Overview

When using runAsNonRootUser and runAsUser you may experience the following error message in your CircleCI job. 

CircleCI failed to run this build, check your config. Try re-running the build and 
if this issue persists, open a Support ticket. Detail: failed to copy circleci-agent 
into container "primary", 
Error: error executing command mkdir -p $HOME/.local/bin/circleci : 
error executing command /bin/bash -c set -o pipefail ; mkdir -p 
$HOME/.local/bin/circleci 2>&1 | tee /proc/1/fd/1 : 
command terminated with exit code 1

This is typically a case of the user in runAsUser not matching the User ID within the image. 

Solution

Step 1

Verify the User ID configured in the Docker image. 

$ docker pull ${image_name}
$ docker run --rm ${image_name} echo $UID

Step 2

Confirm the runAsUser matches the UID returned by the first command. 

agent:
  resourceClasses:
    <namespace>/<runner_name>:
      spec:
        containers:
        securityContext:
          runAsNonRoot: true
          runAsUser: <the_UID_found_before>

Example

As an example, we can test this with a cimg/base:current image.

$ docker pull cimg/base:current
$ docker run --rm cimg/base:current echo $UID
  1000

We can see that after running the docker run command, it returns 1000 to us. 

If your runAsUser does not match the same as $UID in the Docker image, you need to update either one of them to allow your container to run in your Container Runner.

Additional Notes

• CircleCI Container Runner Docs
• Configure a Security Context for a Pod or Container