[JIRA] (JENKINS-54408) docker exec runs as root within docker.image.inside which docker run runs as the jenkins user


hontvari@flyordie.com (JIRA)

Nov 1, 2018, 3:55:02 PM
to jenkinsc...@googlegroups.com
HONTVÁRI Levente created an issue
 
Jenkins / Bug JENKINS-54408
docker exec runs as root within docker.image.inside which docker run runs as the jenkins user
Issue Type: Bug
Assignee: Unassigned
Components: docker-workflow-plugin
Created: 2018-11-01 19:54
Environment: Jenkins ver. 2.138.2
Priority: Major
Reporter: HONTVÁRI Levente

A docker.image.inside block causes Jenkins to run a 'docker run ... cat' command and later a docker exec command. The run command runs as the Jenkins user (specifically with the same uid), while docker exec runs as root. The result is that files created within the inside block have root owners in the workplace, causing issues in later stages.

I would expect the opposite behavior. "docker run ... cat" should run as root, in order to be able to initialize the docker container. Specifically I have to create a user with the same uid as the jenkins user of the agent (otherwise sudo, ssh will not work). On the other hand docker exec, which does the actual build job, should run under the jenkins user uid, so the owner of the newly created files in mounted directories is the jenkins user.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

andrew@nicols.co.uk (JIRA)

Feb 27, 2019, 3:00:02 AM
to jenkinsc...@googlegroups.com
Andrew Nicols commented on Bug JENKINS-54408
 
Re: docker exec runs as root within docker.image.inside which docker run runs as the jenkins user

We're seeing some of the same behaviour (docker run as Jenkins user). Our images don't play nicely with this and so I can't confirm the latter.

 

Either way, what can we do to get this solved?

arnaud.rebillout@collabora.com (JIRA)

Sep 10, 2019, 11:07:03 PM
to jenkinsc...@googlegroups.com
Arnaud R commented on Bug JENKINS-54408

I think I'm facing the same issue. My docker image requires some init code to run as root, which is achieved by an entrypoint. The last thing the entrypoint does is to drop privileges and execute CMD, pretty similar to what's done at https://github.com/cgwalters/dockerfiles/blob/master/fdev/entrypoint.sh.

Now to get that to work with Jenkins, I need to tell it to run the container as the user root, i.e.:

agent {
  docker {
    label 'docker-slave'
    image DOCKER_IMAGE_NAME
    args '-u root'
  }
}

With that, the entrypoint runs successfully, however I noticed that my other stages are also run as root, which is not what I want.

If my understanding of the Jenkins plugin is correct, the container is brought up with "docker run ... cat", then the various stages of my Jenkinsfile are run using "docker exec ...". If that's the case, then I agree 100% with the reporter of this issue: the container should be brought up as root, then the various exec commands should run as the jenkins user. It seems that it would be the perfect fit for my use-case.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
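
The symptom reported in this issue (workspace files left owned by root after steps run inside the container) can be caught by an ownership check at the end of a stage. The following is an added example, not part of the original thread or of the docker-workflow plugin; the function names are hypothetical, and it assumes a POSIX shell with find, ls and awk on the agent.

```shell
#!/bin/sh
# Added example: audit a Jenkins workspace for entries not owned by the agent
# user, e.g. files written by a container step that ran as root.
# Function names are hypothetical, not part of Jenkins or any plugin.

# audit_workspace_owners DIR EXPECTED_UID
# Prints one "uid=<n> files=<count>" line per unexpected owner under DIR.
# Returns 0 if everything is owned by EXPECTED_UID, 1 if not, 2 on bad input.
audit_workspace_owners() {
    dir=$1
    expected_uid=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $expected_uid in
        ''|*[!0-9]*) echo "expected uid must be numeric" >&2; return 2 ;;
    esac

    # -xdev keeps the scan on the workspace filesystem (skips other mounts).
    # "! -user N" selects entries owned by anyone other than uid N.
    # "ls -dn" prints the numeric owner in column 3; awk counts per owner.
    # Caveat: a file name containing a newline would skew the count.
    report=$(find "$dir" -xdev ! -user "$expected_uid" -exec ls -dn {} + \
                 2>/dev/null |
             awk '{ n[$3]++ }
                  END { for (u in n) printf "uid=%s files=%d\n", u, n[u] }' |
             sort)

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# list_foreign_files DIR EXPECTED_UID
# Prints the offending paths themselves, for the build log.
list_foreign_files() {
    find "$1" -xdev ! -user "$2" -print 2>/dev/null
}

# Typical use at the end of a stage, on the agent (outside the container):
#   audit_workspace_owners "$WORKSPACE" "$(id -u)" || exit 1
```

A non-zero result fails the stage where the root-owned files were created, rather than in a later stage that cannot modify or delete them.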