docker.inside or agent {docker} executing as host user (jenkins) instead of the container's root


Tom Lester

Feb 16, 2017, 10:08:44 AM
to Jenkins Users
Hi all - 

I have a docker host. Jenkins ssh's (as the user jenkins) to this host via pipeline steps and builds apps inside the specified docker image. This all pretty much flows as planned. However... when the pipeline executes a "docker.inside" or via pipeline -> agent -> docker, the docker image is always launched as the jenkins user. Even if I specify "-u root" in the options, it still has the "-u 501" which is the jenkins user.

How can I get around this? My build steps require me to be able to create a /go/src/<etc> directory and the jenkins user doesn't have permissions to do this (it doesn't even exist on the docker image).

Here's the output... you can see that the docker run actually includes the -u 501 and the -u root.


[Pipeline] withDockerContainer
$ docker run -t -d -u 501:501 -u root -w /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA -v /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA:/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA:rw -v /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp:/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp:rw -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** --entrypoint cat maven:3-alpine
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Example Build)
[Pipeline] sh
[ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA] Running shell script
+ ps -ef
PID USER TIME COMMAND
1 root 0:00 cat
7 root 0:00 sh -c echo $$ > '/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp/durable-4de63803/pid'; jsc=durable-8732979585d96e4fbbb59583fb030a62; JENKINS_SERVER_COOKIE=$jsc '/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp/durable-4de63803/script.sh' > '/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp/durable-4de63803/jenkins-log.txt' 2>&1; echo $? > '/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp/durable-4de63803/jenkins-result.txt'
12 root 0:00 {script.sh} /bin/sh -xe /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp/durable-4de63803/script.sh
13 root 0:00 ps -ef
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
$ docker stop --time=1 2955c0a99e3468245e1d72e9986af720b4be5f0eba05911d6de5f1e8919e8152
$ docker rm -f 2955c0a99e3468245e1d72e9986af720b4be5f0eba05911d6de5f1e8919e8152
[Pipeline] // withDockerContainer
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline


Tom Lester

Feb 16, 2017, 10:12:08 AM
to Jenkins Users
My basic pipeline used to generate this output:

pipeline {
    agent {
        docker {
            image 'maven:3-alpine'
            args  '-u root'
        }
    }
    stages {
        stage('Example Build') {
            steps {
                sh 'ps -ef'
            }
        }
    }
}

nicolas de loof

Feb 16, 2017, 10:44:35 AM
to jenkins...@googlegroups.com
This is by design. If the build process doesn't run as the host's user "jenkins", it would corrupt the workspace with files one can't read/delete later.
The fact that the jenkins user doesn't exist isn't an issue.

You should prepare your docker image so it lets an arbitrary user create content under /go/src, or maybe use an alternate GOPATH for this build.
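The alternate-GOPATH approach suggested above, as an added example that is not code from the thread: an sh step that keeps GOPATH under the Jenkins workspace (which uid 501 already owns, so no root is needed to create go/src/<import path>), plus a check for files in the workspace that the host's jenkins user could no longer read or delete, the corruption the reply warns about. The workspace paths and the import path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: the "alternate GOPATH" approach
# done as the sh step a pipeline would run as uid 501 inside the container.
# Paths and the import path are constructed for illustration.
set -eu

# Create $ws/go/src/<import path> inside the Jenkins workspace (which the
# container user owns) and link the checkout into it; print the GOPATH.
# Refuses early when the workspace is not writable by the current uid,
# the same failure as trying to create /go/src/... in the image as user 501.
prepare_gopath() {
    ws=$1; import_path=$2; checkout=$3
    gopath="$ws/go"
    if [ ! -w "$ws" ]; then
        echo "workspace $ws is not writable by uid $(id -u)" >&2
        return 1
    fi
    mkdir -p "$gopath/src/$(dirname "$import_path")"
    target="$gopath/src/$import_path"
    [ -e "$target" ] || ln -s "$checkout" "$target"
    echo "$gopath"
}

# List files under the workspace not owned by the current uid. After a
# build that ran as root inside the container (what the -u 501:501 default
# prevents), these are the files the host's jenkins user can no longer
# read or delete. Prints nothing when the workspace is clean.
foreign_owned_files() {
    find "$1" ! -user "$(id -u)" -print
}

# Stand-alone run on a constructed temporary workspace.
demo() {
    ws=$(mktemp -d)
    mkdir -p "$ws/checkout"
    gp=$(prepare_gopath "$ws" "example.com/ity/ity-service" "$ws/checkout")
    export GOPATH="$gp"
    echo "GOPATH=$GOPATH"
    if [ -z "$(foreign_owned_files "$ws")" ]; then
        echo "workspace clean: every file owned by uid $(id -u)"
    fi
    rm -rf "$ws"
}

demo
```

In a pipeline the same script runs from an sh step after checkout, with the Go build invoked using the printed GOPATH; the ownership check is worth running at the end of any build that still uses -u root.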


Tom Lester

Feb 16, 2017, 11:03:13 AM
to Jenkins Users
Can I set the GOPATH in the pipeline? Is it just a matter of an "sh" step? Or is there a more elegant way to pass that variable to the docker run?

Tom Lester

Feb 16, 2017, 11:09:55 AM
to Jenkins Users
It also seems like my sh commands are not running in the container. For example, if you see this Jenkinsfile:

node {
  // Runs on the docker host: "aws ecr get-login" prints a "docker login -u AWS -p <token>" command
  ECR_LOGIN = sh(
    script: 'aws ecr get-login',
    returnStdout: true
  ).trim()
  // Executes that login command; because sh runs the script with -x, the full
  // command, token included, is echoed to the console log (snipped in the output below)
  sh "${ECR_LOGIN}"

  // This line is missing from the post as extracted (the braces did not balance); it is
  // reconstructed from the "docker inspect" and withDockerContainer lines in the console output below
  docker.image('129132148275.dkr.ecr.us-east-1.amazonaws.com/gobuild-base:latest').inside {
    stage("Build") {
      sh 'uname -a'
    }
  }
}

If I'm understanding this correctly, uname -a should return the OS info from the container.   Instead it is returning the OS info of the AWS EC2 instance.  Here's the output:

Running on docker001 in /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA
[Pipeline] {
[Pipeline] sh
[ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA] Running shell script
+ aws ecr get-login
[Pipeline] sh
[ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA] Running shell script
+ docker login -u AWS -p
<snip>
Login Succeeded
[Pipeline] sh
[ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA] Running shell script
+ docker inspect -f . 129132148275.dkr.ecr.us-east-1.amazonaws.com/gobuild-base:latest
.
[Pipeline] withDockerContainer
$ docker run -t -d -u 501:501 -w /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA -v /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA:/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA:rw -v /home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp:/home/jenkins/workspace/ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA@tmp:rw -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** --entrypoint cat 129132148275.dkr.ecr.us-east-1.amazonaws.com/gobuild-base:latest
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Build)
[Pipeline] sh
[ity-service_tlester_jenkins-ZAK24AVEOSII6FI5ZPP6GCRQQ7ISJCROTD5BZVI3M4MT7EMS4ERA] Running shell script
+ uname -a
Linux 3cb0b774fe50 4.4.23-31.54.amzn1.x86_64 #1 SMP Tue Oct 18 22:02:09 UTC 2016 x86_64 Linux
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
$ docker stop --time=1 3cb0b774fe50fa3e603146ffc791fc40f5464959f95bea5dbc87ac80f45ae217
$ docker rm -f 3cb0b774fe50fa3e603146ffc791fc40f5464959f95bea5dbc87ac80f45ae217

nicolas de loof

Feb 17, 2017, 6:59:55 AM
to jenkins...@googlegroups.com
uname gives you kernel information, and the kernel is shared between the docker host and the container.


Tom Lester

Feb 17, 2017, 10:02:14 AM
to Jenkins Users
Duh... that makes sense.