Docker Jenkins Home (/var/jenkins_home) Folder Permissions Issues when running from Compose


Apoorva Sharma

Jan 6, 2020, 11:19:07 AM
to Jenkins Users
I build a custom Jenkins master image from the Jenkins LTS image. Nothing very fancy, just a few convenience changes made to enable SSH communication:

    # (The FROM line for the Jenkins LTS image is not included in the post.)
    USER root
    # Move the jenkins user to UID 105 and primary group nogroup (GID 65534)
    RUN usermod -u 105 jenkins && usermod -g nogroup jenkins
    RUN mkdir -p /var/cache/jenkins && chown -R jenkins:nogroup /var/cache/jenkins \
     && mkdir -p /var/log/jenkins && chown -R jenkins:nogroup /var/log/jenkins
    RUN mkdir -p /home/jenkins/.ssh/
    # The private key is copied into an image layer, so anyone who can pull the image can read it
    COPY id_rsa* /var/jenkins_home/.ssh/
    RUN chmod 600 /var/jenkins_home/.ssh/id_rsa*
    # Ownership set here lives in the image layer; a volume mounted at /var/jenkins_home
    # at run time hides this directory together with its ownership
    RUN chown -R jenkins:nogroup /home/jenkins/.ssh && chown -R jenkins:nogroup /var/jenkins_home
    
    USER jenkins

There are reasons (limitations) in the build and test infrastructure that required changing the user ID of the jenkins user from 1000 (on the Jenkins LTS image) to 105.

There are two volumes jenkinsHome and jenkinsLog that are mounted to the Jenkins master at `/var/jenkins_home` and `/var/log/jenkins`, respectively.

When starting the Jenkins master based on the custom image (with the above changes) using the `docker run` command, the `/var/jenkins_home` folder has the right permissions and the volume gets mounted successfully.

    jenkins@012696fe9af6:/$ ls -la /var/
    total 56
    ..
    ..
    drwxr-xr-x 31 jenkins jenkins 12288 Jan  3 18:42 jenkins_home

However, when I start the Jenkins master using docker-compose, `/var/jenkins_home` has its owner set to 1000. Since there is no user with ID 1000 on the master image, Jenkins fails to start, as the permissions on jenkins_home are:

    jenkins@012696fe9af6:/$ ls -la /var/
    total 56
    ..
    ..
    drwxr-xr-x 31 1000 jenkins 12288 Jan  3 18:42 jenkins_home

QUESTIONS:
- Can someone please help me figure out why or how the owner of the jenkins_home folder turns out to be different when starting the service using docker run vs. docker-compose?
- It is not clear whether the entrypoint command of the LTS image is somehow changing the permissions. I feel it is unlikely, because I explicitly set permissions on that folder (`/var/jenkins_home`) in the custom image that I use for spinning up the Jenkins master.


FWIW, I have tried running the docker run command with the `--user 105:nogroup` flag and docker-compose with `user: 105:nogroup` to enforce the user that starts the container (docker run) and/or service (docker-compose). Also, a user with ID 105 does exist on the host VM.

DOCKER RUN COMMAND

    docker run --user 105:65534 -dit \
      --log-opt max-size=10m --log-opt max-file=3 \
      --restart unless-stopped \
      -p 12345:8080 -p 50000:50000 \
      --name=master \
      --volumes-from=daas-jenkins-data \
      -e JENKINS_OPTS="-Dhudson.plugins.sshslaves.SSHLauncher.trackCredentials=false --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --handlerCountMax=300" \
      -e JAVA_OPTS="-Duser.timezone=America/New_York -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Xmx4096m" \
      jenkins-custom-master


DOCKER COMPOSE FILE

    version: '3.5'
    services:
    
      jenkins:
        image: jenkins-custom-master
        container_name: jenkins-master-svc
        volumes:
          - type: volume
            source: jenkinsHome
            target: /var/jenkins_home
          - type: volume
            source: jenkinsLog
            target: /var/log/jenkins
        ports:
          - "12345:8080"
          - "50000:50000"
        environment:
          - JENKINS_OPTS=-Dhudson.plugins.sshslaves.SSHLauncher.trackCredentials=false --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --handlerCountMax=300
          - JAVA_OPTS=-Duser.timezone=America/New_York -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Xmx4096m
        user: 105:65534
        networks:
          - jenkins-network  
    
      nginx:
        image: nginx-custom
        container_name: jenkins-nginx-svc
        ports:
          - "443:443"
          - "80:80"
        networks:
          - jenkins-network  
    
    networks:
      jenkins-network:
        name: jenkins-network
    
    volumes:
      jenkinsHome:
        external: true
      jenkinsLog:
        external: true
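Why the two invocations can disagree, plus a pre-flight check, as an added example that is not part of the original post. Docker copies the image's directory into a named volume only the first time an empty volume is mounted there; from then on the container sees the volume's own files and ownership, and the `chown -R jenkins:nogroup /var/jenkins_home` baked into the image has no effect on the mounted path. Note also that the `docker run` command mounts through `--volumes-from=daas-jenkins-data` while the compose file mounts the external named volume `jenkinsHome`; unless the data container was itself created with that same named volume, the two commands are not looking at the same data, and a `jenkinsHome` volume first populated by a stock image will carry UID 1000. The script below, assuming GNU `stat`, a Docker CLI on the host, and the `105:65534` and `jenkinsHome` values from the post (function names and the `JENKINS_VOLUME` / `JENKINS_UIDGID` variables are mine), checks whether the directory a container will see is owned by the UID the container runs as and prints the one-off re-own command when it is not.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Checks that the UID a
# container runs as owns the directory that will be mounted at /var/jenkins_home.
# Assumes GNU coreutils `stat` (BSD fallback included) and, for the volume
# probe, a Docker CLI on the host. Values 105:65534 and jenkinsHome come from
# the post; everything else here is an assumption made for the example.

# Numeric owner UID of a path. Numeric, because the whole problem is a UID
# that has no passwd entry inside the image.
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# check_mount_owner PATH UID: returns 0 when UID owns PATH, 1 on mismatch,
# 2 when PATH cannot be examined. Prints a one-line diagnosis.
check_mount_owner() {
    path=$1
    want=$2
    have=$(owner_uid "$path") || return 2
    if [ "$have" = "$want" ]; then
        echo "ok: $path owned by uid $have"
        return 0
    fi
    echo "mismatch: $path owned by uid $have, container runs as uid $want"
    return 1
}

# fix_command VOLUME UID:GID: prints (does not run) the one-off re-own of an
# existing named volume. It runs as root in a throwaway container, so the
# volume's files are re-owned without making them world-writable.
fix_command() {
    echo "docker run --rm -v $1:/v alpine chown -R $2 /v"
}

# Owner UID of a named volume's root, read without starting Jenkins
# (requires Docker; not exercised by the offline checks).
volume_owner_uid() {
    docker run --rm -v "$1:/v:ro" alpine stat -c '%u' /v
}

# Host-side usage, before `docker-compose up`:
#   JENKINS_VOLUME=jenkinsHome JENKINS_UIDGID=105:65534 sh jenkins-home-check.sh
if [ -n "${JENKINS_VOLUME:-}" ]; then
    ug=${JENKINS_UIDGID:-105:65534}
    have=$(volume_owner_uid "$JENKINS_VOLUME")
    if [ "$have" = "${ug%%:*}" ]; then
        echo "ok: volume $JENKINS_VOLUME root owned by uid $have"
    else
        echo "mismatch: volume $JENKINS_VOLUME root owned by uid $have, wanted ${ug%%:*}; to fix, run:"
        fix_command "$JENKINS_VOLUME" "$ug"
    fi
fi
```

Re-owning the volume to 105 is a one-way change for any deployment that still runs Jenkins as UID 1000 against the same volume, so run it only once the UID is settled for every consumer of that data. Prefer the `chown` inside a throwaway root container over loosening the mode to 777: the latter lets every UID in every container that mounts the volume rewrite Jenkins config, credentials and job definitions.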