Running shell commands with sudo in pipeline

[Parichay Barpanda]

I am running a plugin on my local machine with this command:

mvn hpi:run

My repository contains a Jenkinsfile which runs a docker image to build a latex document.

Jenkinsfile looks like:

pipeline {

   agent none

   stages {

      stage('Build') {

         agent {

            docker {

               image 'blang/latex:ubuntu'

            }

         }

         steps {

             sh 'xelatex sample.tex'

         }

      }

   }

}

Since the Jenkins instance is running on my local machine and in my local machine docker is installed for the root user only so I need a way to execute the Jenkinsfile with sudo permission.

I recieve an error like this:

+ docker pull blang/latex:ubuntu

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/create?fromImage=blang%2Flatex&tag=ubuntu: dial unix /var/run/docker.sock: connect: permission denied

script returned exit code 1

Can anyone suggest a way how I can run docker with root permission inside the Jenkins pipeline?

[Mark Waite]

This is a good question for the users list rather than the developers list.  The developers list is generally used for topics related to the development of Jenkins and the plugins which run on Jenkins.  Your question is more about using Jenkins than developing something that will extend or enhance Jenkins.

In general, you don't want to run a Jenkinsfile as root.  That's granting far more permission to the Jenkinsfile than should be granted and places the machine at risk of damage from innocent user mistakes.  It is less dangerous to allow the agent user to run docker than to allow the agent user to use sudo to become root.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/b0106f8f-fa09-4dc7-98a3-f7bdff9f0d6f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Thanks!

Mark Waite

[Parichay Barpanda]

In my case if I am not running the Jenkins in a docker but on my local machine where I have docker installed under root user.

So for creating the agent, docker command needs to run with sudo priviledge but as you suggest I shouldn't give that priviledge to Jenkins agent.

Now I have 2 options:

1) Either run a Jenkins instance as a docker container

2) Or Install docker for my user in my local machine

If you think there is a better way then I would like to know. Thanks for the help, I would see next time that appropriate topics are posted in the appropriate group.

[Baptiste Mathus]

I'm a bit lost: are you trying to use Jenkins, or develop a plugin?

Can you please clarify your use case? 

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/ec67a488-f926-4e59-954c-6339d7cc59e1%40googlegroups.com.

[Parichay Barpanda]

Umm.. I'm trying to develop on a plugin(specifically Blue ocean plugin). To do a dry run, I'm using the command mvn hpi:run. Now when creating a pipleine with my repository containing the Jenkinsfile as mentioned above, I'm unable to access the docker command inside the pipeline script because docker is installed under the root user on my local machine.

To be more clear, on my local machine when I have to run a docker command, I use a sudo prefix to run it. Like sudo docker run .. I want a workaround for this problem.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANWgJS7sMnz3s%3DmWWvtwNUtCdjq4YgPB6R21AobfC7o6x9HzhA%40mail.gmail.com.

[Jon Hermansen]

Parichay,

It sounds like your user (or more specifically, the user the
Jenkinsfile runs as) does not belong to the docker group.

https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user

The docker command acts as a client to the docker daemon, and by
default, they communicate using a special socket file,
/var/run/docker.sock -- which is owned by the docker group. To be able
to write to it, you can add your user(s) to the same group.

On Thu, Mar 21, 2019 at 7:03 PM Parichay Barpanda

> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAD0DWAMqNSE8A3F46yhfog%3D%2BMObwjjEHYVXe0CDfA5CmiC8cNg%40mail.gmail.com.

[Parichay Barpanda]

Hi Jon,

It worked for me! Thanks for the help. :)

Regards,

Parichay (baymac)

[Parichay Barpanda]

Hi Jon,

Add my user to the docker group worked for my local machine docker instance. Now I am trying to run a Ubuntu VM in Azure but when I am still facing the same error. 

Run the following command on my Ubuntu VM:

$ cat /etc/group | grep docker

docker:x:999:baymac

This shows the user has been added to the docker group still I receive the same error:

+ docker pull blang/latex:ubuntu

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/create?fromImage=blang%2Flatex&tag=ubuntu: dial unix /var/run/docker.sock: connect: permission denied

script returned exit code 1

Some github users also facing similar issues when using Azure pipeline: https://github.com/Microsoft/azure-pipelines-agent/issues/2056

In case you have any idea, let me know. :)

Regards,

Parichay (baymac)

[Gavin Mogan]

this really belongs on the user list.

I would run `id` to see what your current shell's permissions are, I would guess your changes to your groups were added after you logged in.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/8b25195e-45d2-4ad4-a0cd-6c4aebda7c3b%40googlegroups.com.

[Parichay Barpanda]

Yes, I added the changes to the groups after logging in. Btw I am running a Bitnami Jenkins cloud stack on Azure. I guess I had to restart the service as suggested in this article. Now works for me. Yeah `id` is simpler. :)

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAAgr96L7KffaWL3%2BiW8ykkNc5ScsGzzSXG8jq2ULy36%3Da7zfqg%40mail.gmail.com.

[Jesse Glick]

Just beware that adding a user to the `docker` group is tantamount to
adding them to `sudoers` with `!authenticate`. In other words, if the
user account is compromised, the whole machine is too. If this is a
personal computer or a VM (as opposed to an account on a shared
server) that may be tolerable since there is probably nothing of any
value on the machine that only `root` could access.

But yes, Jenkins Docker features generally assume that either the
Jenkins master account or the account used to run an agent process
(depending on the feature) have unrestricted access to some Docker
daemon, meaning they are effectively root on whatever OS instance is
running that daemon.

Mark:

> It is less dangerous to allow the agent user to run docker than to allow the agent user to use sudo to become root.

Not true, at least in the straightforward case that the Docker daemon
is just listening on a local socket.