Details
-
Improvement
-
Status: Open (View Workflow)
-
Minor
-
Resolution: Unresolved
Description
We want to be able to wipe workspaces containing files created via Docker containers (and thus owned by root). In a shell, as jenkins, we can delete root-owned files/folders as long as they are within jenkins-owned directories. But this function ( https://github.com/jenkinsci/jenkins/blob/6c2fffb/core/src/main/java/hudson/Util.java#L299 ) fails in that case.
Perhaps, it's due to a windowsOS java limitation which cannot delete a non-empty directory?
Could it be possible to create a special implementation for unix, that allows deletion of non-empty directories and thus supports the use-case mentioned above?
Attachments
Issue Links
- relates to
-
JENKINS-64874 declarative pipeline post do not execute in agent
-
- Open
-
Activity
This helps in my case:
stages {
// ... image.inside('-u root) { some code creates files and folders}
post {
cleanup {
script {
image.inside('-u root') {
sh 'find . -user root -name \'*\' | xargs chmod ugo+rw'
}
}
deleteDir()
}
}
Eugene G
added a comment - - edited This helps in my case:
stages {
// ... image.inside('-u root) { some code creates files and folders}
post {
cleanup {
script {
image.inside( '-u root' ) {
sh 'find . -user root -name \' *\ ' | xargs chmod ugo+rw'
}
}
deleteDir()
}
}
A partial workaround for the generic "Jenkins cannot delete root files" - setup Linux ACL permissions for the workspace directory:
$ rm -rf workspace # to avoid any inconsistencies in existing files
$ mkdir workspace
$ sudo setfacl -dm 'u:<your_jenkins_user_name>:rwx' workspace
See internet (e.g. arch wiki) for explanations on ACL, but this basically will allow jenkins access to all NEWLY CREATED files. Note the emphasis on newly created. If, for example, you `sudo tar -xf archive_with_files_owned_by_root.tar.xz`, these files will not be assigned with this ACL expansion =/
Artalus S.
added a comment - - edited A partial workaround for the generic "Jenkins cannot delete root files" - setup Linux ACL permissions for the workspace directory:
$ rm -rf workspace # to avoid any inconsistencies in existing files
$ mkdir workspace
$ sudo setfacl -dm 'u:<your_jenkins_user_name>:rwx' workspace
See internet (e.g. arch wiki ) for explanations on ACL, but this basically will allow jenkins access to all NEWLY CREATED files. Note the emphasis on newly created. If, for example, you `sudo tar -xf archive_with_files_owned_by_root.tar.xz`, these files will not be assigned with this ACL expansion =/
Chandima Jayawickrema
added a comment - setfacl didn't work for me. And post chmod/chown is too flaky. If the agent crashes for some reason, that workspace will be left undeletable without manual intervention.
instead i tried setting `umask` to the container by overriding the docker run entrypoint and it worked. This basically sets the container's default permission mask so any files written by the docker container to the jenkins workspaces mounted dir will be accessible by Jenkins or any other.
For example this is how it worked for our Cypress execution. Once `umask` is set, it continues with the originally intended entrypoint command
docker run -v $PWD:/e2e -w /e2e -e CYPRESS_baseUrl=http://127.0.0.1:8888 --ipc host --network host --entrypoint /bin/bash cypress/included:4.12.1 -c \"umask 0000; cypress run --browser chrome --headless\""
Moreover, you can also experiment with user mapping
Chandima Jayawickrema
added a comment - setfacl didn't work for me. And post chmod/chown is too flaky. If the agent crashes for some reason, that workspace will be left undeletable without manual intervention.
instead i tried setting `umask` to the container by overriding the docker run entrypoint and it worked. This basically sets the container's default permission mask so any files written by the docker container to the jenkins workspaces mounted dir will be accessible by Jenkins or any other.
For example this is how it worked for our Cypress execution. Once `umask` is set, it continues with the originally intended entrypoint command
docker run -v $PWD:/e2e -w /e2e -e CYPRESS_baseUrl=http: //127.0.0.1:8888 --ipc host --network host --entrypoint /bin/bash cypress/included:4.12.1 -c \ "umask 0000; cypress run --browser chrome --headless\" "
Moreover, you can also experiment with user mapping 
+1