  1. Jenkins
  2. JENKINS-37069

Permission denied on durable task directory when using docker.image.inside step on fresh install of jenkins


Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • docker-workflow-plugin

    Description

      [Maybe related to issues JENKINS-28821, JENKINS-33632 and JENKINS-36842]

      Hello,

      I am trying to establish a new CI environment with jobs running on docker but I am running into permission issues. I tried to create a minimal reproducible scenario without slave machines.

      Looking at some of the related issues, I wonder whether I was supposed to configure permissions or group membership for the jenkins user on the container (instead of just using the image as is), but I assume that is not the case.

      Starting on a clean Centos 7 vm, I installed jenkins 2.7.1 and docker, and then added the jenkins user to the docker group (ansible playbook follows). Then I only installed "Pipeline" and "CloudBees Docker Pipeline" plugins and its dependencies. Everything is updated as of today. Then I created a single pipeline job:

      node {
         docker.image('centos:7').inside {
            sh 'pwd'
         }
      }
      

      This job fails with permission issues:

      Started by user admin
      [Pipeline] node
      Running on master in /var/lib/jenkins/workspace/container-test
      [Pipeline] {
      [Pipeline] sh
      [container-test] Running shell script
      + docker inspect -f . centos:7
      .
      [Pipeline] withDockerContainer
      $ docker run -t -d -u 992:989 -w /var/lib/jenkins/workspace/container-test -v /var/lib/jenkins/workspace/container-test:/var/lib/jenkins/workspace/container-test:rw -v /var/lib/jenkins/workspace/container-test@tmp:/var/lib/jenkins/workspace/container-test@tmp:rw -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** centos:7 cat
      [Pipeline] {
      [container-test] Running shell script
      [Pipeline] sh
      sh: /var/lib/jenkins/workspace/container-test@tmp/durable-890dccc6/pid: Permission denied
      sh: /var/lib/jenkins/workspace/container-test@tmp/durable-890dccc6/jenkins-log.txt: Permission denied
      sh: /var/lib/jenkins/workspace/container-test@tmp/durable-890dccc6/jenkins-result.txt: Permission denied
      [Pipeline] }
      $ docker stop c71c65555ff53a1bd87db33a9d240c6eb4ae14d9c61a0a0a348c7f72f82b7a50
      $ docker rm -f c71c65555ff53a1bd87db33a9d240c6eb4ae14d9c61a0a0a348c7f72f82b7a50
      [Pipeline] // withDockerContainer
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      ERROR: script returned exit code -2
      Finished: FAILURE
      

      Tools were installed using the following ansible recipe:

      ---
      - hosts: jenkins-minimal
      
        tasks:
        - yum: name={{ item }} state=installed
          with_items:
            - libselinux-python
            - dejavu-sans-fonts
            - fontconfig
            - java-1.8.0-openjdk-headless
            - docker
      
        - yum_repository:
            name: jenkins
            description: 'Jenkins-stable'
            baseurl: http://pkg.jenkins.io/redhat-stable
            gpgkey: http://pkg.jenkins.io/redhat-stable/jenkins.io.key
      
        - yum: name=jenkins state=installed
      
        - group: name=docker
        - user: name=jenkins groups=docker
      
        - firewalld: port=8080/tcp state=enabled permanent=true immediate=yes
      
        - service: name={{ item }} state=started enabled=yes
          with_items:
            - jenkins
            - docker
      

        Activity

          jglick Jesse Glick added a comment -

          I wonder whether I was supposed to configure permissions or group membership for the jenkins user on the container (instead of just using the image as is)

          No; Jenkins tries to run the container using the user (and group) ID from the slave agent on the host, specifically so that it will have write permissions on the workspace. Not sure why that is not working in this case.

          seuvitor Vitor Dantas added a comment -

          Inside the container, the jenkins user and jenkins group don't exist (992:989 on this setup). I checked this by looking at the /etc/passwd and /etc/groups files using docker exec <container_id> cat <path>. Is it supposed to be that way?

          seuvitor Vitor Dantas added a comment -

          Well, the problem is solved for me when using Docker 1.12.0 (installed from the Docker project repository). When I revert to Docker 1.10.3, which is the version available today on default Centos 7 "extras" repository, the errors are back.

          Current Pipeline implementation is somehow incompatible with Docker 1.10, which for me was unexpected.

          seuvitor Vitor Dantas added a comment -

          By the way, Docker 1.10 is still being shipped in recent images from Project Atomic (see http://www.projectatomic.io/blog/2016/07/new-centos-atomic-host-releases-available-for-download/). I wonder why other people are not complaining about this incompatibility of the inside step with Docker 1.10, since I assume lots of people are spinning slaves from a default image of Centos 7 with docker installed from default repos or from a default image of Centos Atomic Host.

          For me, as I reported in a reproducible way (the ansible recipe and pipeline script) the inside step would not work with such common slaves. I don't know if I'm missing something.

          anton93 Anton Hughes added a comment - - edited

          I'm also getting this.

          • Kubernetes plugin: 0.10 0.10-SNAPSHOT (private-70e60d4e-jamesrawlings)
          • OpenShift Pipeline Jenkins Plugin: 1.0.4-SNAPSHOT (private-e437d877-jamesrawlings)
          • OpenShift Master: v1.4.1+3f9807a
          • Kubernetes Master: v1.4.0+776c994
          • Docker version 1.12.5, build 047e51b/1.12.5
          mmccaskill Michael McCaskill added a comment - - edited

          I just did a fresh install of jenkins 2.45, installed recommended plugins, attempted to do:

          node {
              docker.image("alecharp/maven-build-tools").inside() {
                  sh "mvn -B clean verify"
              }
          }
          

          and I get 3 similar errors:

          [example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q] Running shell script
          sh: 1: cannot create /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-c84ccae7/pid: Permission denied
          sh: 1: cannot create /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-c84ccae7/jenkins-log.txt: Permission denied
          sh: 1: cannot create /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-c84ccae7/jenkins-result.txt: Permission denied
          

          Docker information:

          Michaels-MacBook-Pro:~ mmccaskill $ docker version
          Client:
           Version:      1.13.0
           API version:  1.25
           Go version:   go1.7.4
           Git commit:   49bf474
           Built:
           OS/Arch:      darwin/amd64
          
          Server:
           Version:      1.13.0
           API version:  1.25 (minimum version 1.12)
           Go version:   go1.7.3
           Git commit:   49bf474
           Built:        Wed Jan 18 16:20:26 2017
           OS/Arch:      linux/amd64
           Experimental: false
          Michaels-MacBook-Pro:~ mmccaskill $ docker-machine version
          docker-machine version 0.9.0, build 15fd4c7
          Michaels-MacBook-Pro:~ mmccaskill $ docker-machine ls
          NAME      ACTIVE   DRIVER       STATE     URL                         SWARM   DOCKER    ERRORS
          default   -        virtualbox   Running   tcp://192.168.99.100:2376           v1.13.0
          

          OS information:

          macOS Sierra 10.12.3 (16D32)
          

          Java information:

          Michaels-MacBook-Pro:~ mmccaskill $ java -version
          java version "1.8.0_112"
          Java(TM) SE Runtime Environment (build 1.8.0_112-b16)
          Java HotSpot(TM) 64-Bit Server VM (build 25.112-b16, mixed mode)
          

          Virtualbox:

          5.1.14 r112924
          
          mmccaskill Michael McCaskill added a comment -

          I downgraded to:

          Michaels-MacBook-Pro:~ mmccaskill $ docker version
          Client:
           Version:      1.12.1
           API version:  1.24
           Go version:   go1.7.1
           Git commit:   23cf638
           Built:        Sat Sep 10 02:45:38 UTC 2016
           OS/Arch:      darwin/amd64
          
          Server:
           Version:      1.12.1
           API version:  1.24
           Go version:   go1.6.3
           Git commit:   23cf638
           Built:        Thu Aug 18 17:52:38 2016
           OS/Arch:      linux/amd64
          Michaels-MacBook-Pro:~ mmccaskill $ docker-machine version
          docker-machine version 0.8.2, build e18a919
          Michaels-MacBook-Pro:~ mmccaskill $ docker-machine ls
          NAME      ACTIVE   DRIVER       STATE     URL                         SWARM   DOCKER    ERRORS
          default   *        virtualbox   Running   tcp://192.168.99.100:2376           v1.12.1
          

          and still same errors

          jupierce Justin Pierce added a comment -

          In my environment, this boiled down to: https://bugzilla.redhat.com/show_bug.cgi?id=1358340
          Two options to address: run container with --privileged or turn off selinux. Both worked around this issue for me. Apparently upgrading to docker 1.12 would have also done it, but I can't confirm that.

          mmccaskill Michael McCaskill added a comment -

          jupierce - Well I'm running on OS X but nonetheless I attempted again with using "--privileged" as an argument for .inside() and it fails with the same error.

          $ docker run -t -d -u 501:20 --privileged -w /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q -v /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q:/Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q:rw -v /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp:/Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp:rw -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** --entrypoint cat alecharp/maven-build-tools
          [Pipeline] {
          [Pipeline] sh
          [example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q] Running shell script
          sh: 1: cannot create /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-bc881c3b/pid: Permission denied
          sh: 1: cannot create /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-bc881c3b/jenkins-log.txt: Permission denied
          sh: 1: cannot create /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-bc881c3b/jenkins-result.txt: Permission denied
          
          mmccaskill Michael McCaskill added a comment -

          Just now I've ensured that /Users/mmccaskill/.jenkins has 777 permissions and still the same error.

          mmccaskill Michael McCaskill added a comment -

          Interestingly using fswatch reveals creating and deleting of other directories

          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-803731eb/jenkins-log.txt
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-803731eb/jenkins-result.txt
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-803731eb/output.txt
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-803731eb/pid
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-803731eb/script.sh
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-803731eb
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-1839560a/jenkins-log.txt
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-1839560a/jenkins-result.txt
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-1839560a/pid
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-1839560a/script.sh
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-1839560a
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-c91c1312
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-c91c1312/script.sh
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-c91c1312/script.sh
          /Users/mmccaskill/.jenkins/workspace/example_poc_master-GGCVXMNZOUBSWREPVP27YOR3DZTHKBWNU2ISCLF5PYNDINJX5K6Q@tmp/durable-c91c1312
          
          jglick Jesse Glick added a comment -

          Generally this is an environmental issue rather than a product bug, though there may be ways the product could assist in automatic diagnosis.

          rodrigc Craig Rodrigues added a comment - - edited

          I encountered exactly the same problem.

          I am using:

          • Docker 1.13.1
          • MacOS 10.12.3

          I am running Jenkins locally, under my own user ID, so I don't understand why I am getting a permission denied error.

          I used this:

          node {
              stage("Inside the container") {
                  docker.image('debian:stretch').inside {   
                     sh "whoami"
                     sh "echo Hi"
                     sh "dpkg -l"
                  }
              }
          }
          

          I looked at the output of my script and got this:

          [test3] Running shell script
          + docker inspect -f . debian:stretch
          .
          [Pipeline] withDockerContainer
          $ docker run -t -d -u 948935127:269013081 -w /Users/c-craigr/.jenkins/workspace/test3 -v /Users/c-craigr/.jenkins/workspace/test3:/Users/c-craigr/.jenkins/workspace/test3:rw -v /Users/c-craigr/.jenkins/workspace/test3@tmp:/Users/c-craigr/.jenkins/workspace/test3@tmp:rw -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** --entrypoint cat debian:stretch
          [Pipeline] {
          [Pipeline] sh
          [test3] Running shell script
          sh: 1: cannot create /Users/c-craigr/.jenkins/workspace/test3@tmp/durable-56d7e69e/pid: Permission denied
          sh: 1: cannot create /Users/c-craigr/.jenkins/workspace/test3@tmp/durable-56d7e69e/jenkins-log.txt: Permission denied
          sh: 1: cannot create /Users/c-craigr/.jenkins/workspace/test3@tmp/durable-56d7e69e/jenkins-result.txt: Permission denied
          [Pipeline] }
          $ docker stop --time=1 186dc9f881b57c62d9ac59ff3533a259b70fd80670de2a0e6e1ff37a8129c90d
          $ docker rm -f 186dc9f881b57c62d9ac59ff3533a259b70fd80670de2a0e6e1ff37a8129c90d
          [Pipeline] // withDockerContainer
          [Pipeline] }
          [Pipeline] // stage
          [Pipeline] }
          [Pipeline] // node
          [Pipeline] End of Pipeline
          ERROR: script returned exit code -2
          Finished: FAILURE
          
          jglick Jesse Glick added a comment -

          Using docker-workflow 1.9.1, durable-task 1.12, and workflow-durable-task-step 2.8 on Jenkins 2.32.2 on Linux / Java 8 / Docker 1.12.3, whoami fails (no such user) but the other commands succeed.

          Do not try to use Image.inside on a Jenkins master node running on a Mac. The tricks used by the nonnative Docker ports do not permit the container to share a filesystem with the Jenkins JVM. (You should be able to run a Jenkins agent in a container, if its filesystem root is a volume, and use Image.inside from that “remote” node.)

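          Added example, not part of the original thread or of the Jenkins plugins: a triage script for the failure discussed here. It reads the `docker run` line and the `Permission denied` lines from a console log, then checks whether plain owner/group/other permissions on the bind-mounted host directory would let the `-u` uid:gid create files; if they would, the denial has another cause (the SELinux and non-shared-filesystem cases raised in the comments). The log is a constructed sample shortened from the one in the description; `fake_stat` and the verdict strings are hypothetical names.

```python
import os
import re
import shlex
from types import SimpleNamespace

# Constructed sample, shortened from the console output quoted in this issue.
SAMPLE_LOG = """\
[Pipeline] withDockerContainer
$ docker run -t -d -u 992:989 -w /var/lib/jenkins/workspace/container-test -v /var/lib/jenkins/workspace/container-test:/var/lib/jenkins/workspace/container-test:rw -v /var/lib/jenkins/workspace/container-test@tmp:/var/lib/jenkins/workspace/container-test@tmp:rw -e ******** centos:7 cat
[Pipeline] sh
sh: /var/lib/jenkins/workspace/container-test@tmp/durable-890dccc6/pid: Permission denied
sh: 1: cannot create /var/lib/jenkins/workspace/container-test@tmp/durable-890dccc6/jenkins-log.txt: Permission denied
"""

# Matches both shell message formats that appear in the thread.
DENIED = re.compile(
    r"^\s*sh: (?:\d+: cannot create )?(/\S+): Permission denied\s*$", re.M)


def parse_docker_run(log):
    """Extract uid, gid, bind mounts and --privileged from the logged command."""
    for line in log.splitlines():
        if line.lstrip().startswith("$ docker run "):
            argv = shlex.split(line.lstrip()[2:])
            break
    else:
        raise ValueError("no `docker run` line in log")
    info = {"uid": 0, "gid": 0, "mounts": [],
            "privileged": "--privileged" in argv}
    for flag, value in zip(argv, argv[1:]):
        if flag == "-u":
            # Numeric ids, as in the logs on this page.
            uid, _, gid = value.partition(":")
            info["uid"], info["gid"] = int(uid), int(gid or 0)
        elif flag == "-v":
            parts = value.split(":")
            if len(parts) >= 2:  # skip anonymous volumes
                opts = parts[2].split(",") if len(parts) > 2 else []
                info["mounts"].append((parts[0], parts[1], opts))
    return info


def dac_allows_create(uid, gid, st):
    """Owner/group/other check: creating a file needs write+search on the
    directory. Ignores ACLs and supplementary groups (simplification)."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        bits = st.st_mode >> 6
    elif gid == st.st_gid:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & 0o3 == 0o3


def triage(log, stat_fn=os.stat):
    """Return (denied directory, verdict) pairs. Run on the Docker host."""
    run = parse_docker_run(log)
    findings = []
    for directory in sorted({os.path.dirname(p) for p in DENIED.findall(log)}):
        # Find the bind mount that contains the denied directory.
        host_src = None
        for host, container, _opts in run["mounts"]:
            if directory == container or directory.startswith(container + "/"):
                host_src = host
        if host_src is None:
            findings.append((directory, "not-on-a-bind-mount"))
            continue
        try:
            # The durable-* directory is removed after the build, so the
            # mount source itself is inspected.
            st = stat_fn(host_src)
        except FileNotFoundError:
            # Jenkins sees the path but the Docker host does not.
            findings.append((directory, "host-path-missing"))
            continue
        if dac_allows_create(run["uid"], run["gid"], st):
            findings.append((directory, "dac-ok-look-at-selinux-or-file-sharing"))
        else:
            findings.append((directory, "dac-denied"))
    return findings


def fake_stat(uid, gid, mode):
    """Constructed stand-in for os.stat so the demo runs without Docker."""
    return lambda path: SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)


if __name__ == "__main__":
    # Directory owned by 992:989 with mode 0755, as on the CentOS reproduction.
    for directory, verdict in triage(SAMPLE_LOG, fake_stat(992, 989, 0o40755)):
        print(verdict, directory)
```

          On a real agent, call `triage(open(path_to_console_log).read())` on the machine where the Docker daemon runs, so that `os.stat` sees the same filesystem the daemon mounts.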
          rodrigc Craig Rodrigues added a comment - - edited

          jglick Ah! OK, that makes a lot of sense. I switched to a completely Linux + Docker environment, and re-ran the pipeline and it worked. I don't know if it is possible, but it might be nice to put some error messages in the Docker plugin to indicate that this type of thing is not supported on platforms that are non-native Docker ports, like Mac.

          jglick Jesse Glick added a comment -

          Well the documentation does mention this but if I can figure out a way for Jenkins to automatically detect this situation and report a nicer error I will do so.

          mmccaskill Michael McCaskill added a comment -

          rodrigc - If it is helpful I was able to get it to work using the xhyve driver with experimental NFS share

          brew install docker-machine-driver-xhyve
          sudo chown root:wheel /usr/local/opt/docker-machine-driver-xhyve/bin/docker-machine-driver-xhyve
          sudo chmod u+s /usr/local/opt/docker-machine-driver-xhyve/bin/docker-machine-driver-xhyve
          docker-machine create -d xhyve --xhyve-experimental-nfs-share default2
          eval $(docker-machine env default2)
          jenkins
          

          Then it worked for me.

          mmccaskill Michael McCaskill added a comment -

          rodrigc - Another option I've used successfully recently was using vagrant.

          • vagrant init ubuntu/xenial64
          • vagrant up
          • install JDK and Docker
          • Copy appropriate SSH public key to /home/ubuntu/.ssh/authorized_keys
          • Setup this vagrant machine as a SSH Slave

          For my purposes I did mount my /Users -> /Users via the Vagrantfile and it works nicely. You may want to label the node as 'docker' and have the Jenkinsfile use that node.

          mmccaskill Michael McCaskill added a comment -

          rodrigc - Another option that works that's much easier to continue using the virtualbox driver and

          https://github.com/adlogix/docker-machine-nfs

          brew install docker-machine-nfs
          docker-machine-nfs <name of docker-machine>
          

          People

            Unassigned Unassigned
            seuvitor Vitor Dantas
            Votes: 1
            Watchers: 9