Jenkins / JENKINS-47389

sh step within container step does not work when user is non-root


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Not A Defect
    • kubernetes-plugin
    • None
    • Jenkins 2.73.1, Kubernetes Plugin 1.0, Kubernetes 1.7.4

    Description

      Attempting to execute sh command within container step fails when the image user is not root.

      Replicate by running pipeline:

      podTemplate(name: 'my-pod', label: 'my-pod',
        containers: [
          containerTemplate(name: 'kubectl-cmd', 
                            image: 'wernight/kubectl:1.6.4',
                            ttyEnabled: true, 
                            command: 'cat', args:null)]) {
            node('my-pod') {
              stage('Test command') {
                container('kubectl-cmd') {
                  sh 'whoami'
                }
              }
            }
      } 

      `sh 'whoami'` does not successfully run, and the job fails with message: "ERROR: script returned exit code -2 "

      The image being run is here.

      I created a modified version of the image where simply "User kubectl" is removed. The job then runs as expected.

       

       


          Activity

            csanchez Carlos Sanchez added a comment -

            Debug logs please? https://github.com/jenkinsci/kubernetes-plugin#debugging

            willmore Chris Willmore added a comment - edited

            Attached debug log for what I believe are relevant entries during job execution.
            Note, there may be some noise from other concurrent jobs running.

            csanchez Carlos Sanchez added a comment -

            So this is the error, can you try making your image user be uid 1000?

            [non-root-container] Running shell script
            sh: can't create /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            sh: can't create /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-result.txt.tmp: Permission denied
            mv: can't rename '/home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-result.txt.tmp': No such file or directory
            touch: /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            touch: /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            touch: /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            touch: /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            touch: /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            touch: /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            touch: /home/jenkins/workspace/non-root-container@tmp/durable-bf906406/jenkins-log.txt: Permission denied
            process apparently never started in /home/jenkins/workspace/non-root-container@tmp/durable-bf906406

            habanero Diego Rodriguez added a comment -

            csanchez I'm running into this issue as well; I'd be more than happy to help fix the issue if you can point to the right place in the Kubernetes-plugin code.

            spothala Sriniva Pothala added a comment -

            Just add the `jnlp` container with path pointing to `home/jenkins/agent`. It worked for me.

            containerTemplate(name: 'jnlp', image: 'lachlanevenson/jnlp-slave:3.10-1-alpine', args: '${computer.jnlpmac} ${computer.name}', workingDir: '/home/jenkins/agent')

            shott85 David Schott added a comment -

            The example works after adding runAsUser:

            podTemplate(name: 'my-pod', label: 'my-pod', runAsUser: '2342',
              containers: [
                containerTemplate(name: 'kubectl-cmd', 
                                  image: 'wernight/kubectl:1.6.4',
                                  ttyEnabled: true, 
                                  command: 'cat', args:null)]) {
                  node('my-pod') {
                    stage('Test command') {
                      container('kubectl-cmd') {
                        sh 'whoami'
                      }
                    }
                  }
            }  

            Documented under https://github.com/jenkinsci/kubernetes-plugin#pod-and-container-template-configuration
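
An added diagnostic, not part of the issue or the plugin's code: the "Permission denied" lines in the log earlier in this thread mean the container's user cannot create files in the agent workspace, and this script reports that from the directory's owner and mode bits. The function names and `check.sh` are hypothetical; the check ignores ACLs and supplementary groups.

```shell
#!/bin/sh
# Added example (not from the issue): decide from owner, group and mode bits
# whether a given uid/gid can create files in a directory. Ignores ACLs and
# supplementary groups; needs GNU or BusyBox stat (-c).

# can_write DIR UID GID -> exit 0 if UID/GID may create entries in DIR
can_write() {
    dir=$1 uid=$2 gid=$3
    owner_uid=$(stat -c '%u' "$dir") || return 2
    owner_gid=$(stat -c '%g' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2
    bits=$(( 0$mode ))                 # stat prints octal, e.g. 755
    [ "$uid" -eq 0 ] && return 0       # root bypasses the mode bits
    # Exactly one permission class applies: owner, else group, else other.
    # Creating a file needs write AND search (execute) on the directory.
    if [ "$uid" -eq "$owner_uid" ]; then
        mask=$(( 0300 ))
    elif [ "$gid" -eq "$owner_gid" ]; then
        mask=$(( 0030 ))
    else
        mask=$(( 0003 ))
    fi
    [ $(( bits & mask )) -eq "$mask" ]
}

# explain_access DIR UID GID -> one-line verdict, exit 1 when denied
explain_access() {
    if can_write "$1" "$2" "$3"; then
        echo "OK: uid=$2 gid=$3 can create files in $1"
    else
        echo "DENIED: uid=$2 gid=$3 cannot create files in $1" \
             "(owner=$owner_uid:$owner_gid mode=$mode);" \
             "run every container in the pod as uid $owner_uid"
        return 1
    fi
}

# Run inside the build container against the workspace path from the log
# (check.sh is a hypothetical file name for this script):
#   sh check.sh /home/jenkins/workspace
if [ "$#" -eq 1 ]; then
    explain_access "$1" "$(id -u)" "$(id -g)"
fi
```

A DENIED verdict naming a different owner uid is the mismatch that `runAsUser` on the podTemplate, or an image user with the agent's uid, removes.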

            jglick Jesse Glick added a comment -

            (incorrect Resolution)


            People

              Assignee: Unassigned
              Reporter: willmore Chris Willmore
              Votes: 5
              Watchers: 11