
Support passing a user/uid into containerTemplate

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major
    • Component: kubernetes-plugin
    • Environment: kubernetes 1.7.3, kubernetes-plugin 1.1, jenkins 2.83
    • Fixed

      Currently, the kubernetes plugin can't run jobs in containers that have unprivileged users baked into their image metadata.

      Supporting jobs running as unprivileged users is a more difficult task. Maybe a minimal solution to this is to allow the user to override the user. Kubernetes supports this, so it should be reasonably straightforward to add a "user" field to the containerTemplate() call.

      When a job is run as an unprivileged user, we see the following error:

      // running a job as any user other than root
      sh: 1: cannot create /home/jenkins/workspace/CS-Core-Speedy@tmp/durable-b7e7d045/pid: Permission denied
      sh: 1: cannot create /home/jenkins/workspace/CS-Core-Speedy@tmp/durable-b7e7d045/jenkins-log.txt: Permission denied
      sh: 1: cannot create /home/jenkins/workspace/CS-Core-Speedy@tmp/durable-b7e7d045/jenkins-result.txt: Permission denied


          Carlos Sanchez added a comment -

          isn't this possible now with the yaml syntax?

          Ivan Fernandez Calvo added a comment - edited

          The issue is that the JNLP agent container uses UID 10000; in this example, the jenkins container uses UID 1000, and both try to use the same user on the same folders with different UIDs.

          def label = "mypod-${UUID.randomUUID().toString()}"
          def name = 'jenkins'
          timestamps { 
            podTemplate(
              label: label,
              containers: [
                containerTemplate(name: name, image: "jenkins/jenkins", ttyEnabled: true)
              ]){
                node(label) {
                  stage('Run on k8s'){
                    sh 'id'
                    container('jnlp') {
                      sh 'id'
                    }
                    container(name) {
                      sh 'id'
                    }
                  }
                }
              }
          }


          Carlos Sanchez added a comment -

          you can configure the user id using the yaml syntax

          https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container

          apiVersion: v1
          kind: Pod
          metadata:
            name: security-context-demo-2
          spec:
            securityContext:
              runAsUser: 1000
            containers:
            - name: sec-ctx-demo-2
              image: gcr.io/google-samples/node-hello:1.0
              securityContext:
                runAsUser: 2000
                allowPrivilegeEscalation: false

           

          Ivan Fernandez Calvo added a comment -

          The only solution is to force the UID to 1000; then there is no conflict accessing the shared filesystem.

          def label = "mypod-${UUID.randomUUID().toString()}"
          def workspace = "/tmp/jenkins-${UUID.randomUUID().toString()}"
          def name = 'jenkins'
          def yaml = """
          apiVersion: v1
          kind: Pod
          metadata:
            generateName: jnlp-
            labels:
              name: jnlp
              label: jnlp
          spec:
            containers:
              - name: jnlp
                image: jenkins/jnlp-slave
                tty: true
                securityContext:
                  runAsUser: 1000
                  allowPrivilegeEscalation: false
              - name: jenkins
                image: jenkins/jenkins
                tty: true
                securityContext:
                  runAsUser: 1000
                  allowPrivilegeEscalation: false
          """
          timestamps {
            podTemplate(label: label, yaml: yaml){
              node(label) {
                sh 'id'
                stage('Run on k8s'){
                  container('jnlp') {
                    sh 'id'
                  }
                  container(name) {
                    sh 'id'
                  }
                }
              }
            }
          }
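The UID mismatch behind the "Permission denied" errors above, and the runAsUser workaround in the pod YAML, can be checked before a pod template is used. This is an added example, not code from the plugin or from anyone in this thread: it reads a constructed two-container pod spec (JSON form of the YAML discussed here), resolves each container's effective runAsUser, flags containers that would run as different UIDs or lack allowPrivilegeEscalation: false, and shows the pinned-UID fix; the function names are my own.

```python
import json

# Constructed pod spec modelled on the thread: pod-level runAsUser 1000, the jnlp
# container overriding it (as the agent image's UID 10000 effectively does), and the
# jenkins container inheriting the pod-level UID.
POD_JSON = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "uid-check-demo"},
  "spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [
      {"name": "jnlp", "image": "jenkins/jnlp-slave",
       "securityContext": {"runAsUser": 10000}},
      {"name": "jenkins", "image": "jenkins/jenkins",
       "securityContext": {"allowPrivilegeEscalation": false}}
    ]
  }
}
"""

def load_pod(text=POD_JSON):
    """Parse a pod manifest given as JSON (what yaml.safe_load would return for YAML)."""
    return json.loads(text)

def effective_uids(pod):
    """Map container name -> effective runAsUser: container value overrides pod value,
    None when neither is set (the UID then comes from the image's USER, as with jnlp)."""
    pod_uid = pod["spec"].get("securityContext", {}).get("runAsUser")
    return {c["name"]: c.get("securityContext", {}).get("runAsUser", pod_uid)
            for c in pod["spec"]["containers"]}

def check_pod(pod):
    """Return findings explaining why files in the shared workspace would be unusable."""
    findings = []
    uids = effective_uids(pod)
    for name, uid in uids.items():
        if uid is None:
            findings.append(f"{name}: no runAsUser, UID falls back to the image USER")
    if len({u for u in uids.values() if u is not None}) > 1:
        findings.append("containers run as different UIDs: "
                        + ", ".join(f"{n}={u}" for n, u in uids.items()))
    for c in pod["spec"]["containers"]:
        if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation is not false")
    return findings

def fix_pod(pod, uid):
    """Return a copy with every container pinned to `uid` (the thread's workaround)."""
    fixed = json.loads(json.dumps(pod))  # deep copy; leave the input untouched
    for c in fixed["spec"]["containers"]:
        c.setdefault("securityContext", {}).update(
            {"runAsUser": uid, "allowPrivilegeEscalation": False})
    return fixed
```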

          Dee Kryvenko added a comment -

          Why is this resolved? Maybe not a bug, but it definitely sounds like a feature request. The official Jenkins slave Docker image uses the jenkins user with uid 10000, whereas most of the alpine based images on the market use root with uid 1000, which means anything created in a Jenkinsfile by directives such as `writeFile` becomes unusable by other containers in the pod. Sounds pretty serious to me.

          It's good to have the ability to fall back to the yml and have a workaround there, but a more fundamental solution that is transparent to users is a must.

          Carlos Sanchez added a comment -

          Support passing a user/uid into containerTemplate => it is supported using yaml syntax, will not add new features to containerTemplate

          Valentin Delaye added a comment -

          Why not support passing the runAsUser through the containerTemplate? It would be very useful for many and easier to maintain than YAML files..

          Carlos Sanchez added a comment -

          Feel free to open a PR

          Ivan Martinez added a comment -

          I agree with other users it would be quite helpful to add support through containerTemplate. 


          ASHOK MOHANTY added a comment -

          Thanks, any update on when we can expect the fix!!

          Valentin Delaye added a comment -

          Ohhh so cool to see it's in progress

          elhay efrat added a comment -

          Guys, can you please approve [JENKINS-47827] adding support: Support passing a user/uid into containerTemplate

          elhay efrat added a comment -

          Waiting for code review and merge; no conflicts, and tests covered and passing.

          elhay efrat added a comment -

          Guys, should I close it and close the PR? I see that there are a lot of people who resist adding this functionality. I have added it locally in our Jenkins because I have no time for endless conversations.

          Valentin Delaye added a comment -

          Oh no, what a shame really... I have been waiting for this feature for a long time.

          elhay efrat added a comment -

          jonesbusy, I finished adding it; only the test is not finished yet, but as I understand it I got blocked.

            People: elhay efrat (elhay), Morgan Jones (mogthesprog)
            Votes: 5
            Watchers: 16