Jenkins / JENKINS-47827

Support passing a user/uid into containerTemplate

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major
    • Component: kubernetes-plugin
    • Labels: None
    • Environment: kubernetes 1.7.3, kubernetes-plugin 1.1, jenkins 2.83
    • Fixed

      Currently, the kubernetes plugin can't run jobs in containers that have unprivileged users baked into their image metadata.

      Supporting jobs running as unprivileged users is a more difficult task. Maybe a minimal solution to this is to allow the user to override the user. Kubernetes supports this, so it should be reasonably straightforward to add a "user" field to the containerTemplate() call.

      When a job is run as an unprivileged user, we see the following error:

       

      // running a job as any user other than root
      sh: 1: cannot create /home/jenkins/workspace/CS-Core-Speedy@tmp/durable-b7e7d045/pid: Permission denied
      sh: 1: cannot create /home/jenkins/workspace/CS-Core-Speedy@tmp/durable-b7e7d045/jenkins-log.txt: Permission denied
      sh: 1: cannot create /home/jenkins/workspace/CS-Core-Speedy@tmp/durable-b7e7d045/jenkins-result.txt: Permission denied
      

       


          Morgan Jones created issue -
          Morgan Jones made changes -
          Summary Original: Support containers that run as unpriveleged users New: Support passing the container user into containerTemplate
          Morgan Jones made changes -
          Summary Original: Support passing the container user into containerTemplate New: Support passing a user/uid into containerTemplate

          Carlos Sanchez added a comment -

          isn't this possible now with the yaml syntax?
          Ivan Fernandez Calvo made changes -
          Link New: This issue is related to JENKINS-41418 [ JENKINS-41418 ]

          Ivan Fernandez Calvo added a comment - edited

          The issue is that the JNLP agent container uses UID 10000; in this example, the jenkins container uses UID 1000, and both try to use the same user on the same folders with different UIDs.

          def label = "mypod-${UUID.randomUUID().toString()}"
          def name = 'jenkins'
          timestamps { 
            podTemplate(
              label: label,
              containers: [
                containerTemplate(name: name, image: "jenkins/jenkins", ttyEnabled: true)
              ]){
                node(label) {
                  stage('Run on k8s'){
                    sh 'id'
                    container('jnlp') {
                      sh 'id'
                    }
                    container(name) {
                      sh 'id'
                    }
                  }
                }
              }
          }


          Carlos Sanchez added a comment -

          you can configure the user id using the yaml syntax

          https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container

          apiVersion: v1
          kind: Pod
          metadata:
            name: security-context-demo-2
          spec:
            securityContext:
              runAsUser: 1000
            containers:
            - name: sec-ctx-demo-2
              image: gcr.io/google-samples/node-hello:1.0
              securityContext:
                runAsUser: 2000
                allowPrivilegeEscalation: false
          Carlos Sanchez made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

          Ivan Fernandez Calvo added a comment -

          The only solution is to force the UID to 1000, so there is no conflict accessing the shared filesystem.

          def label = "mypod-${UUID.randomUUID().toString()}"
          def workspace = "/tmp/jenkins-${UUID.randomUUID().toString()}"
          def name = 'jenkins'
          // both containers are pinned to UID 1000 so each can write to the shared workspace volume
          def yaml = """
          apiVersion: v1
          kind: Pod
          metadata:
            generateName: jnlp-
            labels:
              name: jnlp
              label: jnlp
          spec:
            containers:
              - name: jnlp
                image: jenkins/jnlp-slave
                tty: true
                securityContext:
                  runAsUser: 1000
                  allowPrivilegeEscalation: false
              - name: jenkins
                image: jenkins/jenkins
                tty: true
                securityContext:
                  runAsUser: 1000
                  allowPrivilegeEscalation: false
          """
          timestamps {
            podTemplate(label: label, yaml: yaml){
              node(label) {
                sh 'id'
                stage('Run on k8s'){
                  container('jnlp') {
                    sh 'id'
                  }
                  container(name) {
                    sh 'id'
                  }
                }
              }
            }
          }
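The two comments above (the Kubernetes securityContext example and the working podTemplate yaml) both rely on one rule: a container runs as its own securityContext.runAsUser if set, otherwise the pod-level runAsUser, otherwise whatever user is baked into the image. Because the kubernetes plugin mounts a single workspace volume into every container of the pod, any two containers that resolve to different UIDs produce the "Permission denied" lines in the description. The following script is an added example, not code from this issue or from the kubernetes-plugin project: it resolves the effective UID per container from a parsed Pod manifest (a dict as returned by yaml.safe_load; that structure is assumed) and reports containers that are unpinned or disagree, so a pod template can be checked before a job is ever scheduled. The sample manifests are constructed for the example; the UID 10000 for the jnlp image comes from the comments on this issue. It also goes one step beyond the comment's fix by showing that setting runAsUser once at pod level pins every container that has no securityContext of its own.

```python
"""Resolve the effective runAsUser of each container in a Pod manifest and
flag UID mismatches (added example; `pod` is assumed to be a manifest already
parsed into dicts/lists, as yaml.safe_load returns)."""
from typing import Dict, List, Optional


def effective_run_as_user(pod: Dict) -> Dict[str, Optional[int]]:
    """Map container name -> effective runAsUser.

    Container-level securityContext wins over the pod-level one.  None means
    nothing is pinned: the container runs as the image's default user, which
    the manifest cannot tell us.
    """
    spec = pod.get("spec", {})
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    uids: Dict[str, Optional[int]] = {}
    for container in spec.get("containers", []):
        own = (container.get("securityContext") or {}).get("runAsUser")
        uids[container["name"]] = own if own is not None else pod_uid
    return uids


def uid_conflicts(pod: Dict) -> List[str]:
    """Return findings; an empty list means every container is pinned to one
    and the same UID, so the shared workspace volume is writable by all."""
    uids = effective_run_as_user(pod)
    findings: List[str] = []
    for name, uid in uids.items():
        if uid is None:
            findings.append(f"container {name!r}: runAsUser not set, it will run "
                            "as the image's default user (unknown from the manifest)")
    pinned = {uid for uid in uids.values() if uid is not None}
    if len(pinned) > 1:
        detail = ", ".join(f"{n}={u}" for n, u in uids.items() if u is not None)
        findings.append("containers share the workspace volume but run as "
                        "different UIDs: " + detail)
    return findings


def _container(name: str, image: str, run_as_user: Optional[int] = None) -> Dict:
    """Build one container entry; helper for the constructed samples below."""
    c: Dict = {"name": name, "image": image, "tty": True}
    if run_as_user is not None:
        c["securityContext"] = {"runAsUser": run_as_user,
                                "allowPrivilegeEscalation": False}
    return c


# Constructed sample: the failing setup from the first comment, nothing pinned,
# so jnlp (UID 10000 in its image) and jenkins (UID 1000) collide on the workspace.
UNPINNED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    _container("jnlp", "jenkins/jnlp-slave"),
    _container("jenkins", "jenkins/jenkins"),
]}}

# Constructed sample: the working fix from the later comment, both pinned to 1000.
FIXED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    _container("jnlp", "jenkins/jnlp-slave", 1000),
    _container("jenkins", "jenkins/jenkins", 1000),
]}}

# Constructed sample: the same fix stated once at pod level; containers
# without their own securityContext inherit it.
POD_LEVEL_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [_container("jnlp", "jenkins/jnlp-slave"),
                   _container("jenkins", "jenkins/jenkins")]}}

# Constructed sample mirroring the linked Kubernetes docs: the container-level
# 2000 overrides the pod-level 1000.
DOCS_POD = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "security-context-demo-2"},
            "spec": {"securityContext": {"runAsUser": 1000},
                     "containers": [_container("sec-ctx-demo-2",
                                               "gcr.io/google-samples/node-hello:1.0", 2000)]}}

# Constructed sample: explicitly pinned but different, which the check must reject.
MIXED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    _container("jnlp", "jenkins/jnlp-slave", 10000),
    _container("jenkins", "jenkins/jenkins", 1000),
]}}


if __name__ == "__main__":
    for label, pod in [("unpinned", UNPINNED_POD), ("fixed", FIXED_POD),
                       ("pod-level", POD_LEVEL_POD), ("docs", DOCS_POD),
                       ("mixed", MIXED_POD)]:
        print(f"{label}: {effective_run_as_user(pod)}")
        for finding in uid_conflicts(pod) or ["ok"]:
            print(f"  {finding}")
```

Run it on the yaml string you pass to podTemplate (after yaml.safe_load) as a pre-flight step in the pipeline or a CI lint job; an unpinned container is reported rather than assumed safe, because that is exactly the case in the original report where the UID lives only in the image metadata.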

          Dee Kryvenko added a comment -

          Why is this resolved? Maybe not a bug, but it definitely sounds like a feature request. The Jenkins official slave docker image uses the jenkins user with uid 10000, where most of the alpine based images on the market use root with uid 1000, which means anything created in a Jenkinsfile by directives such as `writeFile` becomes unusable by other containers in the pod. Sounds pretty serious to me.

          It's good to have the ability to fall back to the yml and have a workaround there, but a more fundamental solution that is transparent to the users is a must.

          Dee Kryvenko made changes -
          Resolution Original: Not A Defect [ 7 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]

            Assignee: elhay efrat
            Reporter: Morgan Jones (mogthesprog)
            Votes: 5
            Watchers: 16