
Pipeline does not resolve credentials symlinks

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Minor
    • Component: docker-plugin
    • Environment: Jenkins 2.107.3, Docker Pipeline 1.17

      Given these two Jenkinsfiles, the one that does a cp of the credentials file will have the private key read when trying to do a docker push of a signed image;

      however, if we symlink to the credentials file instead, it will not be found when trying to push a signed image.

      node('master') {
        stage('Push to private registry') {
          withCredentials([
            string(credentialsId: 'repo_passphrase', variable: 'SIGNED_PASSPHRASE'),
            file(credentialsId: 'docker_pw', variable: 'DOCKER_PW'),
            file(credentialsId: 'trust_key', variable: 'TRUST_KEY')]) {
            withEnv([
              'DOCKER_CONTENT_TRUST=1',
              'DOCKER_CONTENT_TRUST_SERVER=https://privateregistry:4443',
              "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${SIGNED_PASSPHRASE}"]) {
              // Symlink the temporary credential file into the trust store: the key is not found on push
              sh "mkdir -p ${HOME}/.docker/trust/private"
              sh "ln -s ${TRUST_KEY} ${env.HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
              sh 'cat ${DOCKER_PW} | docker login privateregistry.com --username jenkins --password-stdin'
              sh "docker push privateregistry.com/library/image:${env.BUILD_ID}"
              sh 'docker logout privateregistry.com'
              // Remove the link again so the key does not outlive the build
              sh "rm ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
            }
          }
        }
      }


      node('master') {
        stage('Push to private registry') {
          withCredentials([
            string(credentialsId: 'repo_passphrase', variable: 'SIGNED_PASSPHRASE'),
            file(credentialsId: 'docker_pw', variable: 'DOCKER_PW'),
            file(credentialsId: 'trust_key', variable: 'TRUST_KEY')]) {
            withEnv([
              'DOCKER_CONTENT_TRUST=1',
              'DOCKER_CONTENT_TRUST_SERVER=https://privateregistry:4443',
              "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${SIGNED_PASSPHRASE}"]) {
              // Start from a clean Docker config dir ([ ] rather than [[ ]], since sh steps run under /bin/sh)
              sh "if [ -d ${HOME}/.docker ]; then rm -rf ${HOME}/.docker; fi"
              sh "mkdir -p ${HOME}/.docker/trust/private"
              // Copy the temporary credential file into the trust store: the key is found on push
              sh "cp ${TRUST_KEY} ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
              sh 'ls -lah ${HOME}/.docker/trust/private/'
              sh 'cat ${DOCKER_PW} | docker login privateregistry.com --username jenkins --password-stdin'
              sh "docker push privateregistry.com/library/image:${BUILD_ID}"
              sh 'docker logout privateregistry.com'
              // Remove the copied key again so it does not outlive the build
              sh "rm ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
            }
          }
        }
      }
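      An added example, not code from this issue or from the Docker Pipeline plugin: a POSIX sh helper that a Jenkinsfile `sh` step could call to do what the working variant above does by hand. It copies the key (never symlinks it) into trust/private with owner-only permissions, verifies the result is a regular file the Docker CLI will load, and removes it on exit even if login or push fails. The source path (the withCredentials $TRUST_KEY file) and the $HOME/.docker config directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from JENKINS-51646 or the Docker Pipeline plugin.
# Installs a content-trust private key into the Docker trust store by
# copying it as a regular file (the Docker CLI does not resolve a symlink
# there) and removes it again when the script exits. The source path
# ($TRUST_KEY from withCredentials) and the config dir are assumptions.

# install_trust_key SRC CONFIG_DIR: copy SRC into CONFIG_DIR/trust/private
# with owner-only permissions and print the installed path.
install_trust_key() {
    src=$1
    dest_dir=$2/trust/private
    dest=$dest_dir/$(basename "$src")
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    # Subshell so the restrictive umask does not leak into the caller.
    (umask 077 && mkdir -p "$dest_dir" && cp "$src" "$dest") || return 1
    chmod 600 "$dest" || return 1
    verify_trust_key "$dest" || return 1
    printf '%s\n' "$dest"
}

# verify_trust_key PATH: succeed only for a regular, non-symlink file
# with mode 0600, i.e. something the Docker CLI will actually load.
verify_trust_key() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# remove_trust_key PATH: delete the installed key; succeed once it is gone.
remove_trust_key() {
    rm -f "$1"
    [ ! -e "$1" ]
}

# Usage from a Jenkinsfile step: sh './push_signed.sh "$TRUST_KEY" "$HOME/.docker"'
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    key=$(install_trust_key "$1" "$2") || exit 1
    # Clean up even if docker login or docker push fails.
    trap 'remove_trust_key "$key"' EXIT
    # docker login / docker push / docker logout would run here.
fi
```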


          ZackQ added a comment -

          This has to do with the way the Docker CLI interprets symlinks: there are some security issues when the Docker CLI tries to resolve symlinks, so this has nothing to do with Jenkins.

          Closing issue.
