
docker exec runs as root within docker.image.inside which docker run runs as the jenkins user

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: docker-workflow-plugin
    • Labels: None
    • Environment: Jenkins ver. 2.138.2

      A docker.image.inside block causes Jenkins to run a 'docker run ... cat' command and later a docker exec command. The run command runs as the Jenkins user (specifically with the same uid), while docker exec runs as root. The result is that files created within the inside block have root owners in the workspace, causing issues in later stages.

      I would expect the opposite behavior. "docker run ... cat" should run as root, in order to be able to initialize the docker container. Specifically I have to create a user with the same uid as the jenkins user of the agent (otherwise sudo, ssh will not work). On the other hand docker exec, which does the actual build job, should run under the jenkins user uid, so the owner of the newly created files in mounted directories is the jenkins user.
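The symptom described above (workspace entries left owned by a uid other than the agent's build user) can be checked for in a later stage. The following is an added example, not part of the original report or the plugin's code; the function names are hypothetical and it assumes a `find` that supports `-print0`.

```shell
#!/bin/sh
# Added example: audit a workspace for entries not owned by the build user.
# Function names are hypothetical; pass the workspace path explicitly,
# e.g. check_workspace "$WORKSPACE" from an sh step on the agent.

# List every entry under $1 whose owner uid differs from $2 (default: caller).
# -xdev stays on one filesystem; find does not follow symlinks by default.
foreign_owned() {
    dir=$1
    uid=${2:-$(id -u)}
    find "$dir" -xdev ! -uid "$uid" -print
}

# Count the same entries. NUL-delimited output is counted so that file names
# containing newlines cannot skew the result.
foreign_owned_count() {
    dir=$1
    uid=${2:-$(id -u)}
    find "$dir" -xdev ! -uid "$uid" -print0 | tr -dc '\000' | wc -c | tr -d ' '
}

# Gate for a later stage: 0 = clean, 1 = foreign-owned entries, 2 = bad path.
check_workspace() {
    dir=$1
    uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        echo "workspace $dir: not a directory" >&2
        return 2
    fi
    n=$(foreign_owned_count "$dir" "$uid")
    if [ "$n" -gt 0 ]; then
        echo "workspace $dir: $n entries not owned by uid $uid" >&2
        foreign_owned "$dir" "$uid" | head -n 20 >&2
        return 1
    fi
    return 0
}
```

Failing the build on a non-zero result surfaces the ownership problem at the stage that caused it rather than in a later cleanup or checkout.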

          [JENKINS-54408] docker exec runs as root within docker.image.inside which docker run runs as the jenkins user

          Andrew Nicols added a comment -

          We're seeing some of the same behaviour (docker run as Jenkins user). Our images don't play nicely with this and so I can't confirm the latter.

           

          Either way, what can we do to get this solved?


          Arnaud R added a comment - - edited

          I think I'm facing the same issue. My docker image requires some init code to run as root, which is achieved by an entrypoint. The last thing the entrypoint does is to drop privileges and execute CMD, pretty similar to what's done at https://github.com/cgwalters/dockerfiles/blob/master/fdev/entrypoint.sh.

          Now to get that to work with Jenkins, I need to tell it to run the container as the user root, i.e.:

          agent {
            docker {
              label 'docker-slave' 
              image DOCKER_IMAGE_NAME
              args '-u root'
            }
          }
          

          With that, the entrypoint runs successfully, however I noticed that my other stages are also run as root, which is not what I want.

          If my understanding of the Jenkins plugin is correct, the container is brought up with "docker run ... cat", then the various stages of my Jenkinsfile are run using "docker exec ...". If that's the case, then I agree 100% with the reporter of this issue: the container should be brought up as root, then the various exec commands should run as the jenkins user. It seems that it would be the perfect fit for my use-case.


          Henry Xu added a comment - - edited

          For a scripted pipeline you can run

           docker.image(dockerImageTag).inside("-u root") {
          // run your step
          }
          

          It's not a problem with Jenkins, but Docker runs the container as the root user. A potential solution is to run Docker in rootless mode. But I haven't tested it myself yet.


            Assignee: Unassigned
            Reporter: HONTVÁRI Levente (hontvari)
            Votes: 4
            Watchers: 6
