
secret file not accessible to containerized stages

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • operating system: Debian GNU/Linux 8.11 (jessie)
      jenkins version: 2.121.3
      java version 1.8.0_181, oracle

      accessing files stored as secret files via the credentials plugin fails when running in a pipeline where only the particular stage is running in a docker container.

       
      how to reproduce:

      upload a file with the content "secret" via the credentials plugin:

      credentials -> system -> global credentials -> add credentials -> secret file
      

      access it via a pipeline which is containerized on the top level:

      #!groovy
      
      pipeline {
      	agent {
      		docker {
      			label "worker"
      			image "alpine:3.8"
      		}
      	}
      	environment {
      		SECRET = credentials("secret")
      	}
      	stages {
      		stage("cat") {
      			steps {
      				sh "cat $SECRET"
      			}
      		}
      	}
      }
      

      this results in the expected log output:

      [...]
      [project_master-IVL6IBXNKWVTPPV72MKSLBHB5K2X7C74P6THVIE7VGCZ2TT2GNOQ] Running shell script
      + cat ****
      secret
      [...]
      

      access it via a pipeline where only a particular stage is containerized:

      #!groovy
      
      pipeline {
      	agent {label "worker"}
      	environment {
      		SECRET = credentials("secret")
      	}
      	stages {
      		stage("cat") {
      			agent {
      				docker {
      					label "worker"
      					image "alpine:3.8"
      				}
      			}
      			steps {
      				sh "cat $SECRET"
      			}
      		}
      	}
      }
      

      this results in the following error:

      [...]
      [project_master-IVL6IBXNKWVTPPV72MKSLBHB5K2X7C74P6THVIE7VGCZ2TT2GNOQ@2] Running shell script
      + cat ****
      cat: can't open '****': No such file or directory
      [...]
      

          [JENKINS-54573] secret file not accessible to containerized stages

          Swapnil Jadhav added a comment -

          Same issue I am facing? Any update how to resolve this? jsj

          Abel added a comment -

          Same issue here 


          Prashanth added a comment -

          I am seeing this issue too, does anyone have a work around?


          jens stein added a comment -

          This issue stems from the fact that the containerized stages run in different subdirectories than the non-containerized stages. And the containerized stages don't have access to the subdirectory which the non-containerized stages run in.

          If the pipeline is run with the name job-1 then the top level runs in a temporary directory such as "/home/jenkins/current/workspace/job-1" with the corresponding temporary directory "/home/jenkins/current/workspace/job-1@tmp". If the whole pipeline isn't containerized and the single stages are, they will run in different directories and have different temporary directories associated. So a containerized stage will run in "/home/jenkins/current/workspace/job-1@2" and have the temporary directory "/home/jenkins/current/workspace/job-1@2@tmp". By placing the environment block inside the stage, the secret file gets placed in the correct temporary directory.

          So to work around this issue, place the environment like this

          #!groovy
          
          pipeline {
          	agent {label "worker"}
          	stages {
          		stage("cat") {
          			environment {
          				SECRET = credentials("secret")
          			}
          			agent {
          				docker {
          					label "worker"
          					image "alpine:3.8"
          				}
          			}
          			steps {
          				sh "cat $SECRET"
          			}
          		}
          	}
          }
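
A variant of the workaround above, as an added example (not from the issue reporter or the Jenkins project): it binds the secret file with the Credentials Binding plugin's `withCredentials` step inside the containerized stage and checks that the file sits under that stage's own `@tmp` directory before reading it. It assumes the credential ID `secret` and the `worker` label from the issue; the shell script is single-quoted so the shell, not Groovy, expands `$SECRET`.

```groovy
#!groovy

// Added example; assumes the Credentials Binding plugin is installed and a
// secret-file credential with ID "secret" exists, as in the issue above.
pipeline {
	agent { label "worker" }
	stages {
		stage("cat") {
			agent {
				docker {
					label "worker"
					image "alpine:3.8"
				}
			}
			steps {
				// Bind inside the stage so the file is created for this stage's workspace.
				withCredentials([file(credentialsId: "secret", variable: "SECRET")]) {
					// Single quotes: Groovy does not interpolate; the shell expands the variables.
					sh '''
						set -eu
						# The file should be under this stage's temp dir (e.g. job-1@2@tmp).
						case "$SECRET" in
							"${WORKSPACE}@tmp"/*) ;;
							*) echo "secret file is not under ${WORKSPACE}@tmp" >&2; exit 1 ;;
						esac
						# Confirm it is readable in the container without printing its contents.
						test -r "$SECRET"
						wc -c < "$SECRET"
					'''
				}
			}
		}
	}
}
```

If the `case` check fails, the credential was bound in a different workspace than the one the container runs in, which is the condition described in the comment above.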
          
          


            Assignee: Unassigned
            Reporter: jens stein (jsj)
            Votes: 3
            Watchers: 4