withDockerContainer uses -u which fails for rootless docker

      Hi,

      I have RHEL 9.6 with SELinux enabled. I run a Jenkins agent as a systemd service. The user which runs the agent has rootless docker.

      My pipeline job first downloads a repo from git (this step runs outside of docker), then runs build steps in docker.

      The issue is that withDockerContainer starts the docker container with -u user_pid:user_group (in my case it is -u 1013:1013) which causes the processes inside of docker to not be able to modify files created by git (or create new directories).

      I suspect that the issue in this case is that the user inside of docker is mapped to root, but by providing -u option the applications inside of docker run with another user.

      I do not have any special configuration for docker.

      systemd file:

      [Unit]
      Description=Jenkins JNLP Slave service
      After=network.target
      [Service]
      Type=simple
      Environment=LANG=C
      Environment=DOCKER_HOST=unix:///run/user/1013/docker.sock
      WorkingDirectory=/var/agent
      ExecStart=/usr/lib/jvm/java-21-zulu-openjdk/bin/java -jar /home/jenkins/agent.jar -url https://ANONYMIZED/ -secret ANONMIZED -name "ANONYMIZED" -webSocket -workDir "/var/agent"
      Restart=always
      RestartSec=30s
      WantedBy=multi-user.target
      Rootless docker is installed according to the docs, without any options.

      I am able to run the pipeline if I provide args to withDockerContainer that overwrite -u by providing -u root:root. But I have to do it for each withDockerContainer execution.
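The mapping the reporter suspects (the host user becomes root inside the container, so a non-zero -u lands in the subuid range) worked through in an added example that is not part of the issue or of the plugin; the uid_map contents and the 100000-165535 subuid range are constructed assumptions:

```shell
#!/bin/sh
# Translate a container uid to the host uid through a user-namespace uid_map,
# to show why "-u 1013:1013" cannot write files owned by host uid 1013 under
# rootless docker. Format of /proc/self/uid_map: <container-start> <host-start> <length>.
# Constructed to match a rootless daemon run by uid 1013 whose /etc/subuid entry
# grants the range 100000-165535 (assumption, not taken from the issue).
ROOTLESS_UID_MAP='0 1013 1
1 100000 65536'

# Rootful docker: identity mapping over the whole uid range.
ROOTFUL_UID_MAP='0 0 4294967295'

# map_uid MAP UID -> prints the host uid, or "unmapped" if UID lies outside the map.
map_uid() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# can_write_as OWNER_UID MAP CONTAINER_UID -> "yes" if a process running as
# CONTAINER_UID ends up owning files that OWNER_UID created on the host
# (uid match only; group membership and mode bits are ignored for clarity).
can_write_as() {
    host_uid=$(map_uid "$2" "$3")
    [ "$host_uid" = "$1" ] && echo yes || echo no
}

# Walkthrough of the issue: git ran on the host as uid 1013, then
# withDockerContainer starts the container with -u 1013:1013.
echo "rootless, -u 1013: host uid $(map_uid "$ROOTLESS_UID_MAP" 1013), writable=$(can_write_as 1013 "$ROOTLESS_UID_MAP" 1013)"
echo "rootless, -u 0:    host uid $(map_uid "$ROOTLESS_UID_MAP" 0), writable=$(can_write_as 1013 "$ROOTLESS_UID_MAP" 0)"
echo "rootful,  -u 1013: host uid $(map_uid "$ROOTFUL_UID_MAP" 1013), writable=$(can_write_as 1013 "$ROOTFUL_UID_MAP" 1013)"
```

On a real agent the map in effect for a container can be read with `docker run --rm alpine cat /proc/self/uid_map` and fed to `map_uid` in place of the constructed strings.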

          [JENKINS-74995] withDockerContainer uses -u which fails for rootless docker

          Lionel added a comment - edited

          +1 for this issue. A workaround on remote agents is to overwrite the 'id' command to return '0', but it's not a long-term solution.

          The problem is here: https://github.com/jenkinsci/docker-workflow-plugin/blob/827a6971ac33b7985b32e03fc4133c07ebc5a2af/src/main/java/org/jenkinsci/plugins/docker/workflow/client/DockerClient.java#L326. We should have the possibility to change the returned value.

          Mark R added a comment -

          We are running rootless podman on RHEL. Here are the steps I used to get it set up:

          1) In containers.conf use "keep-id" for the user namespace (userns = "keep-id")
          2) Run the podman service as a user service (run these as the user Jenkins runs as)
          (there may be steps here I am missing that set up the user systemd files)
          export XDG_RUNTIME_DIR=/run/user/<user_id>
          /usr/bin/systemctl --user enable --now podman.socket
          /usr/bin/systemctl --user start podman.service
          3) Enable lingering so the service remains active (run these as the user Jenkins runs as)
          export XDG_RUNTIME_DIR=/run/user/<user_id>
          /usr/bin/loginctl enable-linger <user>
          4) Set DOCKER_HOST to use the user podman socket
          DOCKER_HOST=unix:///run/user/<user_id>/podman/podman.sock

          Lionel added a comment -

          Submitted patch for this issue: https://github.com/jenkinsci/docker-workflow-plugin/pull/325

            Assignee: Unassigned
            Reporter: pachum_vig (Michał)
            Votes: 0
            Watchers: 4