Kubernetes plugin doesn't respect privileged=true in jnlp container

This issue is archived. You can view it, but you can't modify it.

      I have a library that defines the following pod template & container templates prior to using the node step to use the container as a slave.

      podTemplate(
        name: "provisioner-${config.version}",
        label: "provisioner-${config.version}",
        cloud: config.cloudName,
        serviceAccount: 'jenkins',
        idleMinutes: 0,
        namespace: config.tenant,
        containers: [
          // This adds the custom provisioner slave container to the pod. Must be first with name 'jnlp'
          containerTemplate(
            name: 'jnlp',
            image: "${config.dockerUrl}/${config.tenant}/${config.provisioningImage}-${config.version}",
            ttyEnabled: false,
            args: '${computer.jnlpmac} ${computer.name}',
            command: '',
            workingDir: '/tmp',
            privileged: true
          )
        ]
      )

      The resulting job fails because the container is not privileged, and thus doesn't have access to utilities that set the corresponding log messages:

      May 31, 2018 6:18:43 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      Created Pod: provisioner-v1.0-4gkgx in namespace redhat-multiarch-qe
      May 31, 2018 6:18:43 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      Waiting for Pod to be scheduled (0/100): provisioner-v1.0-4gkgx
      May 31, 2018 6:18:49 PM SEVERE org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher logLastLines
      Error in provisioning; agent=KubernetesSlave name: provisioner-v1.0-4gkgx, template=PodTemplate{, name='provisioner-v1.0', label='provisioner-v1.0', serviceAccount='jenkins', containers=[ContainerTemplate{name='jnlp', image='172.30.1.1:5000/redhat-multiarch-qe/provisioner-v1.0', alwaysPullImage=true, workingDir='/tmp', command='', args='${computer.jnlpmac} ${computer.name}'}]}. Container jnlp exited with error 127. Logs: failed to link /usr/bin/java -> /etc/alternatives/java: Permission denied

      As expected, an easy workaround for this is to go into the Jenkins settings after the job has run for the first time and manually set the pod template "privileged" flag. With this set provisioning completes as expected.

      May 31, 2018 6:40:23 PM INFO hudson.slaves.NodeProvisioner$2 run
      Kubernetes Pod Template provisioning successfully completed. We have now 2 computer(s)
      May 31, 2018 6:40:23 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      Created Pod: provisioner-v1.0-85v6m in namespace redhat-multiarch-qe
      May 31, 2018 6:40:23 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      

       

            Assignee:
            Carlos Sanchez
            Reporter:
            Jeremy Poulin
            Archiver:
            Jenkins Service Account
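
A check for the mismatch reported above, added here as an example (not code from the Kubernetes plugin or the reporter's library): it compares the `privileged` value declared in a container template with the securityContext that actually appears in the pod spec, and also flags containers that are privileged without having been declared so. The pod JSON is a constructed sample shaped like `kubectl get pod -o json` output; the `sidecar` container and every name and image in it are assumptions.

```python
import json

# Constructed sample: trimmed `kubectl get pod -o json` output for an agent pod
# whose jnlp container was created without a privileged securityContext.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "provisioner-agent-example", "namespace": "example-ns"},
  "spec": {
    "containers": [
      {"name": "jnlp", "image": "registry.example/provisioner:tag"},
      {"name": "sidecar", "image": "registry.example/tool:tag",
       "securityContext": {"privileged": true}}
    ]
  }
}
""")

def effective_privileged(pod):
    """Map container name -> privileged flag actually present in the pod spec."""
    spec = pod.get("spec", {})
    result = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        # A missing securityContext or a missing key means "not privileged".
        ctx = c.get("securityContext") or {}
        result[c["name"]] = bool(ctx.get("privileged", False))
    return result

def privileged_drift(pod, declared):
    """Compare what the pipeline declared with what the pod spec contains.

    declared: container name -> privileged value from the containerTemplate.
    Returns (name, declared, effective) for every mismatch, including
    containers that ended up privileged without being declared so.
    """
    effective = effective_privileged(pod)
    drift = []
    for name in sorted(set(declared) | set(effective)):
        want = declared.get(name, False)
        got = effective.get(name)  # None: container absent from the pod
        if got is None or want != got:
            drift.append((name, want, got))
    return drift

if __name__ == "__main__":
    for name, want, got in privileged_drift(SAMPLE_POD, {"jnlp": True}):
        print(f"{name}: declared privileged={want}, effective={got}")
```

Running the same comparison after a template change shows whether the flag reached the pod, and which containers carry privileged access that the pipeline never asked for.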