  1. Jenkins
  2. JENKINS-51643

Kubernetes plugin doesn't respect privileged=true in jnlp container


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Minor
    • kubernetes-plugin
    • None
    • Jenkins 2.89.4
      Kubernetes Plugin Version >= 1.60

      I have a library that defines the following pod template & container templates prior to using the node step to use the container as a slave.

      podTemplate(
        name: "provisioner-${config.version}",
        label: "provisioner-${config.version}",
        cloud: config.cloudName,
        serviceAccount: 'jenkins',
        idleMinutes: 0,
        namespace: config.tenant,
        containers: [
          // This adds the custom provisioner slave container to the pod. Must be first with name 'jnlp'
          containerTemplate(
            name: 'jnlp',
            image: "${config.dockerUrl}/${config.tenant}/${config.provisioningImage}-${config.version}",
            ttyEnabled: false,
            args: '${computer.jnlpmac} ${computer.name}',
            command: '',
            workingDir: '/tmp',
            privileged: true
          )
        ]
      )

      The resulting job fails because the container is not privileged, and thus doesn't have access to utilities that set the corresponding log messages:

      May 31, 2018 6:18:43 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      Created Pod: provisioner-v1.0-4gkgx in namespace redhat-multiarch-qe
      May 31, 2018 6:18:43 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      Waiting for Pod to be scheduled (0/100): provisioner-v1.0-4gkgx
      May 31, 2018 6:18:49 PM SEVERE org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher logLastLines
      Error in provisioning; agent=KubernetesSlave name: provisioner-v1.0-4gkgx, template=PodTemplate{, name='provisioner-v1.0', label='provisioner-v1.0', serviceAccount='jenkins', containers=[ContainerTemplate{name='jnlp', image='172.30.1.1:5000/redhat-multiarch-qe/provisioner-v1.0', alwaysPullImage=true, workingDir='/tmp', command='', args='${computer.jnlpmac} ${computer.name}'}]}. Container jnlp exited with error 127. Logs: failed to link /usr/bin/java -> /etc/alternatives/java: Permission denied

      As expected, an easy workaround for this is to go into the Jenkins settings after the job has run for the first time and manually set the pod template "privileged" flag. With this set provisioning completes as expected.

      May 31, 2018 6:40:23 PM INFO hudson.slaves.NodeProvisioner$2 run
      Kubernetes Pod Template provisioning successfully completed. We have now 2 computer(s)
      May 31, 2018 6:40:23 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      Created Pod: provisioner-v1.0-85v6m in namespace redhat-multiarch-qe
      May 31, 2018 6:40:23 PM INFO org.csanchez.jenkins.plugins.kubernetes.KubernetesLauncher launch
      

       

            csanchez Carlos Sanchez
            jaypoulz Jeremy Poulin
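
One way to check whether the `privileged: true` requested in the `containerTemplate` actually reached the pod, added here as an example and not taken from the issue or from the plugin's code. It assumes the pod has been dumped with `kubectl get pod <name> -o json`; the function names and the embedded sample are hypothetical.

```python
import json

# Constructed sample: trimmed shape of `kubectl get pod <name> -o json` output.
# Pod name and namespace come from the log above; images are placeholders.
SAMPLE_POD_JSON = """
{
  "metadata": {"name": "provisioner-v1.0-4gkgx", "namespace": "redhat-multiarch-qe"},
  "spec": {
    "containers": [
      {"name": "jnlp", "image": "example/provisioner", "securityContext": {"privileged": false}},
      {"name": "sidecar", "image": "example/sidecar"}
    ]
  }
}
"""


def privileged_by_container(pod):
    """Map container name -> privileged flag as recorded in the pod spec.

    A missing securityContext or privileged key means unprivileged
    (the Kubernetes default), so it is reported as False.
    """
    spec = pod.get("spec", {})
    result = {}
    for key in ("initContainers", "containers"):
        for c in spec.get(key) or []:
            ctx = c.get("securityContext") or {}
            result[c["name"]] = bool(ctx.get("privileged", False))
    return result


def privilege_mismatches(pod, expected):
    """Return {name: (requested, actual)} where the pod differs from the request.

    `expected` maps container name -> privileged value set in the
    containerTemplate; a container absent from the pod yields actual=None.
    """
    actual = privileged_by_container(pod)
    return {name: (want, actual.get(name))
            for name, want in expected.items() if actual.get(name) != want}


if __name__ == "__main__":
    pod = json.loads(SAMPLE_POD_JSON)
    for name, (want, got) in privilege_mismatches(pod, {"jnlp": True}).items():
        print(f"{name}: requested privileged={want}, pod spec has {got}")
```

An empty result for `{"jnlp": True}` means the flag reached the pod spec, so a remaining `Permission denied` would have to come from something other than the template setting.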