Hi Vincent,

I am fairly certain that the images are identical, as I used the pod image from the Jenkins logs (jenkins/inbound-agent:4.3-4). The second image I used in the pipeline for the build process was https://hub.docker.com/r/kasproject/kas, which also should have a non-root user (builder, uid 30000). I am not sure how Jenkins handles the containerisation, but unless there is some magic in the background I do not understand, it should be one of those images.
Best regards
Jasper Orschulko
Build and Configuration Manager
Tel. +49 30 58 58 14 265
Fax +49 30 58 58 14 999
[email protected]

iris-GmbH infrared & intelligent sensors
Ostendstraße 1-14 | 12459 Berlin
Managing Directors M.-O. Brammann | R. Bönick | A. Thun
Berlin-Charlottenburg District Court HRB 41 448 | VAT ID No. DE 137228225
www.irisgmbh.de

________________________________
From: [email protected] [[email protected]] on behalf of Vincent Latombe [[email protected]]
Sent: Friday, September 11, 2020 11:50 AM
To: Jenkins Users
Subject: Re: Kubernetes Plugin: How to run commands within agent container as non-root?

> [Pipeline] container

What is your container definition? I really doubt it is the same image as what you're running through docker CLI.

Vincent

On Thu, 10 Sep 2020 at 19:59, iris Jasper Orschulko <[email protected]> wrote:

I am trying to run a Pipeline in a Kubernetes agent, which needs to execute commands as a non-root user. So I tried setting the securityContext of the Pod to 1000 (the default jenkins user) as described here: https://plugins.jenkins.io/kubernetes/.
However, the user does not exist in the container within Kubernetes:

    [Pipeline] {
    [Pipeline] stage
    [Pipeline] { (Yocto Build)
    [Pipeline] container
    [Pipeline] {
    [Pipeline] script
    [Pipeline] {
    [Pipeline] sh
    + set -ex
    + cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin

However, when running the same image (jenkins/inbound-agent:4.3-4) in docker directly, there is a jenkins user:

    sudo docker run -it --rm jenkins/inbound-agent:4.3-4 bash
    jenkins@255a3961e41e:~$ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh

Any ideas why this might be the case? Is this intentional? If so, what would be the right way to run the container as non-root?

Best regards
Jasper Orschulko

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/38B822B13B092D4C832A97382607EFDF07CF24E0%40ERDE.irisgmbh.local.
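The configuration the thread is circling around, as an added example that is not from the thread or the Jenkins project: a declarative Jenkinsfile for the Kubernetes plugin that sets the UID per container instead of once for the whole pod, so the jnlp container keeps its jenkins user (1000) while the build container runs as the kas builder user (30000, as stated above), plus a step that reports which container and UID it really runs under. A pod-level runAsUser applies to every container in the pod, so a single runAsUser: 1000 also reaches the kas container, where that UID has no /etc/passwd entry; the image names come from the thread, and the builder UID and the presence of getent in both images are assumptions.

```groovy
// Added example, not from the thread. Assumptions: kasproject/kas ships a
// "builder" user with UID 30000; both images provide getent.
pipeline {
    agent {
        kubernetes {
            defaultContainer 'kas'   // steps run here unless wrapped in container('jnlp')
            yaml """
apiVersion: v1
kind: Pod
spec:
  securityContext:            # pod level: inherited by every container, jnlp included
    runAsUser: 30000
    runAsGroup: 30000
    runAsNonRoot: true        # kubelet refuses to start any container whose effective UID is 0
  containers:
  - name: jnlp
    image: jenkins/inbound-agent:4.3-4
    securityContext:
      runAsUser: 1000         # container-level override keeps the image's own jenkins user
      runAsGroup: 1000
  - name: kas
    image: kasproject/kas
    command: ['sleep']
    args: ['infinity']
    securityContext:
      allowPrivilegeEscalation: false
"""
        }
    }
    stages {
        stage('Yocto Build') {
            steps {
                // id -u prints the effective UID even when /etc/passwd has no entry for it;
                // getent then fails, which is the symptom the thread shows (no jenkins user).
                sh '''
                    echo "container=kas"; id
                    getent passwd "$(id -u)" || echo "uid $(id -u) has no /etc/passwd entry"
                '''
                container('jnlp') {
                    sh '''
                        echo "container=jnlp"; id
                        getent passwd "$(id -u)"
                    '''
                }
            }
        }
    }
}
```

The second sh step makes the mismatch visible in the build log: a UID that passes id but fails getent is exactly the state that breaks tools which look up the current user by name.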
