Your second image runs as root and its /etc/passwd matches what you were seeing in your pipeline.
➭ docker run --entrypoint /bin/bash -ti kasproject/kas
root@ffa3dff671f9:/# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Vincent

On Tue, 15 Sep 2020 at 10:49, iris Jasper Orschulko <[email protected]> wrote:

> Hi Vincent,
>
> I am fairly certain that the images are identical, as I used the pod image
> from the jenkins logs (jenkins/inbound-agent:4.3-4). The second image I
> used in the pipeline for the build process was
> https://hub.docker.com/r/kasproject/kas which also should have a non-root
> user (builder, uid 30000). I am not sure how Jenkins handles the
> containerisation, but unless there is some magic in the background I do not
> understand, it should be one of those images.
>
> Best regards
>
> Kind regards
>
> Jasper Orschulko
> Build and Configuration Manager
>
> Tel. +49 30 58 58 14 265
> Fax +49 30 58 58 14 999
> [email protected]
>
> iris-GmbH
> infrared & intelligent sensors
> Ostendstraße 1-14 | 12459 Berlin
>
> Managing Directors
> M.-O. Brammann | R. Bönick | A. Thun
> Amtsgericht Berlin-Charlottenburg
> HRB 41 448 | VAT ID No. DE 137228225
>
> www.irisgmbh.de
>
> ------------------------------
> *From:* [email protected] [[email protected]]
> on behalf of Vincent Latombe [[email protected]]
> *Sent:* Friday, September 11, 2020 11:50 AM
> *To:* Jenkins Users
> *Subject:* Re: Kubernetes Plugin: How to run commands within agent
> container as non-root?
>
> > [Pipeline] container
>
> What is your container definition? I really doubt it is the same image as
> what you're running through docker CLI.
>
> Vincent
>
> On Thu, 10 Sep 2020 at 19:59, iris Jasper Orschulko <[email protected]> wrote:
>
>> I am trying to run a Pipeline in a Kubernetes agent, which needs to
>> execute commands as non-root user. So I tried setting the securityContext
>> of the Pod to 1000 (the default jenkins user) as described here:
>> https://plugins.jenkins.io/kubernetes/. However, the user does not exist
>> in the container within Kubernetes:
>>
>> [Pipeline] {
>> [Pipeline] stage
>> [Pipeline] { (Yocto Build)
>> [Pipeline] container
>> [Pipeline] {
>> [Pipeline] script
>> [Pipeline] {
>> [Pipeline] sh
>>
>> + set -ex
>> + cat /etc/passwd
>> root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
>> bin:x:2:2:bin:/bin:/usr/sbin/nologin
>> sys:x:3:3:sys:/dev:/usr/sbin/nologin
>> sync:x:4:65534:sync:/bin:/bin/sync
>> games:x:5:60:games:/usr/games:/usr/sbin/nologin
>> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
>> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
>> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
>> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
>> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
>> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
>> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
>> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
>> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>> _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
>>
>> However, when running the same image (jenkins/inbound-agent:4.3-4) in
>> docker directly, there is a jenkins user:
>>
>> sudo docker run -it --rm jenkins/inbound-agent:4.3-4 bash
>> jenkins@255a3961e41e:~$ cat /etc/passwd
>> root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
>> bin:x:2:2:bin:/bin:/usr/sbin/nologin
>> sys:x:3:3:sys:/dev:/usr/sbin/nologin
>> sync:x:4:65534:sync:/bin:/bin/sync
>> games:x:5:60:games:/usr/games:/usr/sbin/nologin
>> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
>> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
>> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
>> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
>> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
>> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
>> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
>> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
>> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>> _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
>> jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh
>>
>> Any ideas why this might be the case? Is this intentional? If so, what
>> would be the right way to run the container as non-root?
>>
>> Best regards
>>
>> Jasper Orschulko

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAH-zGCjNk_%2BwwZdy6T4FLqiQwxu%2BYwzRMv2JmoaOUk_imr%3DK_w%40mail.gmail.com.
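
The diagnosis in this thread turns on which UID a pipeline step runs as and whether that UID has an entry in the container's /etc/passwd. As an added example (not from the thread or from the Kubernetes plugin), the shell helper below classifies a UID against a passwd file; the function names and the two sample files, trimmed from the listings in the thread, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the identity a container step runs under.

# Print the login name that FILE maps to UID; exit status 1 if there is none.
passwd_name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; found = 1; exit }
                         END { exit !found }' "$1"
}

# check_identity FILE UID
# Returns 0: non-root UID with a passwd entry
#         1: UID 0 (root)
#         2: non-root UID with no passwd entry in FILE
check_identity() {
    if [ "$2" -eq 0 ]; then
        echo "uid=0 (root)"
        return 1
    fi
    if name=$(passwd_name_for_uid "$1" "$2"); then
        echo "uid=$2 ($name)"
        return 0
    fi
    echo "uid=$2 has no entry in $1"
    return 2
}

# Constructed samples: a few entries from the two /etc/passwd listings above.
SAMPLES=$(mktemp -d)
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' \
    '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin' > "$SAMPLES/build.passwd"
{
    cat "$SAMPLES/build.passwd"
    echo 'jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh'
} > "$SAMPLES/agent.passwd"

# Inside a real step the call would be: check_identity /etc/passwd "$(id -u)"
check_identity "$SAMPLES/agent.passwd" 1000 || true   # agent image listing
check_identity "$SAMPLES/build.passwd" 1000 || true   # listing seen in the pipeline
check_identity "$SAMPLES/build.passwd" 0 || true      # a step running as root
```

Running the same call in each container of the pod shows which container a step actually executes in and whether the pod-level UID resolves to a user there.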
