Re: Can we use 'Run in privileged mode' in the Jenkins Kubernetes Pod Template?

2018-04-17 Thread Clayton Coleman
Privileged allows everything that anyuid allows

On Apr 17, 2018, at 11:20 AM, Alan Christie <achris...@informaticsmatters.com> wrote:

Thanks Clayton. That’s worked.

I’m not sure whether I also need to do an "oc adm policy add-scc-to-user
anyuid -z ${SERVICE_ACCOUNT}" (which I have done) but I am now able to
build Docker container images in a Jenkins pipeline using a buildah
slave-agent! That’s neat.

The Dockerfile/image source that builds the Jenkins slave-agent and the
(rather fat) resultant agent image are public...

https://github.com/alanbchristie/openshift-jenkins-buildah-slave
https://hub.docker.com/r/alanbchristie/jenkins-slave-buildah-centos7/


On 17 Apr 2018, at 00:39, Clayton Coleman  wrote:

Like any other user, to run privileged an administrator must grant access
to the Jenkins service account to launch privileged pods.  That’s done by
granting the service account the slave pod runs as the privileged SCC:

oc adm policy add-scc-to-user -z SERVICE_ACCT privileged

On Apr 16, 2018, at 2:46 PM, Alan Christie wrote:

I’m trying to get around building Docker containers in a Jenkins
slave-agent (because the Docker socket is not available). Along comes
`buildah` claiming to be a lightweight OCI builder so I’ve built a
`buildah` Jenkins slave agent based on the
`openshift/jenkins-slave-maven-centos7` image (
https://github.com/alanbchristie/openshift-jenkins-buildah-slave.git).

Nice.

Sadly…

…the agent appears useless because buildah needs to be run as root!!!

So I walk from one problem into another.

The wonderfully named option in Jenkins -> Manage Jenkins -> Configure
System -> Kubernetes Pod Template -> "Run in privileged mode" was so
appealing I just had to click it!

But … sigh ... I still can’t run as root, instead I get the **Privileged
containers are not allowed provider restricted** error.

This has probably been asked before but...

   1. Is there anything that can be done to run slave-agents as root? (I
   don't want a BuildConfig, I want to run my existing complex pipelines which
   also build docker images in a Jenkins agent)
   2. If not, is someone thinking about supporting this?

Alan Christie


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
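
An added example, not part of any message in this thread: a small audit of which service accounts hold SCCs that allow privileged containers or any UID, flagging an `anyuid` grant that is redundant next to `privileged`, as the reply above states. It assumes `oc get scc -o json` output in which grants appear in each SCC's `users` list; the sample data and the `ci:jenkins` service account are constructed.

```python
import json

# Constructed sample of `oc get scc -o json` output, trimmed to the fields used here.
SAMPLE_SCC_JSON = """
{"items": [
  {"metadata": {"name": "restricted"}, "allowPrivilegedContainer": false,
   "runAsUser": {"type": "MustRunAsRange"}, "users": [], "groups": ["system:authenticated"]},
  {"metadata": {"name": "anyuid"}, "allowPrivilegedContainer": false,
   "runAsUser": {"type": "RunAsAny"},
   "users": ["system:serviceaccount:ci:jenkins"], "groups": ["system:cluster-admins"]},
  {"metadata": {"name": "privileged"}, "allowPrivilegedContainer": true,
   "runAsUser": {"type": "RunAsAny"},
   "users": ["system:admin", "system:serviceaccount:ci:jenkins"], "groups": []}
]}
"""

SA_PREFIX = "system:serviceaccount:"


def audit_scc_grants(scc_list_json):
    """Return {namespace:name: {"privileged": [scc...], "any_uid_only": [scc...]}}."""
    report = {}
    for scc in json.loads(scc_list_json)["items"]:
        name = scc["metadata"]["name"]
        privileged = bool(scc.get("allowPrivilegedContainer"))
        any_uid = scc.get("runAsUser", {}).get("type") == "RunAsAny"
        if not (privileged or any_uid):
            continue  # SCC neither allows privileged containers nor arbitrary UIDs
        for user in scc.get("users") or []:  # "users" may be null
            if not user.startswith(SA_PREFIX):
                continue  # only service accounts are of interest here
            entry = report.setdefault(user[len(SA_PREFIX):],
                                      {"privileged": [], "any_uid_only": []})
            entry["privileged" if privileged else "any_uid_only"].append(name)
    return report


def redundant_grants(report):
    """Any-UID SCCs held by an account that already holds a privileged SCC."""
    return {sa: e["any_uid_only"] for sa, e in report.items()
            if e["privileged"] and e["any_uid_only"]}


if __name__ == "__main__":
    report = audit_scc_grants(SAMPLE_SCC_JSON)
    for sa, entry in sorted(report.items()):
        print(sa, entry)
    print("redundant:", redundant_grants(report))
```

Grants made through RBAC role bindings rather than an SCC's `users` list do not show up in this field and need a separate check.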


Re: Can we use 'Run in privileged mode' in the Jenkins Kubernetes Pod Template?

2018-04-17 Thread Alan Christie
Thanks Clayton. That’s worked.

I’m not sure whether I also need to do an "oc adm policy add-scc-to-user anyuid 
-z ${SERVICE_ACCOUNT}" (which I have done) but I am now able to build Docker 
container images in a Jenkins pipeline using a buildah slave-agent! That’s neat.

The Dockerfile/image source that builds the Jenkins slave-agent and the (rather 
fat) resultant agent image are public...

https://github.com/alanbchristie/openshift-jenkins-buildah-slave 

https://hub.docker.com/r/alanbchristie/jenkins-slave-buildah-centos7/ 



> On 17 Apr 2018, at 00:39, Clayton Coleman  wrote:
> 
> Like any other user, to run privileged an administrator must grant access to 
> the Jenkins service account to launch privileged pods.  That’s done by 
> granting the service account the slave pod runs as the privileged SCC:
> 
> oc adm policy add-scc-to-user -z SERVICE_ACCT privileged 
> 
> On Apr 16, 2018, at 2:46 PM, Alan Christie wrote:
> 
>> I’m trying to get around building Docker containers in a Jenkins slave-agent 
>> (because the Docker socket is not available). Along comes `buildah` claiming 
>> to be a lightweight OCI builder so I’ve built a `buildah` Jenkins slave 
>> agent based on the `openshift/jenkins-slave-maven-centos7` image 
>> (https://github.com/alanbchristie/openshift-jenkins-buildah-slave.git).
>> 
>> Nice.
>> 
>> Sadly…
>> 
>> …the agent appears useless because buildah needs to be run as root!!!
>> 
>> So I walk from one problem into another.
>> 
>> The wonderfully named option in Jenkins -> Manage Jenkins -> Configure 
>> System -> Kubernetes Pod Template -> "Run in privileged mode" was so 
>> appealing I just had to click it!
>> 
>> But … sigh ... I still can’t run as root, instead I get the **Privileged 
>> containers are not allowed provider restricted** error.
>> 
>> This has probably been asked before but...
>> 
>>    1. Is there anything that can be done to run slave-agents as root? (I
>>    don't want a BuildConfig, I want to run my existing complex pipelines
>>    which also build docker images in a Jenkins agent)
>>    2. If not, is someone thinking about supporting this?
>> 
>> Alan Christie
>> 
>> 


Re: Can we use 'Run in privileged mode' in the Jenkins Kubernetes Pod Template?

2018-04-16 Thread Clayton Coleman
Like any other user, to run privileged an administrator must grant access
to the Jenkins service account to launch privileged pods.  That’s done by
granting the service account the slave pod runs as the privileged SCC:

oc adm policy add-scc-to-user -z SERVICE_ACCT privileged

On Apr 16, 2018, at 2:46 PM, Alan Christie wrote:

I’m trying to get around building Docker containers in a Jenkins
slave-agent (because the Docker socket is not available). Along comes
`buildah` claiming to be a lightweight OCI builder so I’ve built a
`buildah` Jenkins slave agent based on the
`openshift/jenkins-slave-maven-centos7` image (
https://github.com/alanbchristie/openshift-jenkins-buildah-slave.git).

Nice.

Sadly…

…the agent appears useless because buildah needs to be run as root!!!

So I walk from one problem into another.

The wonderfully named option in Jenkins -> Manage Jenkins -> Configure
System -> Kubernetes Pod Template -> "Run in privileged mode" was so
appealing I just had to click it!

But … sigh ... I still can’t run as root, instead I get the **Privileged
containers are not allowed provider restricted** error.

This has probably been asked before but...

   1. Is there anything that can be done to run slave-agents as root? (I
   don't want a BuildConfig, I want to run my existing complex pipelines which
   also build docker images in a Jenkins agent)
   2. If not, is someone thinking about supporting this?

Alan Christie




Can we use 'Run in privileged mode' in the Jenkins Kubernetes Pod Template?

2018-04-16 Thread Alan Christie
I’m trying to get around building Docker containers in a Jenkins slave-agent 
(because the Docker socket is not available). Along comes `buildah` claiming to 
be a lightweight OCI builder so I’ve built a `buildah` Jenkins slave agent 
based on the `openshift/jenkins-slave-maven-centos7` image 
(https://github.com/alanbchristie/openshift-jenkins-buildah-slave.git).

Nice.

Sadly…

…the agent appears useless because buildah needs to be run as root!!!

So I walk from one problem into another.

The wonderfully named option in Jenkins -> Manage Jenkins -> Configure System 
-> Kubernetes Pod Template -> "Run in privileged mode" was so appealing I just 
had to click it!

But … sigh ... I still can’t run as root, instead I get the **Privileged 
containers are not allowed provider restricted** error.

This has probably been asked before but...

   1. Is there anything that can be done to run slave-agents as root? (I
   don't want a BuildConfig, I want to run my existing complex pipelines which
   also build docker images in a Jenkins agent)
   2. If not, is someone thinking about supporting this?

Alan Christie

