I build a custom Jenkins master image from the Jenkins LTS image. Nothing very fancy, just a few convenience changes made to enable SSH communication:

    USER root
    RUN usermod -u 105 jenkins && usermod -g nogroup jenkins
    RUN mkdir -p /var/cache/jenkins && chown -R jenkins:nogroup /var/cache/jenkins && mkdir -p /var/log/jenkins && chown -R jenkins:nogroup /var/log/jenkins
    RUN mkdir -p /home/jenkins/.ssh/
    COPY id_rsa* /var/jenkins_home/.ssh/
    RUN chmod 600 /var/jenkins_home/.ssh/id_rsa*
    RUN chown -R jenkins:nogroup /home/jenkins/.ssh && chown -R jenkins:nogroup /var/jenkins_home
    
    USER jenkins

There are reasons (limitations) with the build and test infrastructure that required changing the user ID for the jenkins user from 1000 (on the Jenkins LTS image) to 105.

There are two volumes jenkinsHome and jenkinsLog that are mounted to the 
Jenkins master at `/var/jenkins_home` and `/var/log/jenkins`, respectively.

When starting the Jenkins master based on the custom image (with the above changes) using the `docker run` command, the `/var/jenkins_home` folder has the right permissions and the volume gets mounted successfully.

    jenkins@012696fe9af6:/$ ls -la /var/
    total 56
    ..
    ..
    drwxr-xr-x 31 jenkins jenkins 12288 Jan  3 18:42 jenkins_home

However, when I start the Jenkins master using docker-compose, /var/jenkins_home has its owner set to 1000. Since there is no user with ID 1000 on the master image, Jenkins fails to start since the permissions on the jenkins_home are

    jenkins@012696fe9af6:/$ ls -la /var/
    total 56
    ..
    ..
    drwxr-xr-x 31 1000 jenkins 12288 Jan  3 18:42 jenkins_home

QUESTIONS:
- Can someone please help me figure out why or how the owner of the jenkins_home folder seems to be different when starting the service using docker run vs docker compose?
- It is not clear whether the entrypoint command for the LTS image is somehow changing the permissions. I feel it is unlikely because I explicitly set permissions on that folder `/var/jenkins_home` in the custom image that I use for spinning up the Jenkins master.


FWIW - I have tried running the docker run command with the `--user 105:nogroup` flag and docker-compose with `user: 105:nogroup` to enforce the users that are starting the container (docker run) and/or service (docker-compose). Also, a user with ID 105 does exist on the host VM.

DOCKER RUN COMMAND

    docker run --user 105:65534 -dit --log-opt max-size=10m --log-opt max-file=3 \
      --restart unless-stopped -p 12345:8080 -t --name=master -p 50000:50000 \
      --volumes-from=daas-jenkins-data \
      -e JENKINS_OPTS="-Dhudson.plugins.sshslaves.SSHLauncher.trackCredentials=false --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --handlerCountMax=300" \
      -e JAVA_OPTS="-Duser.timezone=America/New_York -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Xmx4096m" \
      jenkins-custom-master


DOCKER COMPOSE FILE

    version: '3.5'
    services:
    
      jenkins:
        image: jenkins-custom-master
        container_name: jenkins-master-svc
        volumes:
          - type: volume
            source: jenkinsHome
            target: /var/jenkins_home
          - type: volume
            source: jenkinsLog
            target: /var/log/jenkins
        ports:
          - "12345:8080"
          - "50000:50000"
        environment:
          - JENKINS_OPTS=-Dhudson.plugins.sshslaves.SSHLauncher.trackCredentials=false --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --handlerCountMax=300
          - JAVA_OPTS=-Duser.timezone=America/New_York -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Xmx4096m
        user: 105:65534
        networks:
          - jenkins-network  
    
      nginx:
        image: nginx-custom
        container_name: jenkins-nginx-svc
        ports:
          - "443:443"
          - "80:80"
        networks:
          - jenkins-network  
    
    networks:
      jenkins-network:
        name: jenkins-network
    
    volumes:
      jenkinsHome:
        external: true
      jenkinsLog:
        external: true
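
The mismatch described in this message (a directory owned by UID 1000 while the process runs as 105:65534) can be confirmed with a numeric ownership audit of the mounted directories, together with a mode check on the `id_rsa*` keys that the Dockerfile sets to 600. This is an added example, not part of the original post; the function names `audit_owner` and `audit_keys` are hypothetical, and the default IDs are taken from the `--user 105:65534` setting above.

```shell
#!/bin/sh
# Added example (not from the original post): audit numeric ownership and
# private-key modes under a Jenkins data directory. Run it inside the
# container, or on the host against the directory that backs the volume.
# Defaults are the IDs used in the post: UID 105, GID 65534 (nogroup).

# audit_owner DIR [UID] [GID]
# Lists every entry under DIR that is not owned by UID:GID, using numeric
# IDs (as `ls -n` shows them), so it works even when the ID has no passwd
# entry in the image. Returns 0 if all match, 1 on mismatch, 2 if DIR is
# missing.
audit_owner() {
    dir=$1 uid=${2:-105} gid=${3:-65534}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    bad=$(find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) \
        -exec ls -ldn {} + 2>/dev/null)
    [ -z "$bad" ] && return 0
    echo "entries under $dir not owned by $uid:$gid:" >&2
    echo "$bad" >&2
    return 1
}

# audit_keys DIR
# Flags private key files (id_rsa*, excluding *.pub) under DIR that are
# readable by group or others. Returns 0 if none, 1 if any, 2 if DIR is
# missing.
audit_keys() {
    [ -d "$1" ] || { echo "missing: $1" >&2; return 2; }
    loose=$(find "$1" -type f -name 'id_rsa*' ! -name '*.pub' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null)
    [ -z "$loose" ] && return 0
    echo "private keys readable by group/other:" >&2
    echo "$loose" >&2
    return 1
}
```

For example, `audit_owner /var/jenkins_home && audit_owner /var/log/jenkins && audit_keys /var/jenkins_home/.ssh` reports which entries in each mounted directory still carry an owner other than 105:65534.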
