instead of building a new jenkins image to change the user, you should be
able to just set the RunAsUser to "0" in the pod template (either PodSpec
SecurityContext or Container SecurityContext), in the same place you set
Privileged to true.


On Thu, Mar 10, 2016 at 5:02 PM, Lorenz Vanthillo <[email protected]> wrote:

> It's working now but I had to perform some steps. I tried it first with
> the template but didn't succeed because the image of the template is using
> uid 101, which doesn't have root access. You need to have root access to use
> Docker or create a docker group.
> So I had to change the image:
>
> Dockerfile:
>
> FROM docker.io/openshift/jenkins-1-centos7
>
> USER 0
>
> Copied the content of the template in a .yaml and edited the image.
> I had to delete the 'trigger' part and I had to set privileged: true in
> the template.
>
> Here are the mounts + I also mounted the /etc/origin/node/ca.crt to
> authenticate with Jenkins on my OpenShift (I push images to my OpenShift
> registry)
>
>
>           privileged: true
>         terminationMessagePath: /dev/termination-log
>         volumeMounts:
>         - mountPath: /var/lib/jenkins
>           name: jenkins-volume
>         - mountPath: /var/run/docker.sock
>           name: socket
>         - mountPath: /usr/bin/docker
>           name: bin
>         - mountPath: /cert/
>           name: cert
>       dnsPolicy: ClusterFirst
>       restartPolicy: Always
>       securityContext: {}
>       terminationGracePeriodSeconds: 30
>       volumes:
>       - name: jenkins-volume
>         persistentVolumeClaim:
>           claimName: jenkins-claim
>       - hostPath:
>           path: /var/run/docker.sock
>         name: socket
>       - hostPath:
>           path: /usr/bin/docker
>         name: bin
>       - hostPath:
>           path: /etc/origin/node/
>         name: cert
>   test: false
>   triggers:
>   - type: ConfigChange
> status:
>   details:
>     causes:
>     - type: ConfigChange
>   latestVersion: 11
>
> Last step is to edit the scc privileged:
>
> $ oc edit scc privileged
>
> users:
> - system:serviceaccount:openshift-infra:build-controller
> - system:serviceaccount:management-infra:management-admin
> - system:serviceaccount:default:router
> - system:serviceaccount:default:registry
> - system:serviceaccount:jenkins:default
>
> Now my jenkins is persistent and I'm able to build docker images and push
> it into my own openshift registry. Thanks
>
> ------------------------------
> From: [email protected]
> Date: Thu, 10 Mar 2016 18:43:03 +0000
> Subject: Re: Run Docker on Jenkins in OpenShift
> To: [email protected]
> CC: [email protected]; [email protected]; [email protected];
> [email protected]
>
>
> Right, the docker builder mounts:
>
>   - hostPath:
>       path: /var/run/docker.sock
>
> I guess you need to make the user that runs the jenkins pod privileged [1]
> in order to create such a volume.
>
> [1]
> https://docs.openshift.org/latest/admin_guide/manage_scc.html#grant-access-to-the-privileged-scc
>
> On Thu, Mar 10, 2016 at 5:57 PM, Ben Parees <[email protected]> wrote:
>
> It needs access to the docker socket. I'm assuming something related to
> being unprivileged is blocking it, just like our docker builder pods run as
> privileged so they can use the docker socket, no?
>
>
> On Thu, Mar 10, 2016 at 12:11 PM, Clayton Coleman <[email protected]>
> wrote:
>
> Why would jenkins need access to host path?
>
> On Thu, Mar 10, 2016 at 12:01 PM, Ben Parees <[email protected]> wrote:
> > Sounds like the jenkins pod on openshift needs to be run as privileged and
> > currently isn't.
> >
> >
> > On Thu, Mar 10, 2016 at 11:55 AM, Clayton Coleman <[email protected]>
> > wrote:
> >>
> >> Gabe, Michal, any ideas?
> >>
> >> On Tue, Mar 8, 2016 at 10:03 AM, Lorenz Vanthillo
> >> <[email protected]> wrote:
> >> > I already edited scc privileged because otherwise I had this error:
> >> >
> >> > Error creating: pods "jenkins-5-" is forbidden: unable to validate against
> >> > any security context constraint:
> >> > [spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
> >> > HostPath volumes are not allowed to be used spec.containers[0].security
> >> >
> >> > So I added the jenkins:deploy + default service account but I still have
> >> > the error
> >> >
> >> > ________________________________
> >> > From: [email protected]
> >> > To: [email protected]
> >> > Subject: Run Docker on Jenkins in OpenShift
> >> > Date: Tue, 8 Mar 2016 16:52:34 +0100
> >> >
> >> > I've mounted the sockets to my Jenkins container. I've also edited the
> >> > docker image of openshift/jenkins so I'm able to be root, because
> >> > otherwise I'm not able to use Docker.
> >> >
> >> > But I still have a problem:
> >> > docker -h (works)
> >> > docker ps (doesn't work):
> >> >
> >> > + docker ps
> >> > Get http:///var/run/docker.sock/v1.20/containers/json: dial unix
> >> > /var/run/docker.sock: permission denied.
> >> > * Are you trying to connect to a TLS-enabled daemon without TLS?
> >> > * Is your docker daemon up and running?
> >> > Build step 'Execute shell' marked build as failure
> >> >
> >> >
> >> > When I just run the image on docker (without openshift) it works to
> >> > perform docker ps.
> >> > I use --privileged=true -t -i. When I try to run the container without
> >> > privileged it's not possible to perform the 'docker ps'. So the same
> >> > issue as in my OpenShift. How and which service account do I have to
> >> > change to let it work?
> >> >
> >> > _______________________________________________
> >> > users mailing list
> >> > [email protected]
> >> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> >> >
> >>
> >
> > --
> > Ben Parees | OpenShift
>
> --
> Ben Parees | OpenShift
>


-- 
Ben Parees | OpenShift
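The suggestion at the top of the thread as a concrete pod template fragment (an added example, not code from the thread or from OpenShift): the stock image stays unmodified, and root plus socket access come from the container securityContext instead of a rebuilt image. The service account name `jenkins-sa` is an assumption.

```yaml
# Added example, not from the thread: DeploymentConfig pod template fragment
# applying the reply's advice. The stock image is used as-is; root and
# docker-socket access are set in the container securityContext rather than
# via a custom Dockerfile with "USER 0". Service account "jenkins-sa" is assumed.
spec:
  template:
    spec:
      serviceAccountName: jenkins-sa     # grant only this SA the privileged SCC
      containers:
      - name: jenkins
        image: docker.io/openshift/jenkins-1-centos7
        securityContext:
          runAsUser: 0                   # replaces "USER 0" in a rebuilt image
          privileged: true               # required to use the host docker socket
        volumeMounts:
        - mountPath: /var/lib/jenkins
          name: jenkins-volume
        - mountPath: /var/run/docker.sock
          name: socket
        - mountPath: /usr/bin/docker
          name: bin
        - mountPath: /cert/
          name: cert
      volumes:
      - name: jenkins-volume
        persistentVolumeClaim:
          claimName: jenkins-claim
      - name: socket
        hostPath:
          path: /var/run/docker.sock
      - name: bin
        hostPath:
          path: /usr/bin/docker
      - name: cert
        hostPath:
          path: /etc/origin/node/
```

A privileged pod with /var/run/docker.sock mounted can do anything the node's docker daemon can, so grant the privileged SCC to this one dedicated account (`oc adm policy add-scc-to-user privileged -z jenkins-sa -n jenkins`) rather than adding the namespace's `default` account to the SCC.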
