One last question. What did you mean with pod-template: I was searching in the
template but I don't see pod specifications. Only container.
How did I have to change it?
spec:
  containers:
  - capabilities: {}
    env:
    - name: JENKINS_PASSWORD
      value: ${JENKINS_PASSWORD}
    image: ${JENKINS_IMAGE}
    imagePullPolicy: IfNotPresent
    name: jenkins
    resources: {}
    securityContext:
      capabilities: {}
      privileged: false
    terminationMessagePath: /dev/termination-log
https://github.com/openshift/jenkins/blob/master/1/Dockerfile
I don't see something like RunAsAny user in the template. It will run as user
1001 as the Dockerfile defined, won't it?
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: Run Docker on Jenkins in OpenShift
Date: Thu, 10 Mar 2016 23:08:51 +0100
Okay thanks, hoped there was a more efficient way.
From: [email protected]
Date: Thu, 10 Mar 2016 17:06:48 -0500
Subject: Re: Run Docker on Jenkins in OpenShift
To: [email protected]
CC: [email protected]; [email protected]; [email protected]
Instead of building a new jenkins image to change the user, you should be able
to just set the RunAsUser to "0" in the pod template (either PodSpec
SecurityContext or Container SecurityContext), in the same place you set
Privileged to true.
On Thu, Mar 10, 2016 at 5:02 PM, Lorenz Vanthillo
<[email protected]> wrote:
It's working now but I had to perform some steps. I tried it first with the
template but didn't succeed because the image of the template is using uid 101
which doesn't have root access. You need to have root access to use Docker or create a
docker group.
So I had to change the image:
Dockerfile:
FROM docker.io/openshift/jenkins-1-centos7
USER 0
Copied the content of the template in a .yaml and edited the image.
I had to delete the 'trigger' part and I had to set
privileged: true
in the template.
Here are the mounts + I also mounted the /etc/origin/node/ca.crt to
authenticate with Jenkins on my OpenShift (I push images to my OpenShift
registry)
          privileged: true
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /var/lib/jenkins
          name: jenkins-volume
        - mountPath: /var/run/docker.sock
          name: socket
        - mountPath: /usr/bin/docker
          name: bin
        - mountPath: /cert/
          name: cert
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: jenkins-volume
        persistentVolumeClaim:
          claimName: jenkins-claim
      - hostPath:
          path: /var/run/docker.sock
        name: socket
      - hostPath:
          path: /usr/bin/docker
        name: bin
      - hostPath:
          path: /etc/origin/node/
        name: cert
  test: false
  triggers:
  - type: ConfigChange
status:
  details:
    causes:
    - type: ConfigChange
  latestVersion: 11
The last step is to edit the privileged SCC:
$ oc edit scc privileged
users:
- system:serviceaccount:openshift-infra:build-controller
- system:serviceaccount:management-infra:management-admin
- system:serviceaccount:default:router
- system:serviceaccount:default:registry
- system:serviceaccount:jenkins:default
Now my jenkins is persistent and I'm able to build docker images and push them
into my own openshift registry. Thanks
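The DeploymentConfig above grants the Jenkins pod node-level privilege in several places at once (privileged container, hostPath mounts of the docker socket, the docker binary and the node config directory, and root inside the container, whether via USER 0 in the Dockerfile or via Ben's suggested runAsUser: 0 in the securityContext). As an added example, not code from the thread or from the OpenShift project, the script below walks a pod template and lists each of those grants so a reviewer can see what a template like this hands out before it is admitted by the privileged SCC. The template is a constructed Python dict that mirrors Lorenz's fragment; the image reference is a placeholder, and the descriptions of what each host path exposes are the author's own wording.

```python
# Added example (not from the mailing-list thread): audit a pod template for the
# node-level privileges the thread's DeploymentConfig ends up granting.

from typing import Any, Dict, List

# Constructed sample: the pod template part of a DeploymentConfig, written as a
# Python dict instead of YAML so the example runs without extra libraries.
JENKINS_POD_TEMPLATE: Dict[str, Any] = {
    "spec": {
        "containers": [
            {
                "name": "jenkins",
                "image": "jenkins-image-placeholder",  # placeholder, not a real image ref
                "securityContext": {
                    "privileged": True,
                    "runAsUser": 0,  # Ben's alternative to "USER 0" in a rebuilt image
                },
                "volumeMounts": [
                    {"mountPath": "/var/lib/jenkins", "name": "jenkins-volume"},
                    {"mountPath": "/var/run/docker.sock", "name": "socket"},
                    {"mountPath": "/usr/bin/docker", "name": "bin"},
                    {"mountPath": "/cert/", "name": "cert"},
                ],
            }
        ],
        "securityContext": {},
        "volumes": [
            {"name": "jenkins-volume", "persistentVolumeClaim": {"claimName": "jenkins-claim"}},
            {"name": "socket", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "bin", "hostPath": {"path": "/usr/bin/docker"}},
            {"name": "cert", "hostPath": {"path": "/etc/origin/node/"}},
        ],
    }
}

# Host paths whose exposure is worth calling out explicitly (wording is ours).
SENSITIVE_HOST_PATHS = {
    "/var/run/docker.sock": "docker socket: root-equivalent control of the node's docker daemon",
    "/etc/origin/node/": "node config directory: holds the node's ca.crt and its own client credentials",
}


def audit_pod_template(template: Dict[str, Any]) -> List[str]:
    """Return one finding per node-level privilege the pod template grants."""
    findings: List[str] = []
    spec = template.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # Volumes are declared at the pod level; map volume name -> host path, if any.
    host_paths = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", [])
        if "hostPath" in v
    }

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (disables most container isolation)")
        # A container-level runAsUser overrides the pod-level one, so check both.
        run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as == 0:
            findings.append(f"{name}: runAsUser=0 (process runs as root inside the container)")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # PVC or other non-host volume, nothing to report
            why = SENSITIVE_HOST_PATHS.get(path, "hostPath mount of the node filesystem")
            findings.append(f"{name}: hostPath {path} -> {m['mountPath']} ({why})")
    return findings


if __name__ == "__main__":
    for line in audit_pod_template(JENKINS_POD_TEMPLATE):
        print(line)
```

Run against the sample template the audit reports five findings: the privileged flag, runAsUser 0, and the three hostPath mounts. Any one of the first three is enough to give whoever controls a Jenkins job control of the node, which is why the privileged SCC has to be extended to the jenkins service account at all; the audit is the kind of check to run on a template before that grant is made.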
From: [email protected]
Date: Thu, 10 Mar 2016 18:43:03 +0000
Subject: Re: Run Docker on Jenkins in OpenShift
To: [email protected]
CC: [email protected]; [email protected]; [email protected];
[email protected]
Right, the docker builder mounts:
- hostPath:
    path: /var/run/docker.sock
I guess you need to make the user that runs the jenkins pod privileged [1] in
order to create such a volume.
[1]
https://docs.openshift.org/latest/admin_guide/manage_scc.html#grant-access-to-the-privileged-scc
On Thu, Mar 10, 2016 at 5:57 PM, Ben Parees <[email protected]> wrote:
It needs access to the docker socket, I'm assuming something related to being
unprivileged is blocking it, just like our docker builder pods run as
privileged so they can use the docker socket, no?
On Thu, Mar 10, 2016 at 12:11 PM, Clayton Coleman <[email protected]> wrote:
Why would jenkins need access to host path?
On Thu, Mar 10, 2016 at 12:01 PM, Ben Parees <[email protected]> wrote:
> Sounds like the jenkins pod on openshift needs to be run as privileged and
> currently isn't.
>
>
> On Thu, Mar 10, 2016 at 11:55 AM, Clayton Coleman <[email protected]>
> wrote:
>>
>> Gabe, Michal, any ideas?
>>
>> On Tue, Mar 8, 2016 at 10:03 AM, Lorenz Vanthillo
>> <[email protected]> wrote:
>> > I already edited scc privileged because otherwise I had this error:
>> >
>> > Error creating: pods "jenkins-5-" is forbidden: unable to validate
>> > against
>> > any security context constraint:
>> > [spec.containers[0].securityContext.volumes[1]: Invalid value:
>> > "hostPath":
>> > HostPath volumes are not allowed to be used spec.containers[0].security
>> >
>> > So I added the jenkins:deploy + default service account but I still have
>> > the
>> > error
>> >
>> > ________________________________
>> > From: [email protected]
>> > To: [email protected]
>> > Subject: Run Docker on Jenkins in OpenShift
>> > Date: Tue, 8 Mar 2016 16:52:34 +0100
>> >
>> > I've mounted the sockets to my Jenkins container. I've also edited the
>> > docker
>> > image of openshift/jenkins so I'm able to be root. Because otherwise I'm
>> > not
>> > able to use Docker.
>> >
>> > But I still have a problem:
>> > docker -h (works)
>> > docker ps (doesn't work):
>> >
>> > + docker ps
>> > Get http:///var/run/docker.sock/v1.20/containers/json: dial unix
>> > /var/run/docker.sock: permission denied.
>> > * Are you trying to connect to a TLS-enabled daemon without TLS?
>> > * Is your docker daemon up and running?
>> > Build step 'Execute shell' marked build as failure
>> >
>> >
>> > When I just run the image on docker (without openshift) it works to
>> > perform
>> > docker ps.
>> > I use --privileged=true -t -i. When I try to run the container without
>> > privileged it's not possible to perform the 'docker ps'. So the same
>> > issue
>> > as in my OpenShift. How and which service account do I have to change to
>> > let
>> > it work?
>> >
>> > _______________________________________________
>> > users mailing list
>> > [email protected]
>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> --
> Ben Parees | OpenShift