https://github.com/kubernetes/kubernetes/blob/master/pkg/api/types.go#L937
https://github.com/kubernetes/kubernetes/blob/master/pkg/api/types.go#L2490
https://github.com/kubernetes/kubernetes/blob/master/pkg/api/types.go#L1223
https://github.com/kubernetes/kubernetes/blob/master/pkg/api/types.go#L1255

just put the new field as a peer to your "privileged" field in your resource definition yaml.

On Thu, Mar 10, 2016 at 5:23 PM, Lorenz Vanthillo <[email protected]> wrote:

> One last question. What did you mean with pod-template: I was searching in
> the template but I don't see pod specifications. Only container.
> How did I have to change it?
>
> spec:
>   containers:
>   - capabilities: {}
>     env:
>     - name: JENKINS_PASSWORD
>       value: ${JENKINS_PASSWORD}
>     image: ${JENKINS_IMAGE}
>     imagePullPolicy: IfNotPresent
>     name: jenkins
>     resources: {}
>     securityContext:
>       capabilities: {}
>       privileged: false
>     terminationMessagePath: /dev/termination-log
>
> https://github.com/openshift/jenkins/blob/master/1/Dockerfile
> I don't see something as RunAsAny user in the template. It will run as
> user 1001 as the dockerfile defined, isn't it?
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: RE: Run Docker on Jenkins in OpenShift
> Date: Thu, 10 Mar 2016 23:08:51 +0100
>
> Okay thanks, hoped there was a more efficient way.
>
> ------------------------------
> From: [email protected]
> Date: Thu, 10 Mar 2016 17:06:48 -0500
> Subject: Re: Run Docker on Jenkins in OpenShift
> To: [email protected]
> CC: [email protected]; [email protected]; [email protected]
>
> instead of building a new jenkins image to change the user, you should be
> able to just set the RunAsUser to "0" in the pod template (either PodSpec
> SecurityContext or Container SecurityContext), in the same place you set
> Privileged to true.
>
> On Thu, Mar 10, 2016 at 5:02 PM, Lorenz Vanthillo <[email protected]> wrote:
>
> It's working now but I had to perform some steps.
> I tried it first with the template but didn't succeed because the image of
> the template is using uid 101 which hasn't root access. You need to have
> root access to use Docker or create a docker group.
> So I had to change the image:
>
> Dockerfile:
>
> FROM docker.io/openshift/jenkins-1-centos7
> USER 0
>
> Copied the content of the template in a .yaml and edited the image.
> I had to delete the 'trigger' part and I had to set privileged: true in
> the template.
>
> Here are the mounts + I also mounted the /etc/origin/node/ca.crt to
> authenticate with Jenkins on my OpenShift (I push images to my OpenShift
> registry)
>
>           privileged: true
>         terminationMessagePath: /dev/termination-log
>         volumeMounts:
>         - mountPath: /var/lib/jenkins
>           name: jenkins-volume
>         - mountPath: /var/run/docker.sock
>           name: socket
>         - mountPath: /usr/bin/docker
>           name: bin
>         - mountPath: /cert/
>           name: cert
>       dnsPolicy: ClusterFirst
>       restartPolicy: Always
>       securityContext: {}
>       terminationGracePeriodSeconds: 30
>       volumes:
>       - name: jenkins-volume
>         persistentVolumeClaim:
>           claimName: jenkins-claim
>       - hostPath:
>           path: /var/run/docker.sock
>         name: socket
>       - hostPath:
>           path: /usr/bin/docker
>         name: bin
>       - hostPath:
>           path: /etc/origin/node/
>         name: cert
>   test: false
>   triggers:
>   - type: ConfigChange
> status:
>   details:
>     causes:
>     - type: ConfigChange
>   latestVersion: 11
>
> last step is to edit the scc privileged:
>
> $ oc edit scc privileged:
>
> users:
> - system:serviceaccount:openshift-infra:build-controller
> - system:serviceaccount:management-infra:management-admin
> - system:serviceaccount:default:router
> - system:serviceaccount:default:registry
> - system:serviceaccount:jenkins:default
>
> Now my jenkins is persistent and I'm able to build docker images and push
> it into my own openshift registry.
> Thanks
>
> ------------------------------
> From: [email protected]
> Date: Thu, 10 Mar 2016 18:43:03 +0000
> Subject: Re: Run Docker on Jenkins in OpenShift
> To: [email protected]
> CC: [email protected]; [email protected]; [email protected]; [email protected]
>
> Right, the docker builder mounts:
>
> - hostPath:
>     path: /var/run/docker.sock
>
> I guess you need to make the user that runs the jenkins pod privileged [1]
> in order to create such volume.
>
> [1] https://docs.openshift.org/latest/admin_guide/manage_scc.html#grant-access-to-the-privileged-scc
>
> On Thu, Mar 10, 2016 at 5:57 PM, Ben Parees <[email protected]> wrote:
>
> it needs access to the docker socket, i'm assuming something related to
> being unprivileged is blocking it, just like our docker builder pods run as
> privileged so they can use the docker socket, no?
>
> On Thu, Mar 10, 2016 at 12:11 PM, Clayton Coleman <[email protected]> wrote:
>
> Why would jenkins need access to host path?
>
> On Thu, Mar 10, 2016 at 12:01 PM, Ben Parees <[email protected]> wrote:
> > Sounds like the jenkins pod on openshift needs to be run as privileged and
> > currently isn't.
> >
> > On Thu, Mar 10, 2016 at 11:55 AM, Clayton Coleman <[email protected]> wrote:
> >>
> >> Gabe, Michal, any ideas?
> >>
> >> On Tue, Mar 8, 2016 at 10:03 AM, Lorenz Vanthillo <[email protected]> wrote:
> >> > I already edited scc privileged because otherwise I had this error:
> >> >
> >> > Error creating: pods "jenkins-5-" is forbidden: unable to validate against
> >> > any security context constraint:
> >> > [spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
> >> > HostPath volumes are not allowed to be used spec.containers[0].security
> >> >
> >> > So I added the jenkins:deploy + default service account but I've still
> >> > the error
> >> >
> >> > ________________________________
> >> > From: [email protected]
> >> > To: [email protected]
> >> > Subject: Run Docker on Jenkins in OpenShift
> >> > Date: Tue, 8 Mar 2016 16:52:34 +0100
> >> >
> >> > I've mounted the sockets to my Jenkins container. I've also edited the
> >> > docker image of openshift/jenkins so I'm able to be root. Because
> >> > otherwise I'm not able to use Docker.
> >> >
> >> > But I still have a problem:
> >> > docker -h (works)
> >> > docker ps (doesn't work):
> >> >
> >> > + docker ps
> >> > Get http:///var/run/docker.sock/v1.20/containers/json: dial unix
> >> > /var/run/docker.sock: permission denied.
> >> > * Are you trying to connect to a TLS-enabled daemon without TLS?
> >> > * Is your docker daemon up and running?
> >> > Build step 'Execute shell' marked build as failure
> >> >
> >> > When I just run the image on docker (without openshift) it works to
> >> > perform docker ps.
> >> > I use --privileged=true -t -i. When I try to run the container without
> >> > privileged it's not possible to perform the 'docker ps'. So the same
> >> > issue as in my OpenShift. How and which service account do I have to
> >> > change to let it work?
> >> >
> >> > _______________________________________________
> >> > users mailing list
> >> > [email protected]
> >> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users

--
Ben Parees | OpenShift
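
An added example, not part of the original thread: a small Python audit that reports the settings discussed above (privileged, a runAsUser of 0 at either the pod or the container level, and hostPath volumes such as the Docker socket) in a pod template before its service account is granted the privileged SCC. The template is constructed from the fields quoted in the thread; the function names and the image name are hypothetical.

```python
import json

# Constructed pod template (JSON form of the YAML quoted in the thread;
# the image name is a placeholder).
POD_TEMPLATE = json.loads("""
{"spec": {
  "securityContext": {},
  "containers": [{
    "name": "jenkins", "image": "example/jenkins",
    "securityContext": {"privileged": true, "runAsUser": 0},
    "volumeMounts": [
      {"name": "jenkins-volume", "mountPath": "/var/lib/jenkins"},
      {"name": "socket", "mountPath": "/var/run/docker.sock"}]}],
  "volumes": [
    {"name": "jenkins-volume", "persistentVolumeClaim": {"claimName": "jenkins-claim"}},
    {"name": "socket", "hostPath": {"path": "/var/run/docker.sock"}}]}}
""")


def effective_run_as_user(pod_spec, container):
    """Container-level runAsUser overrides the pod-level value when both are set."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))


def audit_pod_template(template):
    """Return (location, reason) findings for privileged, UID 0 and hostPath settings."""
    spec = template["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = [(f"volumes[{n}]", f"hostPath {p}") for n, p in host_paths.items()]
    for ctr in spec.get("containers", []):
        where = f"containers[{ctr['name']}]"
        if (ctr.get("securityContext") or {}).get("privileged"):
            findings.append((where, "privileged: true"))
        if effective_run_as_user(spec, ctr) == 0:
            findings.append((where, "runs as UID 0"))
        for m in ctr.get("volumeMounts", []):
            if host_paths.get(m["name"], "").endswith("docker.sock"):
                findings.append((where, f"mounts host Docker socket at {m['mountPath']}"))
    return findings


if __name__ == "__main__":
    for location, reason in audit_pod_template(POD_TEMPLATE):
        print(f"{location}: {reason}")
```

An unset runAsUser is not flagged, so an image built with `USER 0`, as in the Dockerfile quoted in the thread, has to be checked separately.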
