Thanks Clayton. That’s worked.
I’m not sure whether I also need to do an "oc adm policy add-scc-to-user anyuid
-z ${SERVICE_ACCOUNT}" (which I have done) but I am now able to build Docker
container images in a Jenkins pipeline using a buildah slave-agent! That’s neat.
The Dockerfile/image source that builds the Jenkins slave-agent and the (rather
fat) resultant agent image are public...
https://github.com/alanbchristie/openshift-jenkins-buildah-slave
https://hub.docker.com/r/alanbchristie/jenkins-slave-buildah-centos7/
> On 17 Apr 2018, at 00:39, Clayton Coleman <[email protected]> wrote:
>
> Like any other user, to run privileged an administrator must grant access to
> the Jenkins service account to launch privileged pods. That’s done by
> granting the service account the slave pod runs as the privileged SCC:
>
> oc adm policy add-scc-to-user -z SERVICE_ACCT privileged
>
> On Apr 16, 2018, at 2:46 PM, Alan Christie <[email protected]> wrote:
>
>> I’m trying to get around building Docker containers in a Jenkins slave-agent
>> (because the Docker socket is not available). Along comes `buildah` claiming
>> to be a lightweight OCI builder so I’ve built a `buildah` Jenkins slave
>> agent based on the `openshift/jenkins-slave-maven-centos7` image
>> (https://github.com/alanbchristie/openshift-jenkins-buildah-slave.git).
>>
>> Nice.
>>
>> Sadly…
>>
>> …the agent appears useless because buildah needs to be run as root!!!
>>
>> So I walk from one problem into another.
>>
>> The wonderfully named option in Jenkins -> Manage Jenkins -> Configure
>> System -> Kubernetes Pod Template -> "Run in privileged mode" was so
>> appealing I just had to click it!
>>
>> But … sigh ... I still can’t run as root, instead I get the **Privileged
>> containers are not allowed provider restricted** error.
>>
>> This has probably been asked before but...
>> Is there anything that can be done to run slave-agents as root? (I don't
>> want a BuildConfig, I want to run my existing complex pipelines which also
>> build docker images in a Jenkins agent)
>> If not, is someone thinking about supporting this?
>> Alan Christie
>>
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
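
A defender-side check for the SCC grants discussed in this thread, as an added example that is not part of the original messages: it reads `oc get scc -o json` output and lists the service accounts that may use an SCC permitting privileged containers or any UID. The sample data and the `ci` and `sandbox` namespaces are constructed, and it assumes OpenShift 3.x, where these grants are recorded in each SCC's `users` and `groups` fields.

```python
import json

# Constructed sample, shaped like `oc get scc -o json` on OpenShift 3.x, where
# `oc adm policy add-scc-to-user -z SA <scc>` appends the account to `users`
# (assumption: newer releases may record the grant as an RBAC binding instead).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "privileged"}, "allowPrivilegedContainer": true,
  "runAsUser": {"type": "RunAsAny"},
  "users": ["system:admin", "system:serviceaccount:ci:jenkins"],
  "groups": ["system:cluster-admins", "system:nodes"]},
 {"metadata": {"name": "anyuid"}, "allowPrivilegedContainer": false,
  "runAsUser": {"type": "RunAsAny"},
  "users": ["system:serviceaccount:ci:jenkins"],
  "groups": ["system:cluster-admins", "system:serviceaccounts:sandbox"]},
 {"metadata": {"name": "restricted"}, "allowPrivilegedContainer": false,
  "runAsUser": {"type": "MustRunAsRange"},
  "users": null, "groups": ["system:authenticated"]}
]}
""")

SA_USER = "system:serviceaccount:"   # one account: system:serviceaccount:<ns>:<name>
SA_GROUP = "system:serviceaccounts"  # all accounts, or all accounts in :<ns>


def scc_risks(scc):
    """Name what an SCC permits beyond the default `restricted` behaviour."""
    risks = []
    if scc.get("allowPrivilegedContainer"):
        risks.append("privileged-container")
    if scc.get("runAsUser", {}).get("type") == "RunAsAny":
        risks.append("run-as-any-uid")  # includes UID 0 (root)
    return risks


def audit(scc_list):
    """Return sorted (subject, scc, risks) for service accounts on a risky SCC."""
    findings = []
    for scc in scc_list.get("items", []):
        risks = scc_risks(scc)
        if not risks:
            continue
        name = scc["metadata"]["name"]
        subjects = [u for u in scc.get("users") or [] if u.startswith(SA_USER)]
        subjects += [g for g in scc.get("groups") or []
                     if g == SA_GROUP or g.startswith(SA_GROUP + ":")]
        findings += [(s, name, risks) for s in subjects]
    return sorted(findings)


if __name__ == "__main__":
    for subject, name, risks in audit(SAMPLE):
        print(f"{subject} may use SCC '{name}': {', '.join(risks)}")
```

Run against a live cluster by replacing `SAMPLE` with the parsed output of `oc get scc -o json`; human users and built-in groups such as `system:cluster-admins` are deliberately left out of the report.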