Privileged allows everything that anyuid allows

On Apr 17, 2018, at 11:20 AM, Alan Christie <[email protected]> wrote:

Thanks Clayton. That’s worked.

I’m not sure whether I also need to do an "oc adm policy add-scc-to-user
anyuid -z ${SERVICE_ACCOUNT}" (which I have done) but I am now able to
build Docker container images in a Jenkins pipeline using a buildah
slave-agent! That’s neat.
The Dockerfile/image source that builds the Jenkins slave-agent and the
(rather fat) resultant agent image are public...
https://github.com/alanbchristie/openshift-jenkins-buildah-slave
https://hub.docker.com/r/alanbchristie/jenkins-slave-buildah-centos7/

On 17 Apr 2018, at 00:39, Clayton Coleman <[email protected]> wrote:

Like any other user, to run privileged an administrator must grant access
to the Jenkins service account to launch privileged pods. That’s done by
granting the service account the slave pod runs as the privileged SCC:

    oc adm policy add-scc-to-user -z SERVICE_ACCT privileged

On Apr 16, 2018, at 2:46 PM, Alan Christie <[email protected]> wrote:

I’m trying to get around building Docker containers in a Jenkins
slave-agent (because the Docker socket is not available). Along comes
`buildah` claiming to be a lightweight OCI builder so I’ve built a
`buildah` Jenkins slave agent based on the
`openshift/jenkins-slave-maven-centos7` image
(https://github.com/alanbchristie/openshift-jenkins-buildah-slave.git).
Nice.
Sadly…
…the agent appears useless because buildah needs to be run as root!!!
So I walk from one problem into another.
The wonderfully named option in Jenkins -> Manage Jenkins -> Configure
System -> Kubernetes Pod Template -> "Run in privileged mode" was so
appealing I just had to click it!
But … sigh ... I still can’t run as root, instead I get the **Privileged
containers are not allowed provider restricted** error.
This has probably been asked before but...
1. Is there anything that can be done to run slave-agents as root? (I
don't want a BuildConfig, I want to run my existing complex pipelines which
also build docker images in a Jenkins agent)
2. If not, is someone thinking about supporting this?
Alan Christie
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users