
What are the correct permission settings when running Docker in a Jenkins Pipeline?

Submitted by: @import:stackexchange-devops

Problem

I'm trying to get a new Jenkins pipeline together to test new pull requests to our code. I'm using Docker with the ubuntu:14.04 image to simulate our production environment.

Here is a minimum working example:

// Jenkinsfile
stage('Checkout and provision') {
    docker.image('ubuntu:14.04').withRun('-u root') {
        checkout scm
        sh 'chmod -R 770 ./'
        sh './init-script.sh'
    }
}


and

# init-script.sh
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update -y
sudo apt-get dist-upgrade -y
sudo apt-get install \
    apache2 \
    php \
    php-mysql \
    php-xml \
    libapache2-mod-auth-mysql \
    libapache2-mod-php \
    php5-curl \
    zip \
    htop \
    supervisor \
    mailutils \
    git \
    build-essential -y
sudo apt-get autoremove -y


And the /etc/sudoers file for the container is as follows:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults:jenkins !requiretty

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

jenkins ALL=(ALL:ALL) NOPASSWD:ALL


The problem I'm having is that Docker is not running as root as I'm used to and is instead retaining the user id of the jenkins user from the host machine. This makes it difficult to sudo.

I've tried adding the jenkins user to the container's /etc/passwd file and running chmod against that file but don't even have the permissions to d

Solution

So after a debug session in chat, what is needed is to allow the user running Jenkins to run sudo docker without a password on the Docker host.

A typical sudoers file on Ubuntu could be in /etc/sudoers.d/jenkins:

jenkins_user ALL=(ALL) NOPASSWD:ALL


Be warned: this allows jenkins_user to run any command as root without a password. A better file should be:

jenkins_user ALL=(ALL) NOPASSWD:/full/path/to/docker
jenkins_user ALL=(ALL) NOPASSWD:<other needed command to be run as root>


This will allow starting the container as root, and as such it gives all rights within the container itself by running as uid 0.

Useful resources used aside:

  • Jenkins docker plugin readme
  • How to setup passwordless sudo on Linux?

Code Snippets

jenkins_user ALL=(ALL) NOPASSWD:ALL
jenkins_user ALL=(ALL) NOPASSWD:/full/path/to/docker
jenkins_user ALL=(ALL) NOPASSWD:<other needed command to be run as root>

Context

StackExchange DevOps Q#764, answer score: 12
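
A small lint for the sudoers variants discussed in the answer, added here as an example and not part of the original post: it flags NOPASSWD:ALL, an empty command list, a command without a full path, and any passwordless docker rule, which is still root-equivalent on the host. The function names lint_sudoers and sample_sudoers, the finding codes and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint NOPASSWD rules in a sudoers drop-in.
# Output: one "LINE CODE USER [COMMAND]" record per finding.

lint_sudoers() {
    # Reads the file named in $1, or stdin when no file is given.
    awk '
    /^[ \t]*#/        { next }   # comments and #includedir
    /^[ \t]*$/        { next }   # blank lines
    /^[ \t]*Defaults/ { next }   # option lines grant nothing
    !/NOPASSWD:/      { next }   # password-protected rules are out of scope
    {
        who  = $1
        cmds = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmds)      # keep the command list only
        sub(/[ \t]+$/, "", cmds)
        if (cmds == "") { print NR, "EMPTY", who; next }
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(c[i], w, /[ \t]+/)             # w[1] = command, rest = args
            if (w[1] == "ALL")
                print NR, "ALL", who             # unrestricted passwordless root
            else if (w[1] !~ /^\//)
                print NR, "RELATIVE", who, w[1]  # sudoers needs a full path
            else if (w[1] ~ /\/docker$/)
                print NR, "DOCKER", who, w[1]    # root-equivalent: review holder
        }
    }' "${1:--}"
}

# Constructed sample input, modelled on the rules discussed above.
sample_sudoers() {
    cat <<'EOF'
Defaults:jenkins !requiretty
jenkins_user ALL=(ALL) NOPASSWD:ALL
jenkins_user ALL=(ALL) NOPASSWD:/full/path/to/docker
jenkins_user ALL=(ALL) NOPASSWD:
jenkins_user ALL=(ALL) NOPASSWD: docker
EOF
}

sample_sudoers | lint_sudoers
```

Check the real file with `visudo -cf /etc/sudoers.d/jenkins` as well; this lint only covers the patterns shown on this page.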
