Jenkins: Permission issue using Docker as build environment

Solution 1

I had the same issue with node. The thing is files in the container are owned by "root:root". Try adding docker args -u root:root:

docker { 
    image 'node:8'
    args '-u root:root'
}

Solution 2

I just had a similar issue today, although with another image.

docker {
 image 'node:8'
 args '--tmpfs /.config'
}

Reference: https://docs.docker.com/storage/tmpfs/

This way you shouldn't be worried about any security leaks or about files which are still present inside Jenkins after the container is destroyed.

Solution 3

buildEnv.inside("-u 0") {} resolved my problem. But then the workspace will contain directories and files owned by root, which cannot be deleted by the user Jenkins at the next run when cleaning the workspace, so I have added sh "sudo chown jenkins: -R \$PWD/" at the beginning of the pipeline.
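
An added example, not part of the original thread or of any poster's code: the question's stage kept unprivileged, using Solution 2's tmpfs mount, with the root setting from Solutions 1 and 3 shown as a comment for contrast. The HOME override is an assumption about tools that derive their config and cache paths from $HOME; the image tag and the placeholder path are the ones used in the thread.

```groovy
// Added example: least-privilege variant of the question's Jenkinsfile.
// Assumes the Docker Pipeline behaviour visible in the question's log, where
// Jenkins starts the container with -u <jenkins uid>:<jenkins gid>.
pipeline {
    agent any
    stages {
        stage('install node modules...') {
            agent {
                docker {
                    image 'node:8'
                    // Weak setting (Solutions 1 and 3), for contrast only:
                    //   args '-u root:root'
                    // It leaves root-owned files in the bind-mounted workspace
                    // that the Jenkins user cannot clean up afterwards.
                    //
                    // Instead keep the default -u and give that uid a writable,
                    // throwaway /.config. Docker mounts --tmpfs with mode 1777
                    // by default, and the contents vanish with the container.
                    args '--tmpfs /.config'
                }
            }
            environment {
                // Assumption: the build tool resolves its config/cache from
                // $HOME. The workspace is owned by the Jenkins uid, so point
                // HOME there rather than at "/" (the fallback seen in the log
                // when the uid has no passwd entry in the image).
                HOME = "${env.WORKSPACE}"
            }
            steps {
                // Sanity check: should print the Jenkins uid and gid, never 0.
                sh 'id -u; id -g'
                sh 'cd /path/to/package.json; yarn install'
            }
        }
    }
}
```

With HOME pointing at the workspace, yarn's config and cache end up under the workspace and are owned by the Jenkins uid, so no chown or chmod cleanup step is needed.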

Michael
Author by

Michael

newbie in web programming

Updated on September 18, 2022

Comments

  • Michael over 1 year

    I installed Jenkins on an Ubuntu 16.04 machine. The Jenkins itself is not run in a container. What I want to do is simply call yarn install using a node image. So here is my Jenkinsfile:

    pipeline {
        agent any
        stages {
            stage('install node modules...') {
                agent { docker 'node' }
                steps {
                    sh 'cd /path/to/package.json; yarn install'
                }
            }
        }
    }
    

    Pretty straightforward, right?

    jenkins user/group is 112:116, and the uid of the node container is 1000, hence yarn process (which is run as node user 1000) can't do its things, like mkdir /.config.

    I tried to spin up the node container passing in argument -u 1000, it bumped into permission issues when trying to create durable directories.

    It looks like one or the other kind of issue, how can I work around that?

    Jenkins logs:

    Below is where the build starts and fails.

    [Pipeline] sh
    [Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2] Running shell script
    + docker inspect -f . node
    .
    [Pipeline] withDockerContainer
    Jenkins does not seem to be running inside a container
    $ docker run -t -d -u 112:116 -w /var/lib/jenkins/workspace/Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2 -v /var/lib/jenkins/workspace/Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2:/var/lib/jenkins/workspace/Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2:rw,z -v /var/lib/jenkins/workspace/Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2@tmp:/var/lib/jenkins/workspace/Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** --entrypoint cat node
    [Pipeline] {
    [Pipeline] sh
    [Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2] Running shell script
    + cd /path/to/package.json
    + yarn install
    yarn install v0.24.6
    error An unexpected error occurred: "EACCES: permission denied, mkdir '/.config'".
    info If you think this is a bug, please open a bug report with the information provided in "/var/lib/jenkins/workspace/Pipeline_Test_Jenkins_test-4JTFYMX7KSJY6ZH44VINNGEB7WH2D2HWYZN5ABF6O32O2HBQJYXQ@2/<path>/yarn-error.log".
    info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
    [Pipeline] }
    $ docker stop --time=1 c1147934ea689f71a449e486282db03338b12182368def31bdf8e8cf179ab46a
    $ docker rm -f c1147934ea689f71a449e486282db03338b12182368def31bdf8e8cf179ab46a
    [Pipeline] // withDockerContainer
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    ERROR: script returned exit code 1
    Finished: FAILURE
    
    • Admin over 6 years
      Please add the logs
    • Admin over 6 years
      Attached the logs. I also tried to run Jenkins using its official docker image, which works fine, because the jenkins user in that docker image is 1000, which is the same uid as the node user in node image.
    • Admin over 6 years
      Is selinux enabled and enforcing?
    • Admin over 6 years
      @JamesShewey Not sure. I simply spun up an Ubuntu AMI EC2 instance.
    • Admin over 6 years
      I believe they disable it, but check with "sestatus." If it is on, try turning it off.
    • Admin over 6 years
      @JamesShewey I had to run apt install policycoreutils, and yeah, checking sestatus returns disabled. The problem persists.
  • Olivier Boudry about 5 years
    I used a similar approach, but ran 'sh "chmod -R a+w \$PWD"' at the end, as a "Cleanup" step of the pipeline instead of chown at the start. Jenkins user was not defined in my container, and sudo was not available. I could have deleted the files too, but thought it might be better to keep them for investigation if something goes wrong.
  • CodeSamurai777 almost 5 years
    Solution worked for me as well. Why isn't this in the Jenkins documentation? (my issue was with a simple pip install command resulting in Could not install packages due to an EnvironmentError: [Errno 13] Permission denied; mentioning it here to help people searching for that. Even using virtualenv or pip install --user didn't fix the issue for me)
  • user7610 almost 4 years
    About pip install --user. You probably don't have permissions to the workspace directory as -u 112:116. You probably don't have permissions anywhere. The user with id 112 and group with id 116 probably don't even exist in the image.