Charts: [stable/jenkins] Run Jenkins as non root user

Created on 11 Jul 2019  ·  3 Comments  ·  Source: helm/charts

I am bad at English. I hope you can understand it.

I applied config.jenkins-value.yaml for the persistent volume and (runAsUser, fsGroup).

I just set master.runAsUser and master.fsGroup to 1000, and appended the persistence config, too.

config.jenkins-value.yaml

namespaceOverride: jenkins

master:
  runAsUser: 1000
  fsGroup: 1000

persistence:
  enabled: True
  existingClaim: "task-pv-claim"
  storageClass: "gp2"
  annotations: {}
  accessMode: "ReadWriteOnce"
  size: "5Gi"
  subPath: "jenkins-home"

Then I ran it with the helm command:

helm install --name jenkins -f config.jenkins-value.yaml stable/jenkins

The pod said

touch: cannot touch '/var/jenkins_home/copy_reference_file.log': Permission denied
Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?

Help me. Please.

Describe the bug
A clear and concise description of what the bug is.

Version of Helm and Kubernetes:
helm: 2.14
k8s_client: v1.15.0
k8s_server: v1.11.9

Which chart:
stable/jenkins

What happened:
run jenkins as jenkins user

What you expected to happen:
run properly

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:

All 3 comments

touch: cannot touch '/var/jenkins_home/copy_reference_file.log': Permission denied
Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?

Looks like a permission problem. You could check the permissions of that file by executing ls -al /var/jenkins_home/copy_reference_file.log within your container.

If you started Jenkins before with a different user, then that user is probably still the owner of that file.

Yes, it's the jenkins_home dir's permission problem.

[Solved]
I just thought that all I had to do to change the permission was touch only the initContainer (image, volumeMounts, command using chown, chmod ..).

But when you set runAsUser and fsGroup to the 1000 (jenkins) user, all initContainers should run as the jenkins user. So it couldn't touch the jenkins_home dir's permission.

Anyway, if somebody wants to use it as a non-root user with a persistent volume mount, you have to customize the initContainer to run as the root user.

In my case, I just applied my-value.yaml like this.

...
master:
  customInitContainers:
    - name: "volume-mount-permission"
      image: "busybox"
      command: ["/bin/chown", "-R", "1000", "/var/jenkins_home"]
      volumeMounts:
        - name: "jenkins-home"
          mountPath: "/var/jenkins_home"
      securityContext:
        runAsUser: 0
...
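
The inheritance described in the comment above, as an added example that is not code from the thread or the chart: it resolves the effective runAsUser of each container in a pod spec and flags a chown init container that would run as non-root. The function names, the `jenkins` container name and the sample spec are assumptions constructed for illustration.

```python
# Added example, not from the chart. Kubernetes resolves runAsUser per container:
# a container-level securityContext.runAsUser wins, otherwise the pod-level value
# applies, and init containers follow the same rule as regular containers.

def make_pod_spec(init_run_as_user=None):
    """Constructed pod spec (the .spec of `kubectl get pod -o json`), modelled on the thread."""
    init = {
        "name": "volume-mount-permission",
        "command": ["/bin/chown", "-R", "1000", "/var/jenkins_home"],
    }
    if init_run_as_user is not None:
        init["securityContext"] = {"runAsUser": init_run_as_user}
    return {
        "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
        "initContainers": [init],
        "containers": [{"name": "jenkins"}],  # container name is an assumption
    }


def effective_uids(spec):
    """Return {(kind, name): uid}; uid is None when no level sets runAsUser."""
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    out = {}
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            uid = (c.get("securityContext") or {}).get("runAsUser")
            out[(kind, c["name"])] = pod_uid if uid is None else uid
    return out


def audit(spec):
    """Flag chown steps that run as non-root and main containers left as root."""
    uids = effective_uids(spec)
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            uid = uids[(kind, c["name"])]
            cmd = (c.get("command") or [""])[0]
            if cmd.endswith("chown") and uid not in (0, None):
                findings.append(f"{c['name']}: chown runs as UID {uid}, cannot re-own files of another UID")
            if kind == "containers" and uid in (0, None):
                findings.append(f"{c['name']}: main container is root or has no runAsUser")
    return findings


if __name__ == "__main__":
    for label, spec in (("before", make_pod_spec()), ("after", make_pod_spec(0))):
        print(label, effective_uids(spec), audit(spec))
```
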

@torstenwalter I want to marry you. Thanks!
