Hey guys,
Been trying to fix this on my own for nearly 6 hours now and none of the workarounds seem to be working for me I've tried. A bit of background:
centos) as uid 1000. Not sure if this is the problem? http://stackoverflow.com/a/34709344/724251ext4 volume to /var/jenkinsuseradd -u 1001 -d /var/jenkins jenkins. Suggested by https://github.com/jenkinsci/docker/issues/177#issuecomment-163681464chown -R jenkins:jenkins /var/jenkinschmod 755 /var/jenkinsdocker run -p 8080:8080 -p 50000:50000 -v /var/jenkins:/var/jenkins_home -u 1001 -t jenkins:2.6.When I do docker run I'm getting:
[root@jenkins var]# df -h
Filesystem Size Used Avail Use% Mounted on
...
/dev/xvdb 50G 53M 47G 1% /var/jenkins
[root@jenkins var]# ls -l /var/
total 12
...
drwxr-xr-x. 2 jenkins jenkins 4096 May 28 01:41 jenkins
...
[root@jenkins var]# cat /etc/passwd
...
jenkins:x:1001:1001::/var/jenkins:/bin/bash
[root@jenkins var]# docker run -p 8080:8080 -p 50000:50000 -v /var/jenkins:/var/jenkins_home -u 1001 -t jenkins:2.6
/usr/local/bin/jenkins.sh: line 25: /var/jenkins_home/copy_reference_file.log: Permission denied
I've tried fixes I've found on previous stackoverflow/gh issues to no avail:
USER root
RUN chown -R jenkins:jenkins /var/jenkins_home
USER jenkins
Suggested by https://github.com/jenkinsci/docker/pull/225#issuecomment-203986508
chmod -R 777 /var/jenkins on the host. This is the weirdest one, have no clue why this isn't working after that! Suggested by https://github.com/jenkinsci/docker/issues/177#issuecomment-171345387/var/jenkins2 (not externally mounted disk) either.What I thought was going to be a super simple project has taken all day :/ Anyone know what I'm doing wrong?
Cheers, Alex
Try
docker run -v /var/jenkins:/var/jenkins_home -u 1001 -ti --entrypoint ls jenkins -alF /var/jenkins_home
docker run -v /var/jenkins:/var/jenkins_home -u 1001 -ti --entrypoint touch jenkins /var/jenkins_home/test
Hey Carlos,
No lucj, here's what I get:
[root@jenkins var]# docker run -v /var/jenkins:/var/jenkins_home -u 1001 -ti --entrypoint ls jenkins:2.6 -alF /var/jenkins_home
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
ls: cannot open directory /var/jenkins_home: Permission denied
[root@jenkins var]# docker run -v /var/jenkins:/var/jenkins_home -u 1001 -ti --entrypoint touch jenkins:2.6 /var/jenkins_home/test
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
touch: cannot touch ‘/var/jenkins_home/test’: Permission denied
Also tried:
[root@jenkins var]# docker run -v /var/jenkins:/var/jenkins_home -u 1001 -ti --entrypoint chown jenkins:2.6 -R jenkins:jenkins /var/jenkins_home
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
chown: cannot read directory ‘/var/jenkins_home’: Permission denied
[root@jenkins var]# docker run -v /var/jenkins:/var/jenkins_home -u 1001 -ti --entrypoint ls jenkins:2.6 -l /var/
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
total 12
...
drwxr-xr-x. 2 1001 1001 4096 May 28 01:41 jenkins_home
...
I'm running into a very similar issue. Jenkins runs as UID 1000 in the container, but UID 1000 is almost always already occupied by another user on the host.
In my opinion, the jenkins user in the container should be created with a non-conflicting UID (like 10000 or something?) so we don't run into issues where we have to map whatever user was lucky enough to land UID 1000 on the host to the container volumes or kludge permissions with a chmod 777
@bbriggs your case is solved by passing -u 10000 to docker run
@alexlatchford your issue must be selinux, you can mount any dir into the container, check http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
That worked, but it just raised another issue. When using the SSH agent/Git repo provider, I got a notice that uid 10000 does not exist, so I ended up having to create a dummy account _inside_ the container with that UID anyways.
If not for that secondary problem, I'd say that the -u ${OTHER_UID} thing is a decent solution. Given that it caused more problems, can we please revist the idea of renumbering the jenkins user?
On Tue, Jun 07, 2016 at 11:42:27AM -0700, Carlos Sanchez wrote:
@bbriggs your case is solved by passing
-u 10000todocker run
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
https://github.com/jenkinsci/docker/issues/277#issuecomment-224375408
I had the same problem when sharing directly an host directory so I switched to the following :
# Create new volume container, inheriting from jenkins container
docker create -v /var/jenkins_home --name jenkins-data jenkinsci/jenkins
# Starting jenkins container, using previously created volume container.
docker run -d --name jenkins --hostname jenkins -p 8080:8080 -p 50000:50000 --volumes-from jenkins-data jenkinsci/jenkins
And if I need access to the files , I just use docker inspect -f '{{ .Mounts }}' jenkins to see where the files are located.
@sazulo If you are doing backups on the volume container, how are you doing it?
I didn't need backup for now, but I just did a little research and found this article
I did some testing and the following seems to do the trick ( adapt as you see fit ) :
# This will create a backup.tar file in the current directory of the host.
# You might want to change $(pwd) to a specific directory
docker run --rm \
--volumes-from jenkins-data \
-v $(pwd):/backup \
-u root:root \
jenkinsci/jenkins \
tar cvf /backup/backup.tar /var/jenkins_home
# First create a new empty datastore that will receive the backup
docker run \
-v /var/jenkins_home \
--name jenkins-data-2 \
jenkinsci/jenkins \
/bin/bash
# Then mount the new datastore and the host's backup directory. Change
# $(pwd) to the same value as the backup command line if needed,
# and then just extract the backup tar .
docker run --rm \
--volumes-from jenkins-data-2 \
-v $(pwd):/backup \
-u root:root \
jenkinsci/jenkins \
bash -c "cd /var/jenkins_home && tar -xvf /backup/backup.tar"
After this you can just create a new jenkins container and mount jenkins-data-2 to /var/jenkins_home.
This will obviously copy everything in /var/jenkins_home, from configuration files to old builds and workspaces, and might take a lot of space. I suggest that you save only what you need
Thanks for that. For now, I just went with the solution I wrote out here: http://brenbriggs.com/2016/06/08/jenkins-on-docker-via-puppet.html
tl;dr:
-u ${predictable_uid} optionHere is the container I created for just such a thing (It may still be building, automated builds are taking a long time today):
@bbriggs, this just bit me in the butt, too:
When using the SSH agent/Git repo provider, I got a notice that
uid 10000 does not exist
Running the jenkins container as -u <uid_on_host_but_not_in_container> causes more issues than it solves. In my specific case, a job that calls git commit errors with the following:
fatal: unable to look up current user in the passwd file: no such user
Several users of Jenkins Docker have requested the project change the default UID of the jenkins user. See discussions in #112, #153, #154, #165, #177. The request keeps getting dismissed with "run with -u <some_other_uid>". As described here and in the other issues, this is not a foolproof workaround.
Right now, users of Jenkins Docker are left to perform workarounds by following one of two methods:
docker build --build-arg uid=<uid_compatible_with_host_os> --build-arg gid=<gid_compatible_with_host_os> --build-arg JENKINS_VERSION=<jenkins_version> --build-arg JENKINS_SHA=<jenkins_sha> -t jenkins:<jenkins_version> https://github.com/jenkinsci/docker.git
and then possibly have to upload that to a registry.
Note that both methods require using a custom build of Jenkins Docker.
If the UID and GID was changed to unreserved values, these workarounds would no longer be necessary, and we would be able to use the stock Jenkins Docker images hosted on Docker Hub, right out of the box. Understanding the maintainers have rejected changing the UID and GID multiple times, I'd like to ask them to kindly reconsider this issue once again, with this new knowledge of why running a container with a different UID is insufficient. It is a small change of two values that will make a huge usability improvement.
For those of you who are looking to use workaround option 2 (custom build of Jenkins Docker image), most of the values for the arguments are obvious except for the value for JENKINS_SHA. I have found these values located in the corresponding subdirectory of your desired Jenkins version under https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/. For example, the SHA1 checksum for Jenkins 2.2 is located at https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.2/jenkins-war-2.2.war.sha1
Below is a complete example of a custom image build for Jenkins 2.2 using UID of 200 and GID of 200 for the jenkins user and group, respectively:
docker build --build-arg uid=200 --build-arg gid=200 --build-arg JENKINS_VERSION=2.2 --build-arg JENKINS_SHA=ac0b046f477620088fc8e9a40c510e484d975d63 -t jenkins:2.2 https://github.com/jenkinsci/docker.git
Edits: Removed aggressive language so as not to offend the Jenkins Docker maintainers.
Further edits: Advised how to find appropriate SHA1 checksum and showed a complete custom build command.
Further further edits: reduced UID and GID example values to within system UID/GID range. (See comment in #112.)
Great solutions, @gotgenes!
For the record, I went the first route by publishing my own version of the Jenkins container that used a UID friendly to me. It's no problem for me to consistently create a user without an offending UID because I'm automating the deployment with Puppet, but I also realize that may not be the case for everyone.
In a perfect world, the Jenkins container itself would have a good UID. Until such a time, I have to stick with the solution we discussed earlier.
I'm closing this issue that is fixed by setting the correct selinux labels
http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
For any other questions about the default UID see https://github.com/jenkinsci/docker/issues/112#issuecomment-227080794
Most helpful comment
@bbriggs, this just bit me in the butt, too:
Running the jenkins container as
-u <uid_on_host_but_not_in_container>causes more issues than it solves. In my specific case, a job that callsgit commiterrors with the following:Several users of Jenkins Docker have requested the project change the default UID of the jenkins user. See discussions in #112, #153, #154, #165, #177. The request keeps getting dismissed with "run with
-u <some_other_uid>". As described here and in the other issues, this is not a foolproof workaround.Right now, users of Jenkins Docker are left to perform workarounds by following one of two methods:
docker build --build-arg uid=<uid_compatible_with_host_os> --build-arg gid=<gid_compatible_with_host_os> --build-arg JENKINS_VERSION=<jenkins_version> --build-arg JENKINS_SHA=<jenkins_sha> -t jenkins:<jenkins_version> https://github.com/jenkinsci/docker.gitand then possibly have to upload that to a registry.
Note that both methods require using a custom build of Jenkins Docker.
If the UID and GID was changed to unreserved values, these workarounds would no longer be necessary, and we would be able to use the stock Jenkins Docker images hosted on Docker Hub, right out of the box. Understanding the maintainers have rejected changing the UID and GID multiple times, I'd like to ask them to kindly reconsider this issue once again, with this new knowledge of why running a container with a different UID is insufficient. It is a small change of two values that will make a huge usability improvement.
More information on custom builds of Jenkins Docker (workaround 2):
For those of you who are looking to use workaround option 2 (custom build of Jenkins Docker image), most of the values for the arguments are obvious except for the value for
JENKINS_SHA. I have found these values located in the corresponding subdirectory of your desired Jenkins version under https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/. For example, the SHA1 checksum for Jenkins 2.2 is located at https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.2/jenkins-war-2.2.war.sha1Below is a complete example of a custom image build for Jenkins 2.2 using UID of 200 and GID of 200 for the jenkins user and group, respectively:
Edits: Removed aggressive language so as not to offend the Jenkins Docker maintainers.
Further edits: Advised how to find appropriate SHA1 checksum and showed a complete custom build command.
Further further edits: reduced UID and GID example values to within system UID/GID range. (See comment in #112.)