Jenkins Pipeline - executing job in docker permissions issues
I have a Jenkinsfile that looks like:

```groovy
pipeline {
    agent {
        docker {
            image 'myartifactory/cloud-eng/sls-build:0.13'
            label 'docker'
            registryUrl 'https://myartifactory'
            registryCredentialsId 'artfifactory-cred-id'
        }
    }
    environment {
    }
    stages {
        stage('Test') {
            // declarative syntax needs the sh calls inside a steps block
            steps {
                sh "env | sort"
                sh "make setup-ci"
                sh "make test"
            }
        }
    }
}
```
When I run this, I see jenkins execute a command that looks like this:

```sh
docker run -t -d -u 1318244366:1318464184 -w /jenkins_home/jenkins-rh7-a01/8b13f8c3/workspace/te_csoe-1624-switch-shared-https -v /jenkins_home/jenkins-rh7-a01/8b13f8c3/workspace/te_csoe-1624-switch-shared-https:/jenkins_home/jenkins-rh7-a01/8b13f8c3/workspace/te_csoe-1624-switch-shared-https:rw,z -v /jenkins_home/jenkins-rh7-a01/8b13f8c3/workspace/te_csoe-1624-switch-shared-https@tmp:/jenkins_home/jenkins-rh7-a01/8b13f8c3/workspace/te_csoe-1624-switch-shared-https@tmp:rw,z -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** myartifactory/cloud-eng/sls-build:0.13 cat
```
This project uses python, NPM and the serverless framework (javascript).

If I run it as above, it fails with:

```
npm ERR! correctMkdir failed to make directory /.npm/_locks
2021-03-11 16:17:02 npm ERR! code EACCES
2021-03-11 16:17:02 npm ERR! syscall mkdir
2021-03-11 16:17:02 npm ERR! path /.npm
2021-03-11 16:17:02 npm ERR! errno -13
2021-03-11 16:17:02 npm ERR!
2021-03-11 16:17:02 npm ERR! Your cache folder contains root-owned files, due to a bug in
2021-03-11 16:17:02 npm ERR! previous versions of npm which has since been addressed.
2021-03-11 16:17:02 npm ERR!
2021-03-11 16:17:02 npm ERR! To permanently fix this problem, please run:
2021-03-11 16:17:02 npm ERR! sudo chown -R 1318244366:1318464184 "/.npm"
2021-03-11 16:17:02 make: *** [setup-ci] Error 243
```
I have tried a lot of solutions, with varying degrees of success. If I add this:

```groovy
args '-u root'
```

to the docker section it works, because of course root has permissions to everything.... but security won't like running the docker container as root.

No matter how I override `$HOME` in `environment` or `args`, or change the user, I always end up with permission problems with NPM or python.

Other errors I hit with various hacks, e.g. `args '-e HOME=/tmp -e NPM_CONFIG_PREFIX=/tmp/.npm'`:
```
../../../../../tmp/.local/share/virtualenvs/te_csoe-1624-switch-shared-https-y_ilovXz/lib/python3.8/site-packages/_pytest/cacheprovider.py:428
2021-03-11 14:45:14 /tmp/.local/share/virtualenvs/te_csoe-1624-switch-shared-https-y_ilovXz/lib/python3.8/site-packages/_pytest/cacheprovider.py:428: PytestCacheWarning: cache could not write path /jenkins_home/jenkins-rh7-a01/8b13f8c3/workspace/te_csoe-1624-switch-shared-https/.pytest_cache/v/cache/nodeids
2021-03-11 14:45:14 config.cache.set("cache/nodeids", sorted(self.cached_nodeids))
Error: EACCES: permission denied, unlink '/jenkins_home/jenkins-rh7-a01/8b13f8c3/workspace/te_csoe-1624-switch-shared-https/.serverless/cloudformation-template-update-stack.json'
2021-03-11 14:45:19 at Object.unlinkSync (fs.js:1136:3)
```
Since jenkins mounts random directories to share, and a random user, I'm not sure how to modify the image's Dockerfile to grant write permissions....

Does anyone know how to get the right permissions?

EDIT: added the Dockerfile
```dockerfile
FROM amazonlinux:2
RUN yum install -y amazon-linux-extras
RUN yum install -y unzip
RUN yum groupinstall -y "Development Tools"
RUN yum install vim-enhanced -y
# install python/pipenv
ENV PYTHON_VERSION=3.9
RUN amazon-linux-extras install python${PYTHON_VERSION}
RUN /bin/pip-${PYTHON_VERSION} install pipenv
# install node/npm
RUN curl -sL https://rpm.nodesource.com/setup_12.x | bash -
RUN yum install -y nodejs
RUN mkdir /tmp/node-cache
RUN npm config set cache /tmp/node-cache --global
# install aws-cli2
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip
# install vault client
ENV VAULT_VERSION=1.5.4
RUN curl -sSLo /tmp/vault.zip https://releases.hashicorp.com/vault/$VAULT_VERSION/vault_${VAULT_VERSION}_linux_amd64.zip && \
    unzip -d /bin /tmp/vault.zip && \
    rm -rf /tmp/vault.zip && \
    setcap cap_ipc_lock= /bin/vault
ADD ./aws-login.sh /usr/local/bin/aws-login.sh
ADD ./ghe-token.sh /usr/local/bin/ghe-token.sh
ENV PATH="/bin:${PATH}"
# indicates CI CONTAINER so processes can check if running in CI
ENV CI_CONTAINER=1
ENV LANG="en_US.UTF-8"
ENV TERM xterm
# avoid million NPM install messages
ENV npm_config_loglevel warn
ENTRYPOINT []
```
What confused me was that I had run this as `-u root` many times, and I only have one agent (don't ask), and jenkins caches the workspace directory. So the docker container running as root changed the file permissions in that code. So when I got rid of `-u root` and started using the jenkins user, it didn't have permissions to some files and directories.

The solution was to delete the workspace and make sure all make invocations have an `export HOME=${WORKSPACE}` before any command.

There's probably a better way to export HOME, but this solved the problem.
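As an added example (not code from the question or the answer), a POSIX shell helper that applies the accepted fix from the shell side: it points HOME and the npm/pip caches at the bind-mounted workspace, checks that tree is writable by the non-root uid Jenkins passes with `-u`, and audits the workspace for files not owned by that uid, which is exactly what a previous `-u root` run leaves behind. The function names are my choice; `npm_config_cache` and `PIP_CACHE_DIR` are the real environment variables npm and pip honour, and the temporary workspace at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post.
#
# audit_workspace_ownership WORKSPACE
#   prints the number of files under WORKSPACE that are NOT owned by the
#   current uid (the root-owned leftovers the answer diagnosed).
# setup_build_home WORKSPACE
#   does what the answer's `export HOME=${WORKSPACE}` does, plus keeps the
#   npm and pip caches inside the workspace and verifies they are writable,
#   so the build fails early with a clear status instead of deep inside npm.

audit_workspace_ownership() {
    ws=$1
    # Jenkins passes a numeric uid (-u uid:gid); find -user accepts a uid too.
    find "$ws" ! -user "$(id -u)" 2>/dev/null | wc -l | tr -d ' '
}

setup_build_home() {
    ws=$1
    [ -d "$ws" ] || return 1          # no workspace mounted
    HOME=$ws
    export HOME
    # Cache locations read by npm and pip; both end up inside the bind mount
    # that Jenkins already mounts read-write for the build uid.
    npm_config_cache=$ws/.npm
    PIP_CACHE_DIR=$ws/.cache/pip
    export npm_config_cache PIP_CACHE_DIR
    mkdir -p "$npm_config_cache" "$PIP_CACHE_DIR" || return 2
    # Prove the build uid can write everywhere it will need to before make runs.
    for d in "$ws" "$npm_config_cache" "$PIP_CACHE_DIR"; do
        [ -w "$d" ] || return 3
    done
    return 0
}

# Stand-alone demo on a constructed temporary workspace.
demo_ws=$(mktemp -d)
setup_build_home "$demo_ws" && echo "HOME is now $HOME"
echo "files not owned by uid $(id -u): $(audit_workspace_ownership "$demo_ws")"
rm -rf "$demo_ws"
```

In a Makefile the same effect is obtained by calling `setup_build_home "$(WORKSPACE)"` (or the answer's `export HOME=${WORKSPACE}`) as the first line of each recipe; a non-zero audit count means the workspace should be wiped before the build, as the answer did.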