non-root docker-container failed to start .e.g Jenkins #339

Open
kknd22 opened this issue May 29, 2019 · 2 comments

kknd22 commented May 29, 2019

Unsuccessfully tried to use the official Jenkins container for kitchen-test.
Dug a bit more and discovered that the user is set to a non-root 'jenkins':
https://github.com/jenkinsci/docker/blob/587b2856cd225bb152c4abeeaaa24934c75aa460/Dockerfile#L66
https://github.com/jenkinsci/docker/blob/587b2856cd225bb152c4abeeaaa24934c75aa460/Dockerfile#L5

The error is:

```
Step 3/16 : RUN yum clean all
 ---> Using cache
 ---> ef4ad2349c4
Step 4/16 : RUN yum install -y sudo openssh-server openssh-clients which curl
 ---> Running in bd2wr4a8139
Loaded plugins: fastestmirror, ovl
ovl: Error while doing RPMdb copy-up:
[Errno 13] Permission denied: '/var/lib/rpm/.dbenv.lock'
You need to be root to perform this command.
```

Tried adding in .kitchen.yml :

```yaml
platforms:
  - name: centos-7
    driver_config:
      image: jenkins
      run_options: --user=root:root
```

Without any luck.

Any help would be appreciated.
-ChrisL

BTW, this is not a Jenkins-specific issue but applies to any container not run as root. Kitchen-Docker seems to have no way around this.


ObiH15 commented Aug 30, 2019

I am experiencing the same issue. I see the dockerfile portion of the linux.rb requires sudo privileges.

```ruby
def dockerfile
  return dockerfile_template if @config[:dockerfile]
  from = "FROM #{@config[:image]}"
  platform = case @config[:platform]
             when 'debian', 'ubuntu'
               disable_upstart = <<-CODE
                 RUN [ ! -f "/sbin/initctl" ] || dpkg-divert --local --rename --add /sbin/initctl && ln -sf /bin/true /sbin/initctl
               CODE
               packages = <<-CODE
                 ENV DEBIAN_FRONTEND noninteractive
                 ENV container docker
                 RUN apt-get update
                 RUN apt-get install -y sudo openssh-server curl lsb-release
               CODE
               @config[:disable_upstart] ? disable_upstart + packages : packages
             when 'rhel', 'centos', 'oraclelinux', 'amazonlinux'
               <<-CODE
                 ENV container docker
                 RUN yum clean all
                 RUN yum install -y sudo openssh-server openssh-clients which curl
                 RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
                 RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
               CODE
             when 'fedora'
               <<-CODE
                 ENV container docker
                 RUN dnf clean all
                 RUN dnf install -y sudo openssh-server openssh-clients which curl
                 RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
                 RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
               CODE
             when 'opensuse/tumbleweed', 'opensuse/leap', 'opensuse', 'sles'
               <<-CODE
                 ENV container docker
                 RUN zypper install -y sudo openssh which curl
                 RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
                 RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
               CODE
             when 'arch'
               # See https://bugs.archlinux.org/task/47052 for why we
               # blank out limits.conf.
               <<-CODE
                 RUN pacman --noconfirm -Sy archlinux-keyring
                 RUN pacman-db-upgrade
                 RUN pacman --noconfirm -Syu openssl openssh sudo curl
                 RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -A -t rsa -f /etc/ssh/ssh_host_rsa_key
                 RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -A -t dsa -f /etc/ssh/ssh_host_dsa_key
                 RUN echo >/etc/security/limits.conf
               CODE
             when 'gentoo'
               <<-CODE
                 RUN emerge --sync
                 RUN emerge net-misc/openssh app-admin/sudo
                 RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -A -t rsa -f /etc/ssh/ssh_host_rsa_key
                 RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -A -t dsa -f /etc/ssh/ssh_host_dsa_key
               CODE
             when 'gentoo-paludis'
               <<-CODE
                 RUN cave sync
                 RUN cave resolve -zx net-misc/openssh app-admin/sudo
                 RUN [ -f "/etc/ssh/ssh_host_rsa_key" ] || ssh-keygen -A -t rsa -f /etc/ssh/ssh_host_rsa_key
                 RUN [ -f "/etc/ssh/ssh_host_dsa_key" ] || ssh-keygen -A -t dsa -f /etc/ssh/ssh_host_dsa_key
               CODE
             else
               raise ActionFailed, "Unknown platform '#{@config[:platform]}'"
             end
  username = @config[:username]
  public_key = IO.read(@config[:public_key]).strip
  homedir = username == 'root' ? '/root' : "/home/#{username}"
  base = <<-CODE
    RUN if ! getent passwd #{username}; then \
          useradd -d #{homedir} -m -s /bin/bash -p '*' #{username}; \
        fi
    RUN echo "#{username} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
    RUN echo "Defaults !requiretty" >> /etc/sudoers
    RUN mkdir -p #{homedir}/.ssh
    RUN chown -R #{username} #{homedir}/.ssh
    RUN chmod 0700 #{homedir}/.ssh
    RUN touch #{homedir}/.ssh/authorized_keys
    RUN chown #{username} #{homedir}/.ssh/authorized_keys
    RUN chmod 0600 #{homedir}/.ssh/authorized_keys
    RUN mkdir -p /run/sshd
  CODE
  # (the excerpt ends here; the rest of the method is not shown)
```

We are planning on running containers without a root user... Are there any plans to support running kitchen-docker without root/sudo privileges? Thanks
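
An added example, not part of the thread and not kitchen-docker code: a small Ruby check that walks a Dockerfile and reports the `RUN` steps that need root but would execute as the non-root user inherited from the base image, which is the failure in the build log above. It assumes the base image's user is read separately (for instance with `docker inspect --format '{{.Config.User}}' IMAGE`); the `ROOT_ONLY` pattern, the function names and the `kitchen` username in the sample are illustrative.

```ruby
# Added example, not kitchen-docker code.
# Commands that touch the package database or system files (illustrative list).
ROOT_ONLY = /\b(yum|dnf|apt-get|zypper|pacman|emerge|useradd)\b|>>?\s*\/etc\//

def root?(user)
  # An empty USER means root; "root:root" and "0:0" are root as well.
  name = user.to_s.split(':').first.to_s
  name.empty? || name == 'root' || name == '0'
end

# base_user: the USER baked into the FROM image (assumed input, see lead-in).
# Returns one hash per RUN step that needs root but runs as someone else.
def nonroot_privileged_steps(dockerfile, base_user)
  user = base_user
  findings = []
  # Join backslash continuations so each instruction is a single line.
  dockerfile.gsub(/\\\s*\n/, ' ').each_line do |line|
    instruction, args = line.strip.split(/\s+/, 2)
    case instruction&.upcase
    when 'USER' then user = args.to_s   # applies to every later RUN
    when 'RUN'
      next if root?(user) || args.to_s !~ ROOT_ONLY
      findings << { user: user, step: args }
    end
  end
  findings
end

# Constructed sample: the centos steps from the excerpt, username "kitchen".
GENERATED = <<~DOCKERFILE
  FROM jenkins
  ENV container docker
  RUN yum clean all
  RUN yum install -y sudo openssh-server openssh-clients which curl
  RUN echo "kitchen ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
DOCKERFILE

# Same file with the build user reset right after FROM.
PATCHED = GENERATED.sub("FROM jenkins\n", "FROM jenkins\nUSER root\n")

nonroot_privileged_steps(GENERATED, 'jenkins').each do |f|
  puts "runs as #{f[:user]}: #{f[:step]}"
end
```

The `PATCHED` variant reports nothing, because a `USER` instruction in the Dockerfile applies to the build steps that follow it.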

@lmayorga1980

Any news about this issue?
