15

I am new to docker, so if this is a fairly obvious process that I am missing, I do apologize for the dumb question up front.

I am setting up a continuous integration server using the jenkins docker image. I did a docker pull jenkins, and created a user jenkins to allow me to mount the /var/jenkins_home in the container to my host's /var/jenkins_home (also owned by jenkins:jenkins user).

The problem is that the container seems to define the jenkins user with uid 102, but my host has the jenkins user as 1002, so when I run it I get:

docker run --name jenkins -u jenkins -p 8080 -v /var/jenkins_home:/var/jenkins_home jenkins
/usr/local/bin/jenkins.sh: line 25: /var/jenkins_home/copy_reference_file.log: Permission denied

I would simply make the uid for the host's jenkins user be 102 in /etc/passwd, but that uid is already taken by sshd. I think the solution is to change the container to use uid 1002 instead, but I am not sure how.

Edit

Actually, user 102 on the host is messagebus, not sshd.

CodeChimp

4 Answers

8

Please take a look at the docker file I just uploaded: https://github.com/bdruemen/jenkins-docker-uid-from-volume/blob/master/Dockerfile . Here the UID is extracted from a mounted volume (host directory), with

stat -c '%u' <VOLUME-PATH>

Then the UID of the container user is changed to the same value with

usermod -u <UID>

This has to be done as root, but then root privileges are dropped with

gosu <USERNAME> <COMMAND>

Everything is done in the ENTRYPOINT, so the real UID is unknown until you run

docker run -d -v <HOST-DIRECTORY>:<VOLUME-PATH> ...

Note that after changing the UID, there might be some other files no longer accessible for the process in the container, so you might need a

chown -R <USERNAME> <SOME-PATH>

before the gosu command.

You can also change the GID; see my answer here: "Jenkins in docker with access to host docker". Maybe you want to change both to increase security.

bdruemen
  • 1
    This seems like the best answer by far. The reason one cares about UID of container is to interact with host filesystem, so this is brilliant, get the UID from the mounted volume and do the needful. – Oliver Sep 15 '19 at 18:20
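
The steps from the answer above, combined into one ENTRYPOINT script. This is an added example, not the Dockerfile from the linked repository; the jenkins user name, the /var/jenkins_home path, the CHOWN_PATHS variable and the refusal to remap to UID 0 are assumptions made here.

```shell
#!/bin/sh
# Added example: ENTRYPOINT that matches the container user's UID to the
# owner of the mounted volume, then drops root with gosu.
# Assumes the image contains usermod and gosu and starts as root.
set -eu

VOLUME_PATH="${VOLUME_PATH:-/var/jenkins_home}"   # assumed mount point
RUN_USER="${RUN_USER:-jenkins}"                   # assumed container user
CHOWN_PATHS="${CHOWN_PATHS:-}"   # hypothetical: extra paths to re-own

# Print the numeric UID that owns the mounted host directory.
volume_uid() {
    stat -c '%u' "$1"
}

# Accept only a plain, non-zero number. A root-owned host directory
# must not turn the service user into UID 0.
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ne 0 ]
}

main() {
    uid="$(volume_uid "$VOLUME_PATH")"
    if ! valid_uid "$uid"; then
        echo "refusing UID '$uid' (owner of $VOLUME_PATH) for $RUN_USER" >&2
        exit 1
    fi
    if [ "$(id -u "$RUN_USER")" != "$uid" ]; then
        # Fails (and aborts via set -e) if another container user has this UID.
        usermod -u "$uid" "$RUN_USER"
        # usermod only re-owns the home directory; fix other paths explicitly.
        for p in $CHOWN_PATHS; do
            chown -R "$RUN_USER" "$p"
        done
    fi
    # Replace this root shell with the real command running as RUN_USER.
    exec gosu "$RUN_USER" "$@"
}

# Docker passes CMD as arguments; with no arguments nothing is changed.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the UID is read at container start, the same image works on hosts where the directory owner differs, and the service never keeps root after the `exec`.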
5

You can simply change the UID in /etc/passwd, assuming that no other user has UID 1002.

You will then need to change the ownership of /var/jenkins_home on your host to UID 1002:

chown -R jenkins /var/jenkins_home

In fact, you don't even need a jenkins user on the host to do this; you can simply run:

chown -R 1002 /var/jenkins_home

This will work even if there is no user with UID 1002 available locally.

Another solution is to build your own docker image, based on the Jenkins image, that has an ENTRYPOINT script that looks something like:

#!/bin/sh
chown -R jenkins /var/jenkins_home 
exec "$@"

This will (recursively) chown /var/jenkins_home inside the container to whatever UID is used by the jenkins user (this assumes that your Docker container is starting as root, which is true unless there was a USER directive in the history of the image).

Update

You can create a new image, based on (FROM ...) the jenkins image, with a Dockerfile that performs the necessary edits to the /etc/passwd file. But that seems a lot of work for not much gain. It's not clear why you're creating a jenkins user on the host or if you actually need access to the jenkins home directory on the host.

If all you're doing is providing data persistence, consider using a data volume container and --volumes-from rather than a host volume, because this will isolate the data volume from your host so that UID conflicts don't cause confusion.

larsks
  • 1
    The issue is the uid the image is using is 102, which IS taken by the host. How can I change the uid of the user inside the container? – CodeChimp Aug 24 '15 at 21:03
1

I had the same error; I turned SELinux off (on CentOS) and it works. Otherwise, it would be better to tune SELinux with semanage commands.

Benoit_tt
  • Instead of turning off SELinux, run docker with the --privileged option. Eg: docker run --name jenkins -d -p 8080:8080 -p 50000:50000 -v /home/jenkins:/var/jenkins_home -u 1001 --privileged jenkins – DevOops Jan 23 '16 at 00:22
0

The ideal is to change, in your Dockerfile, the UID of the user used by jenkins to the same UID used by the host (remember that this must be done for non-root users; if it is root, create a new user and configure the service inside the container to use that user).

  • Assuming the user's UID on the host is 1003 and the user is called jenkins (use $ id to get the user and group IDs).

Add to your Dockerfile


# Modify the user's UID and GID to match the host
RUN groupmod -g 1003 jenkins && usermod -u 1003 -g 1003 jenkins

# I use a group (docker) on my host to organize the privileges;
# if that's your case, add the user to this group inside the container.
RUN groupadd -g 998 docker && usermod -aG docker jenkins