6

I am on my MacBook terminal. I am trying to get a jenkins container up and running on my local machine.

I first created a docker-compose.yml:

version: '3'
services:
  jenkins:
    container_name: jenkins
    image: jenkins/jenkins
    ports:
      - "8080:8080"
    volumes:
      - $PWD/jenkins_home:/var/jenkins_home
    networks:
      - net
networks:
  net:

As you can see in the volumes section, I have defined the jenkins_home folder under my current directory as the volume for jenkins data.

Then under my current directory of my machine, I created a folder named jenkins_home. Here is my current directory:

-rw-r--r--  1 john 1349604816  220 Sep  4 00:08 docker-compose.yml
drwxr-xr-x  2 john 1349604816   64 Sep  4 00:06 jenkins_home

As you can see, I need to change the ownership of the jenkins_home folder so that the jenkins container is able to write data to it (because the uid is not 1000). So, I executed the command:

sudo chown 1000:1000 jenkins_home/

Then, my current directory looks like this:

-rw-r--r--  1 john  1349604816  220 Sep  4 00:08 docker-compose.yml
drwxr-xr-x  2 1000     1000         64 Sep  4 00:06 jenkins_home

After that I ran my container with the command docker-compose up, but I ended up with an error:

Starting jenkins ... done
Attaching to jenkins
jenkins    | touch: cannot touch '/var/jenkins_home/copy_reference_file.log': Permission denied
jenkins    | Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?
jenkins exited with code 1

Why do I still get the permission error after I changed the ownership of the jenkins_home folder under my current directory on my machine?

P.S. I understand there could be other ways to simply get a jenkins container running, but I would still like to understand what is wrong with my approach and hopefully get it to work.

Leem.fin
  • I would bet your `jenkins_home` is not empty and `copy_reference_file.log` is owned by a different user. Could you run `sudo chown -R 1000:1000 ...`? – snahor Sep 04 '20 at 13:45
  • My `jenkins_home` is empty actually, and I have tried `sudo chown -R 1000:1000` as well. Same issue exists. – Leem.fin Sep 04 '20 at 13:47
  • Do you actually need to directly access the workspace directory from the host? A named volume might not have this problem (and it'd be faster on MacOS). – David Maze Sep 04 '20 at 15:16
  • @DavidMaze you might be right, but still I would like to understand what is wrong with my approach. – Leem.fin Sep 04 '20 at 15:30
  • Oh boy, I missed the Macbook part, that's a small but giant detail, that weird gid makes sense now. To begin with, Docker uses virtualization on macOS, there's some user/group mapping involved. Unfortunately I cannot help you with this. You could go with the ol' `777`, maybe this can help too: https://stackoverflow.com/a/36092817/94746. Maybe what @DavidMaze said could work. – snahor Sep 04 '20 at 18:48
  • @DavidMaze what do you mean "named volume"? Isn't my volume a named volume? – Leem.fin Sep 05 '20 at 20:29
  • There are two kinds of "volumes", and what you have here is a [bind mount](https://docs.docker.com/storage/bind-mounts/) (trying to mount a host directory into a container) rather than a [named volume](https://docs.docker.com/storage/volumes/) (Docker-managed persistent storage). There's a little more discussion in the Compose [`volumes:`](https://docs.docker.com/compose/compose-file/#volumes) documentation. – David Maze Sep 05 '20 at 21:03
  • Thanks @DavidMaze for the quick reply. Am I right that by removing that `volumes:` section in my docker-compose.yml file I then use the named volume? – Leem.fin Sep 05 '20 at 21:08
  • Have you tried this one? https://stackoverflow.com/questions/44065827/jenkins-wrong-volume-permissions – Prashanna Sep 13 '20 at 13:25
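The setup in the question (bind-mount a host directory, chown it to the container's uid, then docker-compose up) can be checked from the host before the container starts. The following is an added example, not code from the question or from the Jenkins project: it classifies each short-syntax `volumes:` entry as a bind mount or a named volume (the distinction David Maze raises in the comments) and, for each bind-mount source, compares the host directory's owner and mode with the uid/gid the container process is expected to run as. The 1000:1000 default is an assumption about the jenkins/jenkins image, and the function names (`split_volume`, `check_host_dir`, `preflight`) are the example's own. On a Linux host the comparison is direct; on Docker Desktop for Mac the VM's file-sharing layer mediates ownership, so this host-side check is only a first approximation there.

```python
"""Preflight check for bind-mount sources before `docker-compose up`.

Added example for this thread; not code from the question or the Jenkins project.
"""
import os
import stat
from typing import List, Sequence, Tuple

# Assumption: the jenkins/jenkins image runs its process as uid 1000 / gid 1000.
JENKINS_UID = 1000
JENKINS_GID = 1000


def split_volume(entry: str) -> Tuple[str, str, bool]:
    """Split a short-syntax volumes: entry into (source, target, is_bind_mount).

    A source that looks like a path ('/', './', '../', '~', or a '$VAR' prefix)
    is a bind mount of a host directory. Any other source is a named volume that
    Docker creates and owns itself; a bare target is an anonymous volume.
    """
    parts = entry.split(":")
    if len(parts) < 2:
        return "", parts[0], False
    source, target = parts[0], parts[1]
    return source, target, source.startswith(("/", "./", "../", "~", "$"))


def check_host_dir(path: str, uid: int, gid: int) -> List[str]:
    """Report why the container user uid:gid might not be able to write to path."""
    expanded = os.path.expanduser(os.path.expandvars(path))
    if not os.path.exists(expanded):
        # Docker creates a missing bind-mount source itself; on a Linux host the
        # daemon runs as root, so the new directory ends up root-owned.
        return [f"{path}: does not exist on the host; Docker will create it on first run"]
    st = os.stat(expanded)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: exists but is not a directory"]
    problems: List[str] = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append(
            f"{path}: owned by {st.st_uid}:{st.st_gid}, container process runs as {uid}:{gid}"
        )
    if not st.st_mode & stat.S_IWUSR:
        problems.append(
            f"{path}: owner has no write permission (mode {stat.filemode(st.st_mode)})"
        )
    return problems


def preflight(volumes: Sequence[str], uid: int = JENKINS_UID, gid: int = JENKINS_GID) -> List[str]:
    """Check every bind-mount source in a service's volumes: list; named volumes are skipped."""
    problems: List[str] = []
    for entry in volumes:
        source, _target, is_bind = split_volume(entry)
        if is_bind:
            problems.extend(check_host_dir(source, uid, gid))
    return problems


if __name__ == "__main__":
    # The entry from the question; $PWD is expanded from the environment, as Compose does.
    for line in preflight(["$PWD/jenkins_home:/var/jenkins_home"]) or ["no host-side problems found"]:
        print(line)
```

Run it from the directory that holds docker-compose.yml; an empty result means the directory exists, is owned by the expected uid:gid, and is writable by that owner, which is the state the `chown 1000:1000` in the question was meant to produce.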

3 Answers

0

Jenkins needs to create or to use an existing jenkins_home directory.

When Docker sees that the jenkins_home volume on your machine doesn't exist, it will create it with your OS X UID & GID.

If you create the jenkins_home folder, you must keep your current directory permissions and not change them.

Docker's running UID isn't the same as your machine's; they may have different UIDs and GIDs.

Linux namespaces provide isolation for running processes, limiting their access to system resources without the running process being aware of the limitations. For more information on Linux namespaces, see Linux namespaces.

The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.

There is a wonderful video explaining how Docker works with namespaces.

Daniel Taub
  • I don't understand your answer. It sounds contradictory. Your answer also contradicts this accepted answer https://stackoverflow.com/questions/34706077/starting-jenkins-in-docker-container: if I stay with the current directory permissions like you said, how can jenkins write data to the mapped directory on the host? I know the Docker running UID is different from my host machine's; that's exactly why I grant permission for the Jenkins container to write data to the directory by changing the directory ownership with `sudo chown 1000:1000 jenkins_home/`. (unless I misunderstand you) – Leem.fin Sep 08 '20 at 11:43
  • It's not; on a lot of Linux distributions the first user's uid is 1000, so this https://stackoverflow.com/questions/34706077/starting-jenkins-in-docker-container is about Linux and not OS X. In OS X the uid is most of the time 501, or you can refer to it by your username; this https://geek-university.com/linux/uid-user-identifier-gid-group-identifier/ explains uids in Linux – Daniel Taub Sep 08 '20 at 12:02
  • So what is your suggestion to solve the issue overall? By simply not doing the `chown`? Or by not specifying the volume? – Leem.fin Sep 09 '20 at 09:15
  • Without the `chown` – Daniel Taub Sep 09 '20 at 09:22
0

I got the same issue, then solved it by:

  1. delete the existing "/var/jenkins_home" folder

  2. re-create folder "/var/jenkins_home"

  3. re-run the docker run command, started with "docker run -u root..."

J L
-2

Does the actual jenkins user/group exist on the Mac? This is what I do on my Linux servers, where:

ARG user=jenkins
ARG group=jenkins
ARG uid=1000
ARG gid=1000

On my Alpine server:

addgroup -g ${gid} ${group}
adduser -u ${uid} -G ${group} -s /bin/bash -D ${user}

to become

addgroup -g 1000 jenkins
adduser -u 1000 -G jenkins -s /bin/bash -D jenkins

On my CentOS 8 server:

groupadd -g ${gid} ${group}
useradd -u ${uid} -g ${group} -s /bin/bash -d ${user}

to become

groupadd -g 1000 jenkins
useradd -u 1000 -g jenkins -s /bin/bash -d jenkins

then:

sudo chown jenkins:jenkins jenkins_home/

I do not use a Mac, but I presume it is similar.

UPDATE: Based on all the above, try the following docker-compose.yml:

version: '3'
services:
  jenkins:
    container_name: jenkins
    image: jenkins/jenkins
    ports:
      - 8080:8080
      - 50000:50000
    volumes:
      - $PWD/jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - net
networks:
  net:

I have added the following:

  • port 50000 (only if you want to attach build slave servers, opposed to just running builds on the master)
  • volume /var/run/docker.sock (to be able to use the docker daemon with Jenkins, you need to mount the volume)

!!DO THE FOLLOWING!! Delete the original jenkins_home directory that you created before. Now run 'docker-compose up'; since the host volume directory does not exist, Docker will now create the required directory on the host based on the configuration in the docker-compose.yml (in this case '$PWD/jenkins_home'), so it will now have the correct ownership and permissions for the jenkins container to use it.

If that doesn't work, make the jenkins container run in privileged mode; see below:

version: '3'
services:
  jenkins:
    container_name: jenkins
    image: jenkins/jenkins
    privileged: true
    user: root
    ports:
      - 8080:8080
      - 50000:50000
    volumes:
      - $PWD/jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - net
networks:
  net:
djmonki
  • Thanks, but do you see what goes wrong with my approach? That's the main mystery I would like to understand . – Leem.fin Sep 04 '20 at 17:10
  • Sorry, should have been clearer (updated above). From the information that was provided, I could not see any issue with the approach except, there was no clarification that the 'jenkins' user itself exists on your Mac. What I provided was the initial solution of adding the user first to the OS, my examples being Linux based. Your solution just advises that you have given permissions (755) and ownership to gid & uid '1000', but that would not help if the user/group does not exist on the Mac – djmonki Sep 05 '20 at 02:27
  • On another note, what ownership/permissions show for the shared jenkins_home volume on the Jenkins docker container ? – djmonki Sep 05 '20 at 04:06
  • Updated your process, based on all the comments above. Does that help? – djmonki Sep 10 '20 at 02:41
  • Thanks for your update. You mentioned that don't re-create the `jenkins_home` directory on my mac but docker will create it on my host. But what is the directory path of `jenkins_home` that is created by docker on my host? – Leem.fin Sep 10 '20 at 19:55
  • It will be what is configured in the docker-compose.yml. So in the case of the above, we have '$PWD/jenkins_home:/var/jenkins_home'. Thus, docker will create the 'jenkins_home' directory in the same directory as the docker-compose.yml due to '$PWD/jenkins_home'. If nothing has changed since the original set-up: 1) Remove all existing containers & images of Jenkins 2) Delete the jenkins_home directory that you created 3) Update your docker-compose.yml with desired changes suggested 4) Run docker-compose up, should see jenkins container starting & creating the 'jenkins_home' directory – djmonki Sep 11 '20 at 09:06
  • I realised that the solution was not clear, so have re-edited – djmonki Sep 11 '20 at 16:45
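The second Compose file in this answer (privileged: true, user: root, and the Docker socket bind-mounted into the container) gets past the write error by handing the container far more than write access to one directory: a process that can talk to /var/run/docker.sock can ask the daemon to start containers with arbitrary host mounts, and privileged: true removes the remaining isolation. The following is an added example, not djmonki's code and not part of Compose or Jenkins: it audits a Compose configuration that has already been loaded into a dict for those settings, and for ports published without a host address, so the trade-off is visible before docker-compose up. The names audit_compose, audit_service and load_compose are the example's own, and the two sample configurations are constructed from the files in this thread.

```python
"""Audit a Compose config (as loaded into a dict) for settings that widen host access.

Added example for this thread; the function names are the example's own and the
checks encode Docker's documented semantics, not a Compose or Jenkins API.
"""
from typing import Any, Dict, List

DOCKER_SOCKET = "/var/run/docker.sock"


def _volume_source(entry: Any) -> str:
    """Return the host-side source of a volumes: entry (short or long syntax)."""
    if isinstance(entry, str):
        return entry.split(":")[0]            # "src:dst[:mode]"
    if isinstance(entry, dict):
        return str(entry.get("source", ""))   # {type: bind, source: ..., target: ...}
    return ""


def audit_service(name: str, svc: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one service definition."""
    findings: List[str] = []

    if svc.get("privileged") is True:
        findings.append(f"{name}: 'privileged: true' grants all capabilities and host device access")

    user = str(svc.get("user", "")).strip()
    if user in ("root", "0") or user.startswith(("root:", "0:")):
        findings.append(f"{name}: runs as root inside the container")

    for entry in svc.get("volumes") or []:
        if _volume_source(entry) == DOCKER_SOCKET:
            findings.append(f"{name}: mounts {DOCKER_SOCKET}; control of the daemon is root-equivalent on the host")

    for port in svc.get("ports") or []:
        if isinstance(port, int):
            # unquoted "xx:yy" with a part below 60 is read by YAML 1.1 as a base-60 integer
            findings.append(f"{name}: port entry {port} was parsed as an integer; quote it as \"HOST:CONTAINER\"")
            continue
        spec = str(port)
        if spec.count(":") == 1:
            # "8080:8080" carries no host address, so it is published on every host interface
            findings.append(f"{name}: port {spec} is published on all interfaces; use 127.0.0.1:{spec} to keep it local")

    return findings


def audit_compose(config: Dict[str, Any]) -> Dict[str, List[str]]:
    """Audit every service in a parsed Compose file."""
    services = config.get("services") or {}
    return {name: audit_service(name, svc or {}) for name, svc in services.items()}


def load_compose(path: str) -> Dict[str, Any]:
    """Parse a docker-compose.yml with PyYAML (third-party; imported lazily)."""
    import yaml  # pip install pyyaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed from the two Compose files in this thread; not read from disk.
ORIGINAL = {"services": {"jenkins": {
    "image": "jenkins/jenkins",
    "ports": ["8080:8080"],
    "volumes": ["$PWD/jenkins_home:/var/jenkins_home"]}}}

PRIVILEGED = {"services": {"jenkins": {
    "image": "jenkins/jenkins", "privileged": True, "user": "root",
    "ports": ["8080:8080", "50000:50000"],
    "volumes": ["$PWD/jenkins_home:/var/jenkins_home",
                f"{DOCKER_SOCKET}:{DOCKER_SOCKET}"]}}}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("privileged", PRIVILEGED)):
        for svc, items in audit_compose(cfg).items():
            print(f"[{label}] {svc}: {len(items)} finding(s)")
            for item in items:
                print("  -", item)
```

Against the question's original file the only finding is the port published on all interfaces; against the privileged variant the audit reports all five widenings. Running `audit_compose(load_compose("docker-compose.yml"))` applies the same checks to a file on disk.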