
I'm trying to set up Groovy in Jenkins, so that it is automatically installed on an agent when performing jobs on it.

This is my global configuration:

enter image description here

This is my groovy build-step:

enter image description here

When I run the job, I get this error:

enter image description here

The user testrpm does have sudo rights. Where is the problem?

paddy3k

1 Answer

I wouldn't install Groovy on agent nodes. You should just use the Groovy wrapper, which will download Groovy and run it without needing to install anything into directories Jenkins doesn't have permissions for.

Short of that, I would NOT grant sudo rights to testrpm either. That's going to be bad mojo. Instead you can add testrpm to a group that allows write access to /opt or /opt/groovy-4.0.0. You are unzipping something into a nested directory, so you'll have to grant access to /opt to write to that directory, which could be dangerous if you have other things in that directory. You may nest it in a subdirectory to isolate it from other things. If you do these steps on the machine using a user with sudo rights (not in your build script) then it should work:

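    # Run once on the agent as an admin user, not from the build script
    sudo mkdir /opt/jenkins               # dedicated directory, isolated from the rest of /opt
    sudo chgrp jenkins /opt/jenkins       # group-owned by jenkins
    sudo usermod -a -G jenkins testrpm    # takes effect at testrpm's next login session
    sudo chmod 770 /opt/jenkins           # owner and group only, no access for others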

Another option would be to pick a directory testrpm already has write access to, without needing to grant permissions to it.

chubbsondubs
  • Thanks for all the hints! The test machine I'm using has no internet connection, so downloading anything is not possible. But I will implement your other ideas / example! I'm still a bit curious why the sudo unzip doesn't work. It's done as user "testrpm", which currently has sudoer permissions. If I execute this command on the server itself, it works. Thanks for your help! – paddy3k Feb 19 '23 at 21:11
  • Could it be that testrpm has sudo'er permissions on the master node, but not the agent nodes? Anyway I just want to re-iterate you don't want to give sudoer permissions to testrpm. The fact that the server doesn't have internet access limits the dangers of doing that, but if you ever did give it you might forget that testrpm has this power and wind up with a very big vulnerability. – chubbsondubs Feb 19 '23 at 21:28
  • Thanks again for pointing to it, and I agree! No, it also has sudo'er permissions on the target node. These are purely test nodes which have no connection to critical infrastructure like LDAP or anything else. Naked VMs which get reset with every Jenkins run, because they are used for test purposes only (e.g. installing own rpm packages). – paddy3k Feb 20 '23 at 06:20
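
A preflight check for the dedicated-directory setup in the answer above, added here as an example and not part of the original posts: run as the build user on the agent, it confirms the tool directory is usable without sudo and is not world-writable. The function name `check_install_dir` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# check_install_dir and its return codes are hypothetical names.
# Usage (as the build user on the agent): check_install_dir /opt/jenkins
# Returns: 0 = usable without sudo
#          1 = directory missing
#          2 = world-writable
#          3 = not writable, running process is not in the directory's group
#          4 = not writable although the process is in the group
check_install_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }

    # A world-writable tool directory lets any local account replace the
    # binaries that later builds execute.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "world-writable: $dir" >&2
        return 2
    fi

    # Writable and searchable by the current user: no sudo needed.
    if [ -w "$dir" ] && [ -x "$dir" ]; then
        return 0
    fi

    # Diagnose the failure. Numeric group id of the directory is the
    # 4th field of ls -ldn.
    dir_gid=$(ls -ldn "$dir" | awk '{print $4}')

    # usermod -a -G only affects new login sessions, so compare against the
    # groups of the running process (id -G), not against /etc/group.
    case " $(id -G) " in
        *" $dir_gid "*)
            echo "in group $dir_gid but $dir is not group-writable" >&2
            return 4 ;;
        *)
            echo "process not in group $dir_gid; restart the agent session" >&2
            return 3 ;;
    esac
}
```
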