英文:
Jenkins kubernetes build user permission problem
问题
我试图进行一些ssh + git子模块构建,最初在尝试拉取代码时遇到了这个错误:
子模块 'xxx' (git@host:thing/subdir/repo.git) 已注册到路径 'repo'
子模块 'yyy' (git@host:thing/subdir/yyy.git) 已注册到路径 'yyy'
克隆到 '/home/jenkins/agent/workspace/thing/AAA/releaser/xxx'...
uid 1000 没有对应的用户
致命错误:无法从远程仓库读取。
这让我想到了这个解决方案:
安全上下文:
允许特权升级:false
能力:
丢弃:
- 所有
只读根文件系统:true
以非root用户运行:true
运行用户:65534
现在,这个方法有效,但我看到了一些关于无法将主机密钥保存到/.ssh的非关键错误,但它仍然检出了代码,所以我不在乎,因为每次运行都像是第一次一样。
然而,我现在遇到了一个不同的问题,它确实需要我永久解决这个用户问题:
+ mc别名设置jenkins-user ****
mc:<ERROR>无法保存新的mc配置。mkdir /.mc:权限被拒绝。
我需要运行minio mc客户端,当我提供凭据时,它尝试将它们保存到/.mc,但无法保存并导致别名命令失败,从而导致整个构建失败。
因此,我需要找到更好的方法来解决最初的用户问题,或者告诉它在这个pod中运行时使用一个非特权目录,比如/tmp。
所以,如果有人可以协助解决任何一个问题,我都愿意接受解决方案。
英文:
I am trying to do some ssh + git sub module builds, and initially I was getting this error when trying to pull code:
Submodule 'xxx' (git@host:thing/subdir/repo.git) registered for path 'repo'
Submodule 'yyy' (git@host:thing/subdir/yyy.git) registered for path 'yyy'
Cloning into '/home/jenkins/agent/workspace/thing/AAA/releaser/xxx'...
No user exists for uid 1000
fatal: Could not read from remote repository.
Which led me to this solution:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
Now, this worked, but I was seeing some non critical errors about not being able to save the host key to /.ssh, but it still checked out the code and so I didn't care since every run is like it's the first time.
However, I am now running into a different problem that really requires me to solve this user issue permanently:
+ mc alias set jenkins-user ****
mc: <ERROR> Unable to save new mc config. mkdir /.mc: permission denied.
I need to run the minio mc client - and when I give it creds it tries to save them to /.mc and it can't and fails the aliasing command, and thus the whole build.
So, I need to figure out a better way to solve the initial user problem, or tell it that, when running in this pod, to use a non privileged directory like /tmp.
So, I am open to a solution to either issue if someone can assist
答案1
得分: 1
好的,以下是翻译好的部分:
首先,我不得不在一个包含我所需内容的自定义 Docker 镜像中添加了具有正确用户 ID 的 Jenkins 用户。
然后,我不得不更新 Pod 定义,以在与之前投诉的相同用户下运行:
如果您需要更多翻译,请告诉我。
英文:
Ok, I ended up solving it with a mix of Kubernetes changes and Dockerfile changes.
First, I had to add the Jenkins user with the right user id to a custom docker image that contained what I needed
FROM minio/mc
RUN \
microdnf update --nodocs && \
microdnf install git zip findutils --nodocs && \
microdnf clean all
RUN adduser --home-dir /home/jenkins/ --shell /bin/sh --uid 1000 jenkins
USER jenkins
WORKDIR /home/jenkins
ENTRYPOINT ["sh"]
Then, I had to update the pod definition to run under the same user that it was complaining about before:
apiVersion: v1
kind: Pod
metadata:
annotations: {}
spec:
securityContext:
allowPrivilegeEscalation: false
runAsUser: 1000
containers:
-
name: releaser
image: docker.io/chb0docker/releaser:latest
imagePullPolicy: Always
command:
- cat
tty: true
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论