I am new to docker, so if this is a fairly obvious process that I am missing, I do apologize for the dumb question up front.
I am setting up a continuous integration ser
Please take a look at the docker file I just uploaded: https://github.com/bdruemen/jenkins-docker-uid-from-volume/blob/master/Dockerfile . Here the UID is extracted from a mounted volume (host directory), with
stat -c '%u' <VOLUME-PATH>
Then the UID of the container user is changed to the same value with
usermod -u <UID>
This has to be done as root, but then root privileges are dropped with
gosu <USERNAME> <COMMAND>
Everything is done in the ENTRYPOINT, so the real UID is unknown until you run
docker run -d -v <HOST-DIRECTORY>:<VOLUME-PATH> ...
Note that after changing the UID, there might be some other files no longer accessible for the process in the container, so you might need a
chown -R <USERNAME> <SOME-PATH>
before the gosu command.
You can also change the GID (see my answer here: Jenkins in docker with access to host docker), and maybe you want to change both to increase security.
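The ENTRYPOINT steps from the answer above (stat, usermod, gosu), written out as an added example; it is not the code from the linked Dockerfile. It adds two checks the answer does not mention: it refuses to remap the user to UID 0 when the host directory is owned by root, and it refuses a UID that another container user already holds. APP_USER, APP_VOLUME and PASSWD_FILE are assumed names.

```shell
#!/bin/sh
# Entrypoint sketch: align the container user's UID with the owner of a mounted
# volume, then drop root. APP_USER, APP_VOLUME and PASSWD_FILE are assumed names.
APP_USER="${APP_USER:-jenkins}"
APP_VOLUME="${APP_VOLUME:-/var/jenkins_home}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Print the numeric owner UID of a path (GNU stat, as in the answer).
volume_uid() { stat -c '%u' "$1"; }

# Print the name that owns UID $1 in the passwd file, or nothing if it is free.
uid_owner() { awk -F: -v u="$1" '$3 == u { print $1; exit }' "$PASSWD_FILE"; }

# Decide what to do with target UID $1 for user $2.
# Prints one of: keep | remap | refuse-root | refuse-taken
plan_remap() {
    owner=$(uid_owner "$1")
    if [ "$1" -eq 0 ]; then
        echo refuse-root        # remapping to 0 would make gosu "drop" to root
    elif [ "$owner" = "$2" ]; then
        echo keep               # already matches, nothing to change
    elif [ -n "$owner" ]; then
        echo refuse-taken       # usermod -u rejects a UID another user holds
    else
        echo remap
    fi
}

main() {
    uid=$(volume_uid "$APP_VOLUME") || exit 1
    case $(plan_remap "$uid" "$APP_USER") in
        remap) usermod -u "$uid" "$APP_USER" ;;
        keep)  ;;
        *)     echo "refusing to run as UID $uid from $APP_VOLUME" >&2; exit 1 ;;
    esac
    # Drop root privileges and replace the shell with the requested command.
    exec gosu "$APP_USER" "$@"
}

# Run only when given a command, e.g. as ENTRYPOINT with CMD arguments.
if [ "$#" -gt 0 ]; then main "$@"; fi
```
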
I had the same error; I turned SELinux off (on CentOS) and it works. Otherwise, it would be better to tune SELinux with semanage commands.
You can simply change the UID in /etc/passwd, assuming that no other user has UID 1002.
You will then need to change the ownership of /var/jenkins_home on your host to UID 1002:
chown -R jenkins /var/jenkins_home
In fact, you don't even need a jenkins user on the host to do this; you can simply run:
chown -R 1002 /var/jenkins_home
This will work even if there is no user with UID 1002 available locally.
Another solution is to build your own docker image, based on the Jenkins image, that has an ENTRYPOINT script that looks something like:
#!/bin/sh
chown -R jenkins /var/jenkins_home
exec "$@"
This will (recursively) chown /var/jenkins_home inside the container to whatever UID is used by the jenkins user (this assumes that your Docker container is starting as root, which is true unless there was a USER directive in the history of the image).
Update
You can create a new image, based on (FROM ...) the jenkins image, with a Dockerfile that performs the necessary edits to the /etc/passwd file. But that seems a lot of work for not much gain. It's not clear why you're creating a jenkins user on the host or if you actually need access to the jenkins home directory on the host.
If all you're doing is providing data persistence, consider using a data volume container and --volumes-from rather than a host volume, because this will isolate the data volume from your host so that UID conflicts don't cause confusion.