[JENKINS-74995] withDockerContainer uses -u with fails for rootless docker

[jenkins-infra-bot]

Hi,

I have rhel 9.6 with selinux enabled. I run a jenkins agent as systemd service. The user which runs the agent has rootless docker.

 

My pipeline job first downloads a repo from git (this set runs outside of docker), then runs build steps in docker.

The issue is that withDockerContainer starts the docker container with -u user_pid:user_group (in my case it is -u 1013:1013) which causes the processes inside of docker to not be able to modify files created by git (or create new directories).

 

I suspect that the issue in this case is that the user inside of docker is mapped to root, but by providing -u option the applications inside of docker run with another user.

 

I do not have any special configuration for docker.

 

systemd file:

[Unit]
Description=Jenkins JNLP Slave service
After=network.target
[Service]
Type=simple
Environment=LANG=C
Environment=DOCKER_HOST=unix:///run/user/1013/docker.sock
WorkingDirectory=/var/agent
ExecStart=/usr/lib/jvm/java-21-zulu-openjdk/bin/java -jar /home/jenkins/agent.jar -url https://ANONYMIZED/ -secret ANONMIZED -name "ANONYMIZED" -webSocket -workDir "/var/agent"
Restart=always
RestartSec=30s
WantedBy=multi-user.target
 

rootless docker is installed according to the docs, without any options.

 

 

I am able to run the pipeline if I provide args to withDockerContainer that overwrite -u by providing -u root:root. But I have to do it for each withDockerContainer execution.

---

Originally reported by pachum_vig, imported from: withDockerContainer uses -u with fails for rootless docker

• status: Open
• priority: Minor
• component(s): docker-workflow-plugin
• resolution: Unresolved
• votes: 0
• watchers: 4
• imported: 2025-12-07

Raw content of original issue

Hi,

I have rhel 9.6 with selinux enabled. I run a jenkins agent as systemd service. The user which runs the agent has rootless docker.

 

My pipeline job first downloads a repo from git (this set runs outside of docker), then runs build steps in docker.

The issue is that withDockerContainer starts the docker container with -u user_pid:user_group (in my case it is -u 1013:1013) which causes the processes inside of docker to not be able to modify files created by git (or create new directories).

 

I suspect that the issue in this case is that the user inside of docker is mapped to root, but by providing -u option the applications inside of docker run with another user.

 

I do not have any special configuration for docker.

 

systemd file:

[Unit]
Description=Jenkins JNLP Slave service
After=network.target
[Service]
Type=simple
Environment=LANG=C
Environment=DOCKER_HOST=unix:///run/user/1013/docker.sock
WorkingDirectory=/var/agent
ExecStart=/usr/lib/jvm/java-21-zulu-openjdk/bin/java -jar /home/jenkins/agent.jar -url https://ANONYMIZED/ -secret ANONMIZED -name "ANONYMIZED" -webSocket -workDir "/var/agent"
Restart=always
RestartSec=30s
WantedBy=multi-user.target
 

rootless docker is installed according to the docs, without any options.
 
 
I am able to run the pipeline if I provide args to withDockerContainer that overwrite -u by providing -u root:root. But I have to do it for each withDockerContainer execution.

[jenkins-infra-bot]

lnlrbr_ing:

• Comment link
• Original comment link (no redirect)
• Raw content of original comment:

  +1 for this issue. A workaround on remote agents is to overwrite the 'id' command to return '0', but it's not a long-term solution.
  
  The problem is here: https://github.com/jenkinsci/docker-workflow-plugin/blob/827a6971ac33b7985b32e03fc4133c07ebc5a2af/src/main/java/org/jenkinsci/plugins/docker/workflow/client/DockerClient.java#L326. We should have the possibility to change the returned value.
  

+1 for this issue. A workaround on remote agents is to overwrite the 'id' command to return '0', but it's not a long-term solution.

The problem is here: https://github.com/jenkinsci/docker-workflow-plugin/blob/827a6971ac33b7985b32e03fc4133c07ebc5a2af/src/main/java/org/jenkinsci/plugins/docker/workflow/client/DockerClient.java#L326. We should have the possibility to change the returned value.

[jenkins-infra-bot]

mrichar2:

• Comment link
• Original comment link (no redirect)
• Raw content of original comment:

  We are running rootless podman on RHEL. Here are the steps I used to get it setup:
  
  1) In containers.conf use "keep-id" for the user namespace (userns = "keep-id")
  2) Run the podman service as user service (run these as the user Jenkins runs as)
  (there may be steps here I am missing that setup the user systemd files)
  export XDG_RUNTIME_DIR=/run/user/<user_id>
  /usr/bin/systemctl --user enable --now podman.socket
  /usr/bin/systemctl --user start podman.service
  3) Enable lingering so the service remains active (Run these are the user Jenkins runs as)
  export XDG_RUNTIME_DIR=/run/user/<user_id>
  /usr/bin/loginctl enable-linger <user>
  4) Set DOCKER_HOST to use the user podman socket
  DOCKER_HOST=unix:///run/user/<user_id>/podman/podman.sock
  

We are running rootless podman on RHEL. Here are the steps I used to get it setup:

1) In containers.conf use "keep-id" for the user namespace (userns = "keep-id")
2) Run the podman service as user service (run these as the user Jenkins runs as)
(there may be steps here I am missing that setup the user systemd files)
export XDG_RUNTIME_DIR=/run/user/
/usr/bin/systemctl --user enable --now podman.socket
/usr/bin/systemctl --user start podman.service
3) Enable lingering so the service remains active (Run these are the user Jenkins runs as)
export XDG_RUNTIME_DIR=/run/user/
/usr/bin/loginctl enable-linger
4) Set DOCKER_HOST to use the user podman socket
DOCKER_HOST=unix:///run/user//podman/podman.sock

[jenkins-infra-bot]

lnlrbr:

• Comment link
• Original comment link (no redirect)
• Raw content of original comment:

  Submitted patch for this issue: JENKINS-74995 Add rootless support #325
  

Submitted patch for this issue: #325