JENKINS-74995 Add rootless support #325
Conversation
|
+1 |
|
Does anyone have an update on whether this pull request will be reviewed and merged to add support for a rootless Docker setup ? |
|
While replacing Docker with Podman in our CI, the Docker Workflow plugin would hang trying to start the first process inside the container. As you said, adding |
|
Exactly what we needed for docker rootless, thank you 🙏 Tested and validated :) |
|
@jglick any chance to have a look? |
|
@sschuberth no, I am not maintaining this plugin. In general, if it does not perfectly fit your needs the first time you try to use it, and every time thereafter, just do not use it. Run |
…ces in workspace path (jenkinsci#326)
Co-authored-by: Mark <[email protected]>
Bumps [org.jenkins-ci.plugins:plugin](https://github.com/jenkinsci/plugin-pom) from 5.5 to 5.7. - [Release notes](https://github.com/jenkinsci/plugin-pom/releases) - [Changelog](https://github.com/jenkinsci/plugin-pom/blob/master/CHANGELOG.md) - [Commits](jenkinsci/plugin-pom@plugin-5.5...plugin-5.7) --- updated-dependencies: - dependency-name: org.jenkins-ci.plugins:plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The plugin BOM agents seem to have the `docker` command available but the user running the agent is not authorized to use the `docker` command. Previously that was detected by calling `docker ps` and detecting the failure. Restores a change made in * jenkinsci#331 Testing done Confirmed that I could see the same failure on a local computer as is seen on https://ci.jenkins.io/job/Tools/job/bom/job/master/3968/testReport/org.jenkinsci.plugins.docker.workflow/DockerDSLTest/ The computer had Docker CE installed by the specific user running the test did not have permission to access Docker. Prior to this change, the tests failed with the message: CANNOT CONNECT TO THE DOCKER DAEMON AT UNIX:///VAR/RUN/DOCKER.SOCK. IS THE DOCKER DAEMON RUNNING? After making this change, the tests pass on that computer with the specific user that does not have permission to access Docker.
….password` are set
…88.v7fe26526366e (jenkinsci#345) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [org.jenkins-ci.plugins:plugin](https://github.com/jenkinsci/plugin-pom) from 5.9 to 5.12. - [Release notes](https://github.com/jenkinsci/plugin-pom/releases) - [Changelog](https://github.com/jenkinsci/plugin-pom/blob/master/CHANGELOG.md) - [Commits](jenkinsci/plugin-pom@plugin-5.9...plugin-5.12) --- updated-dependencies: - dependency-name: org.jenkins-ci.plugins:plugin dependency-version: '5.12' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
….v6ffa_18d90c9f (jenkinsci#356) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Remove UID:GID in rootless mode
|
@jglick: Asking thousands of users to update all their pipelines is simply not feasible. This plugin has become the de facto standard across many organizations. However, its current implementation grants excessive privileges, raising serious security concerns for the CI environment. For instance, as it stands, any user can mount the host’s /etc directory as a volume with full read/write access. The proposed change eliminates this vulnerability. |
|
We would also greatly appreciate if we could continue using this plugin in our company after switching to rootless Docker. @lnlrbr some tests seem to be failing, is this an issue of the CI or is there something left to do? @jglick i fail to understand your point. Almost anything can also be done with CLI commands but as we all know, the devil lies in the details, so getting it right is not as easy as it sounds in the first place. Apparently you were contributing to this plugin, but if this is not the case anymore, maybe @basil or @dwnusbaum can help out (i just tried to find some contributors based on merged PRs)? |
Exactly. And a prepackaged version purporting to support everyone’s use cases perfectly is far harder.
I would not count on it. |
I would agree if this was about some additional niche feature, but adapting to an improvement of the underlying tool does not fall into this category. |
|
@petermbauer I've tried to rebase my fork from the base branch but for some reasons Github doesn't like it. At the same time, if proposals are not even considered and are treated with contempt, why bother? |
|
If someone would like to adopt the plugin, nobody is stopping you. This would mean committing to maintaining it: triaging issues and PRs, understanding the broad range of potential use cases that people have tried over the years that must be maintained for compatibility, testing routinely on different platforms which are not friendly to the sort of automated tests we can run on ci.jenkins.io, etc. |
12 participants
Resolve problem described in [JENKINS-74995].
Summary: It's not possible to use rootless mode with the actual implementation as the plugin retrieves the user (agent) UID:GID via the 'id' command and the returned value is not the one expected in a rootless environment (i.e. "0:0"), so builds fail.
The provided change adds a test to look if we are in a rootless environment and returns the relevant value if needed.
Testing done
Tests were done with builds executed on two Linux nodes, one configured with Docker rootless mode and the other with Podman.
The pipelines include a 'docker' and a 'dockerfile' agent section.
There is some write access in the "build" stage to the mounted workspace.
If builds are done with the not modified plugin, the run part is done under the current (jenkins) user '-u 1001:1001', and builds can failed for not enough permissions on mounted volumes, or can lead to files owned to root inside the workspaces.
With builds done with the modified plugin, if a rootless environment is detected, the docker run part is done with the user parameter set to '-u 0:0'.
Submitter checklist