Specifically, docker on the websites node (and ONLY the websites node) now uses
userns-remap to the jenkins UID so you no longer need to pass a -u 910:910
parameter to 'docker run’. Unfortunately, the nature of userns-remap means that
if you DO specify -u 910:910, things fail in a weird way. Sorry about that, but
we needed the docker daemon to not be able to arbitrarily write files as root,
as it was causing problems. This is a change that will make its way to all the
build nodes eventually.
For normal docker builds, you don’t need to specify anything. The default UID 0
mapping inside the container will now allow for the container to write to your
jenkins workspace directory as the jenkins user. If you are specifying -u
910:910, remove that.
If you are using the jenkins docker pipeline plugin, you will need to add "args
'-u root’” to the dockerfile blocks of your jenkinsfile. (INFRA-20116)
Technically speaking, these are the changes made:
/etc/docker/daemon.json:
{
"userns-remap": "jenkins"
}
cml@jenkins-websites-he-de:~$ cat /etc/subuid
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536
cml@jenkins-websites-he-de:~$ cat /etc/subgid
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536
-Chris
> On Apr 16, 2020, at 2:30 PM, Udi Meiri <u...@apache.org> wrote:
>
> Hi,
>
> Could you share what changes were made?
>
> Beam is having issues since we use bind mounts to write output to the host.
> Setting UID:GID on the image gives permission errors in the container when
> accessing the mount (can't write).
> Not setting it causes files to be created with the wrong (root:root)
> permissions, causing permission errors on the host (and having to manually
> ssh into Jenkins machines to clear these files as root).
>
> On 2020/04/10 19:22:57, Chris Lambertus <c...@apache.org> wrote:
>> All,>
>>
>> Infra has implemented some permissions changes to the docker installation
> on the websites node, and all containers now map to the jenkins UID on the
> host. If you have specified a UID on the command line previously to avoid
> permissions issues, your build may now be broken. Please remove any docker
> run parameters you have which force a UID. The docker daemon will now
> ensure that files created on the host are owned by the jenkins user.>
>>
>> If you continue to have docker build troubles after removing those
> parameters, please let us know.>
>>
>> -Chris>
>>
>>
