Specifically, docker on the websites node (and ONLY the websites node) now uses 
userns-remap to the jenkins UID so you no longer need to pass a -u 910:910 
parameter to 'docker run'. Unfortunately, the nature of userns-remap means that 
if you DO specify -u 910:910, things fail in a weird way. Sorry about that, but 
we needed the docker daemon to not be able to arbitrarily write files as root, 
as it was causing problems. This is a change that will make its way to all the 
build nodes eventually.

For normal docker builds, you don’t need to specify anything. The default UID 0 
mapping inside the container will now allow for the container to write to your 
jenkins workspace directory as the jenkins user. If you are specifying -u 
910:910, remove that.

If you are using the jenkins docker pipeline plugin, you will need to add "args 
'-u root'" to the dockerfile blocks of your jenkinsfile. (INFRA-20116)

Technically speaking, these are the changes made:


/etc/docker/daemon.json:

{
  "userns-remap": "jenkins"
}


cml@jenkins-websites-he-de:~$ cat /etc/subuid
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536

cml@jenkins-websites-he-de:~$ cat /etc/subgid
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536



-Chris






> On Apr 16, 2020, at 2:30 PM, Udi Meiri <u...@apache.org> wrote:
> 
> Hi,
> 
> Could you share what changes were made?
> 
> Beam is having issues since we use bind mounts to write output to the host.
> Setting UID:GID on the image gives permission errors in the container when
> accessing the mount (can't write).
> Not setting it causes files to be created with the wrong (root:root)
> permissions, causing permission errors on the host (and having to manually
> ssh into Jenkins machines to clear these files as root).
> 
> On 2020/04/10 19:22:57, Chris Lambertus <c...@apache.org> wrote:
>> All,
>> 
>> Infra has implemented some permissions changes to the docker installation
>> on the websites node, and all containers now map to the jenkins UID on the
>> host. If you have specified a UID on the command line previously to avoid
>> permissions issues, your build may now be broken. Please remove any docker
>> run parameters you have which force a UID. The docker daemon will now
>> ensure that files created on the host are owned by the jenkins user.
>> 
>> If you continue to have docker build troubles after removing those
>> parameters, please let us know.
>> 
>> -Chris
>> 
>> 
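
Added example, not part of the original message or of Infra's tooling: a small parser that turns the /etc/subuid listing above into a container-to-host UID map, so you can see where container UID 0 and container UID 910 end up on the host. It assumes the daemon stacks the remap user's subordinate ranges in ascending order of host start, beginning at container ID 0; build_map and host_uid are hypothetical helper names.

```python
# Added illustration; the stacking rule below is an assumption about how
# the daemon consumes /etc/subuid, not something stated in the e-mail.
SUBUID = """\
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536
"""  # copied from the /etc/subuid listing in the message


def build_map(subuid_text, user):
    """Return [(container_start, host_start, length)] for `user`."""
    ranges = []
    for line in subuid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    mapping, next_cid = [], 0
    # Assumed rule: ranges are laid end to end from container ID 0.
    for host_start, length in sorted(ranges):
        mapping.append((next_cid, host_start, length))
        next_cid += length
    return mapping


def host_uid(mapping, container_uid):
    """Translate a container UID to the host UID, or None if unmapped."""
    for cid, hid, length in mapping:
        if cid <= container_uid < cid + length:
            return hid + (container_uid - cid)
    return None


if __name__ == "__main__":
    m = build_map(SUBUID, "jenkins")
    for uid in (0, 1, 910, 65536, 65537):
        print(f"container uid {uid:>5} -> host uid {host_uid(m, uid)}")
```

Under that assumption, container UID 0 is host UID 910 (jenkins), while a process started with -u 910:910 runs as a high, unprivileged host UID that does not own the workspace.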
