Specifically, docker on the websites node (and ONLY the websites node) now uses userns-remap to the jenkins UID so you no longer need to pass a -u 910:910 parameter to 'docker run'. Unfortunately, the nature of userns-remap means that if you DO specify -u 910:910, things fail in a weird way. Sorry about that, but we needed the docker daemon to not be able to arbitrarily write files as root, as it was causing problems. This is a change that will make its way to all the build nodes eventually.
For normal docker builds, you don’t need to specify anything. The default UID 0 mapping inside the container will now allow for the container to write to your jenkins workspace directory as the jenkins user. If you are specifying -u 910:910, remove that. If you are using the jenkins docker pipeline plugin, you will need to add "args '-u root'" to the dockerfile blocks of your jenkinsfile. (INFRA-20116)

Technically speaking, these are the changes made:

/etc/docker/daemon.json:
{
  "userns-remap": "jenkins"
}

cml@jenkins-websites-he-de:~$ cat /etc/subuid
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536

cml@jenkins-websites-he-de:~$ cat /etc/subgid
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536

-Chris

> On Apr 16, 2020, at 2:30 PM, Udi Meiri <u...@apache.org> wrote:
>
> Hi,
>
> Could you share what changes were made?
>
> Beam is having issues since we use bind mounts to write output to the host.
> Setting UID:GID on the image gives permission errors in the container when
> accessing the mount (can't write).
> Not setting it causes files to be created with the wrong (root:root)
> permissions, causing permission errors on the host (and having to manually
> ssh into Jenkins machines to clear these files as root).
>
> On 2020/04/10 19:22:57, Chris Lambertus <c...@apache.org> wrote:
>> All,
>>
>> Infra has implemented some permissions changes to the docker installation
>> on the websites node, and all containers now map to the jenkins UID on the
>> host. If you have specified a UID on the command line previously to avoid
>> permissions issues, your build may now be broken. Please remove any docker
>> run parameters you have which force a UID. The docker daemon will now
>> ensure that files created on the host are owned by the jenkins user.
>>
>> If you continue to have docker build troubles after removing those
>> parameters, please let us know.
>>
>> -Chris
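
Added example, not part of the original thread or of Infra's own tooling: a small resolver that turns the /etc/subuid entries quoted above into a container-to-host UID map, so you can see which host UID a given in-container UID lands on. It assumes the ranges listed for the remap user are laid end to end in file order starting at container ID 0; the function names are hypothetical.

```python
"""Resolve container UIDs to host UIDs for a userns-remap user (added example)."""

# Constructed sample: the /etc/subuid contents quoted in the message above.
SUBUID = """\
lxd:100000:65536
root:100000:65536
dockremap:165536:65536
jenkins:910:1
jenkins:165536:65536
"""


def build_id_map(subid_text, user):
    """Return [(container_start, host_start, length), ...] for `user`.

    Assumption: the remap user's ranges are concatenated in file order,
    with the first range starting at container ID 0.
    """
    id_map = []
    next_container_id = 0
    for line in subid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, length = line.split(":")
        if name != user:
            continue
        id_map.append((next_container_id, int(start), int(length)))
        next_container_id += int(length)
    return id_map


def to_host_id(id_map, container_id):
    """Translate a container ID to its host ID, or None if it is unmapped."""
    for container_start, host_start, length in id_map:
        if container_start <= container_id < container_start + length:
            return host_start + (container_id - container_start)
    return None


if __name__ == "__main__":
    jenkins_map = build_id_map(SUBUID, "jenkins")
    # UID 0 is the container default; 910 is what "-u 910:910" requests.
    for uid in (0, 1, 910, 65536, 65537):
        print(f"container uid {uid:>5} -> host uid {to_host_id(jenkins_map, uid)}")
```

Under that assumption, container UID 0 resolves to host UID 910 (jenkins), while container UID 910 resolves to a subordinate host UID that does not own the workspace. The same functions work on the /etc/subgid contents.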