Thanks! That makes sense, and a welcome change to limit root access.
On Thu, Apr 16, 2020 at 2:46 PM Chris Lambertus <c...@apache.org> wrote:

> Specifically, docker on the websites node (and ONLY the websites node)
> now uses userns-remap to the jenkins UID so you no longer need to pass
> a -u 910:910 parameter to 'docker run'. Unfortunately, the nature of
> userns-remap means that if you DO specify -u 910:910, things fail in a
> weird way. Sorry about that, but we needed the docker daemon to not be
> able to arbitrarily write files as root, as it was causing problems.
> This is a change that will make its way to all the build nodes
> eventually.
>
> For normal docker builds, you don't need to specify anything. The
> default UID 0 mapping inside the container will now allow for the
> container to write to your jenkins workspace directory as the jenkins
> user. If you are specifying -u 910:910, remove that.
>
> If you are using the jenkins docker pipeline plugin, you will need to
> add "args '-u root'" to the dockerfile blocks of your jenkinsfile.
> (INFRA-20116)
>
> Technically speaking, these are the changes made:
>
> /etc/docker/daemon.json:
>
> {
>   "userns-remap": "jenkins"
> }
>
> cml@jenkins-websites-he-de:~$ cat /etc/subuid
> lxd:100000:65536
> root:100000:65536
> dockremap:165536:65536
> jenkins:910:1
> jenkins:165536:65536
>
> cml@jenkins-websites-he-de:~$ cat /etc/subgid
> lxd:100000:65536
> root:100000:65536
> dockremap:165536:65536
> jenkins:910:1
> jenkins:165536:65536
>
> -Chris
>
> > On Apr 16, 2020, at 2:30 PM, Udi Meiri <u...@apache.org> wrote:
> >
> > Hi,
> >
> > Could you share what changes were made?
> >
> > Beam is having issues since we use bind mounts to write output to
> > the host.
> > Setting UID:GID on the image gives permission errors in the
> > container when accessing the mount (can't write).
> > Not setting it causes files to be created with the wrong (root:root)
> > permissions, causing permission errors on the host (and having to
> > manually ssh into Jenkins machines to clear these files as root).
> >
> > On 2020/04/10 19:22:57, Chris Lambertus <c...@apache.org> wrote:
> >> All,
> >>
> >> Infra has implemented some permissions changes to the docker
> >> installation on the websites node, and all containers now map to
> >> the jenkins UID on the host. If you have specified a UID on the
> >> command line previously to avoid permissions issues, your build may
> >> now be broken. Please remove any docker run parameters you have
> >> which force a UID. The docker daemon will now ensure that files
> >> created on the host are owned by the jenkins user.
> >>
> >> If you continue to have docker build troubles after removing those
> >> parameters, please let us know.
> >>
> >> -Chris