Your second image runs as root and its /etc/passwd matches what you were
seeing in your pipeline.

➭ docker run --entrypoint /bin/bash -ti kasproject/kas
root@ffa3dff671f9:/# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin



Vincent


On Tue, 15 Sept. 2020 at 10:49, iris Jasper Orschulko <
jasper.orschu...@irisgmbh.de> wrote:

> Hi Vincent,
>
> I am fairly certain that the images are identical, as I used the pod image
> from the Jenkins logs (jenkins/inbound-agent:4.3-4). The second image I
> used in the pipeline for the build process was
> https://hub.docker.com/r/kasproject/kas which also should have a non-root
> user (builder, uid 30000). I am not sure how Jenkins handles the
> containerisation, but unless there is some magic in the background I do not
> understand, it should be one of those images.
>
> Best regards
>
> Kind regards
>
> Jasper Orschulko
> Build and Configuration Manager
>
> Tel. +49 30 58 58 14 265
> Fax +49 30 58 58 14 999
> jasper.orschu...@irisgmbh.de
>
> • • • • • • • • • • • • • • • • • • • • • • • • • •
>
> iris-GmbH
> infrared & intelligent sensors
> Ostendstraße 1-14 | 12459 Berlin
>
> Managing Directors
> M.-O. Brammann | R. Bönick | A. Thun
> Amtsgericht Berlin-Charlottenburg
> HRB 41 448 | VAT ID No. DE 137228225
>
> www.irisgmbh.de
>
>
> ------------------------------
> *From:* jenkinsci-users@googlegroups.com [jenkinsci-users@googlegroups.com]
> on behalf of Vincent Latombe [vincent.lato...@gmail.com]
> *Sent:* Friday, September 11, 2020 11:50 AM
> *To:* Jenkins Users
> *Subject:* Re: Kubernetes Plugin: How to run commands within agent
> container as non-root?
>
> > [Pipeline] container
>
> What is your container definition? I really doubt it is the same image as
> what you're running through docker CLI.
>
> Vincent
>
>
> On Thu, 10 Sept. 2020 at 19:59, iris Jasper Orschulko <
> jasper.orschu...@irisgmbh.de> wrote:
>
>> I am trying to run a Pipeline in a Kubernetes agent, which needs to
>> execute commands as non-root user. So I tried setting the securityContext
>> of the Pod to 1000 (the default jenkins user) as described here:
>> https://plugins.jenkins.io/kubernetes/. However, the user does not exist
>> in the container within Kubernetes:
>>
>> [Pipeline] {
>> [Pipeline] stage
>> [Pipeline] { (Yocto Build)
>> [Pipeline] container
>> [Pipeline] {
>> [Pipeline] script
>> [Pipeline] {
>> [Pipeline] sh
>>
>> + set -ex
>> + cat /etc/passwd
>> root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
>> bin:x:2:2:bin:/bin:/usr/sbin/nologin
>> sys:x:3:3:sys:/dev:/usr/sbin/nologin
>> sync:x:4:65534:sync:/bin:/bin/sync
>> games:x:5:60:games:/usr/games:/usr/sbin/nologin
>> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
>> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
>> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
>> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
>> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
>> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
>> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
>> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
>> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>> _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
>>
>> However, when running the same image (jenkins/inbound-agent:4.3-4) in
>> docker directly, there is a jenkins user:
>>
>> sudo docker run -it --rm jenkins/inbound-agent:4.3-4 bash
>> jenkins@255a3961e41e:~$ cat /etc/passwd
>> root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
>> bin:x:2:2:bin:/bin:/usr/sbin/nologin
>> sys:x:3:3:sys:/dev:/usr/sbin/nologin
>> sync:x:4:65534:sync:/bin:/bin/sync
>> games:x:5:60:games:/usr/games:/usr/sbin/nologin
>> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
>> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
>> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
>> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
>> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
>> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
>> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
>> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>> irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
>> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>> _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
>> jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh
>>
>> Any ideas why this might be the case? Is this intentional? If so, what
>> would be the right way to run the container as non-root?
>>
>> Best regards
>>
>> Kind regards
>>
>> Jasper Orschulko
>> Build and Configuration Manager
>>
>> Tel. +49 30 58 58 14 265
>> Fax +49 30 58 58 14 999
>> jasper.orschu...@irisgmbh.de
>>
>> • • • • • • • • • • • • • • • • • • • • • • • • • •
>>
>> iris-GmbH
>> infrared & intelligent sensors
>> Ostendstraße 1-14 | 12459 Berlin
>>
>> Managing Directors
>> M.-O. Brammann | R. Bönick | A. Thun
>> Amtsgericht Berlin-Charlottenburg
>> HRB 41 448 | VAT ID No. DE 137228225
>>
>> www.irisgmbh.de
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to jenkinsci-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-users/38B822B13B092D4C832A97382607EFDF07CF24E0%40ERDE.irisgmbh.local
>> .
>>
>
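
Added example, not part of any message in this thread: the comparison Vincent makes by eye, written as a small Python script. It matches the `/etc/passwd` printed by the pipeline step against the listings of the two images and looks up UID 1000 in each; the embedded listings are abridged from the ones quoted in the thread, and the function names are hypothetical.

```python
# Added example. Sample data is abridged from the listings quoted in the thread.

def parse_passwd(text):
    """Return {uid: name} from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # e.g. an entry split in two by mail line wrapping
        users[int(fields[2])] = fields[0]
    return users

def match_image(observed, candidates):
    """Names of candidate images whose user table equals the observed one."""
    seen = parse_passwd(observed)
    return [img for img, text in candidates.items() if parse_passwd(text) == seen]

def resolve(uid, passwd_text):
    """User name for uid in this image, or None if the uid has no entry."""
    return parse_passwd(passwd_text).get(uid)

COMMON = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
    "_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n"
)
IMAGES = {
    "jenkins/inbound-agent:4.3-4":
        COMMON + "jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh\n",
    "kasproject/kas": COMMON,
}
# What `cat /etc/passwd` printed inside the pipeline's container step.
PIPELINE_OUTPUT = COMMON

def report(run_as_user=1000):
    """Which image the step ran in, and who run_as_user is in each image."""
    source = match_image(PIPELINE_OUTPUT, IMAGES)
    names = {img: resolve(run_as_user, text) for img, text in IMAGES.items()}
    return source, names

if __name__ == "__main__":
    source, names = report()
    print("pipeline step ran in:", source)
    for img, name in names.items():
        print(f"uid 1000 in {img}: {name or 'no passwd entry'}")
```
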
