2

In the Dockerfile below, the base image (jenkins/jenkins) provides a user jenkins with UID 1000 and GID 1000 within the container.

FROM jenkins/jenkins

# Install some base packages

# Use non-privileged user provided by base image (UID 1000 and GID 1000).
# Dockerfile has no inline comments, so the note sits on its own line.
USER jenkins

# Copy plugins and other stuff

On the docker host (EC2 instance), we also have the same UID and GID created,

$ groupadd -g 1000 jenkins
$ useradd -u 1000 -g jenkins jenkins
$ mkdir -p /abc/home_folder_for_jenkins
$ chown -R jenkins:jenkins /abc/home_folder_for_jenkins

to make sure the container can write files to /abc/home_folder_for_jenkins on the EC2 instance.


Another aspect we need to take care of on the same EC2 instance is to run containers (other than the one above) in non-privileged mode.

So the following configuration is performed on the docker host (EC2):

$ echo dockremap:165536:65536 > /etc/subuid
$ echo dockremap:165536:65536 > /etc/subgid
$ echo '{"debug":true, "userns-remap":"default"}' > /etc/docker/daemon.json

This dockremap configuration does not allow jenkins to start, and the docker container goes into the Exited state:

$ ls -l /abc/home_folder_for_jenkins
total 0

After removing the docker remap configuration, everything works fine.


Why does the dockremap configuration not allow the jenkins container to run as the jenkins user?

overexchange
  • Since NS are used, UID 1000 on the host is not the same as UID 1000 in your running container. Try opening a shell in your container using `docker run` or `docker exec` and run your `chown` command from inside the container. You may then check ownership again from the host system and you'll see that the owner is not 1000. – Stéphane C. Jun 16 '20 at 06:43

2 Answers

2

I'm actually fighting with this because it seems not very portable, but this is the best I found. As said above, on your docker host the UID/GID are the ones from the container + the value in /etc/subuid & /etc/subgid. So your "container root" is 165536 on your host, and your user jenkins is 166536 (165536 + 1000).

To come back to your example, what you need to do is:

$ mkdir -p /abc/home_folder_for_jenkins
$ chown -R 166536:166536 /abc/home_folder_for_jenkins
  • Nope, it's not working... the jenkins container is not able to write in `/abc/home_folder_for_jenkins` – overexchange Feb 21 '20 at 00:43
  • What is the owner of the Jenkins process **from the host**? (something like `ps aux | grep -i jenkins`) – Stephane S. Feb 21 '20 at 11:11
  • The Jenkins container is going into an `Exited` state in seconds, so I could not `ps aux`. Once I remove the user namespace configuration, everything works fine. – overexchange Feb 21 '20 at 11:42
1

User namespaces offset the UID/GID of the user inside the container, and of any files inside the container. There is no mapping from the UID/GID inside the container to the external host UID/GID (that would defeat the purpose). Therefore, you would need to offset the UID/GID of the directory being created, or just use a named volume and let docker handle this for you. I believe that the UID/GID on the host would be 166536 (165536 + 1000) (I may have an off-by-one in there, so try opening the directory permissions if this still fails and see what gets created).

BMitch