I'm running a jenkins server for ci/cd in a docker container based on alpine. The jenkins docker runs processes as 1000, which conflicts with my users. I take that as a base for my own image to add other stuff I need, so in my image I use usermod and such to change the "jenkins" user to 1006, which won't conflict with my users. I also create a group jenkins-data-users with gid=2000 and assign that as the primary group for jenkins.
On my unraid host, I have the jenkins-data-users group with gid=2000 and uid 1006 is jenkins-docker. I have added myself ("paddy" in the listings below) to the jenkins-data-users group. And if it matters, I'm not even sure how to log into the console in unraid as "myself", I only log in as root. So when I access the various folders as myself, I'm accessing them through the unraid shares from a windows machine.
I use bind-mount to point /var/jenkins_home to /mnt/user/appdata/jenkins.
I have another set up for /deploymentBackups in the container pointed to /mnt/user/appdata/jenkinsDeploymentBackups.
Finally, I have a third with /deployments/offsiteBackup pointed to /mnt/user/appdata/offsiteBackup.
User setup on host:
paddy:x:1001:100::/:/bin/false
jenkins-docker:x:1006:100:Jenkins docker runner for access to bind-mounts:/:/bin/false
user setup in container:
jenkins:x:1006:2000:Linux User,,,:/var/jenkins_home:/bin/bash
group setup on host:
jenkins-data-users:x:2000:paddy,jenkins-docker
group setup in container:
jenkins:x:1000:jenkins
jenkins-data-users:x:2000:
Folder setups from the host:
drwxr----- 1 jenkins-docker jenkins-data-users 1268 Jun 27 23:45 jenkins
drwxrw---- 1 paddy jenkins-data-users 0 Jun 26 04:49 jenkinsDeploymentBackups
drwxrwxrwx 1 paddy jenkins-data-users 210 Jun 27 16:24 offsiteBackup
Folder setups in the container:
drwxrw---- 1 1001 jenkins-data-users 0 Jun 26 04:49 deploymentBackups
drwxr-xr-x 1 root root 26 Jun 27 23:53 deployments
drwxrwxrwx 1 1001 jenkins-data-users 210 Jun 27 16:24 deployments/offsiteBackup
The idea is that jenkins writes its data to the jenkins folder, but I need access to back it up, so I, as a member of the data users group, have read rights. I own the other two folders and jenkins just writes to them. deploymentBackups is debatable, because in the happy path it's only used for jenkins to back up whatever is currently in the deployment path so that it won't be overwritten. But jenkins definitely shouldn't own the offsiteBackups deployment path, as all it is ever doing is pushing a new version. I maintain configuration and whatever else needs doing there, so I own that.
And, at all costs, I DON'T want to rebuild the base docker image. I want to always be able to pull latest from Docker Hub as my base, instead of having to grab their latest dockerfile and look for changes. (Obviously with the caveat that if they ever change their user setup, my extension image is going to barf anyway.)
But this isn't working.
As myself (again, via an unraid share) I can't see anything inside the jenkins folder.
I can see and manipulate the offsiteBackup folder, and jenkins in the container can see and read files I drop there, but I can't read anything new it creates there. And I get invalid operation errors if container jenkins tries to change ownership of what it creates, and I don't know if that is because of a lack of permissions, or a limitation of alpine.
And container jenkins can't cd into deploymentBackups or create anything at all there. I can create something and container jenkins can see it via dir, but it can't view permissions, timestamp, etc, it's just ???? other than the name.
What am I doing wrong? This is sandbox/learning for me, so I'm less concerned with whether I SHOULD be doing something than I am about HOW I can do what I want. For instance, I probably shouldn't have write rights to the deployment folder once ci/cd is dropping files, and all manipulation should go through source control. But if I can ever get it working the way I want, it will be trivial to "break" it later and secure it, whereas if I can't set it up insecure now, then I'll never know what it is that's actually making it secure.
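An added illustration, not part of the original post: the script below evaluates the plain POSIX owner/group/other bits for the three directories exactly as listed on the host, once for "paddy" (uid 1001, groups 100 and 2000) and once for the container's jenkins user (uid 1006, primary gid 2000, supplementary gid 1000). It only models what the kernel's discretionary access check does inside the container; it says nothing about what the unraid share layer adds on top. The uids, gids and mode strings are copied from the listings in the post, and the table of directories is constructed from them. The main thing it shows is that on a directory the x bit, not r or w, is what allows cd, stat and create, which is why a group triplet of rw- lets a user list names but get nothing else (the ???? in ls).

```sh
#!/bin/sh
# Classic POSIX discretionary access check for a single path.
# Exactly one class is selected: owner if uid matches, otherwise group if
# any of the caller's gids matches, otherwise other. There is no fallthrough,
# so an owner with "---" is denied even if the group triplet is "rwx".
# Root (uid 0) is not special-cased here; the kernel grants it via CAP_DAC_OVERRIDE.
#
# effective_perms <uid> "<gid list>" <owner_uid> <group_gid> <ls mode string>
# Prints the three characters (e.g. "rw-") that apply to that identity.
effective_perms() {
    uid=$1 gids=$2 owner=$3 group=$4 mode=$5
    if [ "$uid" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4      # owner triplet
        return
    fi
    for g in $gids; do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$mode" | cut -c5-7  # group triplet
            return
        fi
    done
    printf '%s\n' "$mode" | cut -c8-10         # other triplet
}

# perm_check <uid> "<gid list>" <owner_uid> <group_gid> <mode> <r|w|x>
# Exit 0 if the single requested permission is granted, 1 if denied.
# On a directory: r = list entry names, x = traverse/cd/stat entries,
# w+x together = create, rename or delete entries.
perm_check() {
    triplet=$(effective_perms "$1" "$2" "$3" "$4" "$5")
    case "$6" in
        r) [ "$(printf '%s' "$triplet" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$triplet" | cut -c2)" = w ] ;;
        x) [ "$(printf '%s' "$triplet" | cut -c3)" = x ] ;;
        *) return 2 ;;
    esac
}

# Constructed from the host listings in the post: name owner_uid group_gid mode.
printf '%s\n' \
    'jenkins 1006 2000 drwxr-----' \
    'jenkinsDeploymentBackups 1001 2000 drwxrw----' \
    'offsiteBackup 1001 2000 drwxrwxrwx' |
while read -r name owner group mode; do
    p=$(effective_perms 1001 '100 2000' "$owner" "$group" "$mode")   # paddy on the host
    j=$(effective_perms 1006 '2000 1000' "$owner" "$group" "$mode")  # jenkins in the container
    note=""
    case "$j" in *x) ;; *) note=" (jenkins: no x, cannot cd/stat/create)" ;; esac
    printf '%-26s paddy=%s jenkins=%s%s\n' "$name" "$p" "$j" "$note"
done
```

Run it as-is with sh; the table it prints lines up with the symptoms in the post: the group triplet on jenkinsDeploymentBackups is rw-, so jenkins can read the entry names but cannot enter the directory or create anything in it, and on the jenkins directory the group gets r-- only, so a group member can list names but not enter.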