NBjXvmXytwOAArTYRbLzdrQJ Posted June 28, 2022 (edited)

I'm running a Jenkins server for CI/CD in a Docker container based on Alpine. The Jenkins Docker image runs processes as 1000, which conflicts with my users. I take that as a base for my own image to add other stuff I need, so in my image I use usermod and such to change the "jenkins" user to 1006, which won't conflict with my users. I also create a group jenkins-data-users with gid=2000 and assign that as the primary group for jenkins.

On my Unraid host, I have the jenkins-data-users group with gid=2000, and uid 1006 is jenkins-docker. I have added myself ("paddy" in the listings below) to the jenkins-data-users group. And if it matters, I'm not even sure how to log into the console in Unraid as "myself"; I only log in as root. So when I access the various folders as myself, I'm accessing them through the Unraid shares from a Windows machine.

I use a bind mount to point /var/jenkins_home to /mnt/user/appdata/jenkins. I have another set up for /deploymentBackups in the container, pointed to /mnt/user/appdata/jenkinsDeploymentBackups. Finally, I have a third, with /deployments/offsiteBackup pointed to /mnt/user/appdata/offsiteBackup.

User setup on host:

    paddy:x:1001:100::/:/bin/false
    jenkins-docker:x:1006:100:Jenkins docker runner for access to bind-mounts:/:/bin/false

User setup in container:

    jenkins:x:1006:2000:Linux User,,,:/var/jenkins_home:/bin/bash

Group setup on host:

    jenkins-data-users:x:2000:paddy,jenkins-docker

Group setup in container:

    jenkins:x:1000:jenkins
    jenkins-data-users:x:2000:

Folder setups from the host:

    drwxr-----  1 jenkins-docker jenkins-data-users 1268 Jun 27 23:45 jenkins
    drwxrw----  1 paddy          jenkins-data-users    0 Jun 26 04:49 jenkinsDeploymentBackups
    drwxrwxrwx  1 paddy          jenkins-data-users  210 Jun 27 16:24 offsiteBackup

Folder setups in the container:

    drwxrw----  1 1001 jenkins-data-users   0 Jun 26 04:49 deploymentBackups
    drwxr-xr-x  1 root root                26 Jun 27 23:53 deployments
    drwxrwxrwx  1 1001 jenkins-data-users 210 Jun 27 16:24 deployments/offsiteBackup

The idea is that Jenkins writes its data to the jenkins folder, but I need access to back it up, so I, as a member of the data users group, have read rights. I own the other two folders and Jenkins just writes to them. deploymentBackups is debatable, because in the happy path it's only used for Jenkins to back up whatever is currently in the deployment path so that it won't be overwritten. But Jenkins definitely shouldn't own the offsiteBackup deployment path, as all it is ever doing is pushing a new version. I maintain configuration and whatever else needs doing there, so I own that.

And, at all costs, I DON'T want to rebuild the base Docker image. I want to always be able to pull latest from docker up as my base, instead of having to grab their latest Dockerfile and look for changes. (Obviously with the caveat that if they ever change their user setup, my extension image is going to barf anyway.)

But this isn't working. As myself (again, via an Unraid share) I can't see anything inside the jenkins folder. I can see and manipulate the offsiteBackup folder, and Jenkins in the container can see and read files I drop there, but I can't read anything new it creates there. And I get invalid operation errors if container Jenkins tries to change ownership of what it creates, and I don't know if that is because of a lack of permissions or a limitation of Alpine. And container Jenkins can't cd into deploymentBackups or create anything at all there. I can create something and container Jenkins can see it via dir, but it can't view permissions, timestamp, etc.; it's just ???? other than the name.

What am I doing wrong?

This is sandbox/learning for me, so I'm less concerned with whether I SHOULD be doing something than I am about HOW I can do what I want. For instance, I probably shouldn't have write rights to the deployment folder once CI/CD is dropping files, and all manipulation should go through source control. But if I can ever get it working the way I want, it will be trivial to "break" it later and secure it, whereas if I can't set it up insecure now, then I'll never know what it is that's actually making it secure.

Edited June 28, 2022 by NBjXvmXytwOAArTYRbLzdrQJ
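The post hinges on how the kernel evaluates the owner/group/other bits for a given uid and set of gids on a bind-mounted directory, and in particular on what happens when a directory carries r or w but not x. The script below is an added example, not part of the original post and not anything from the Jenkins or Unraid projects: it models the POSIX discretionary access check for directories in plain sh and runs it over the exact uid/gid numbers and mode strings from the listings above (paddy = 1001, jenkins-docker / container "jenkins" = 1006, jenkins-data-users = 2000). The function names (`can`, `dir_summary`) and the sample table are constructed for the example; nothing here touches the real filesystem, so it runs anywhere without Docker.

```shell
#!/bin/sh
# Added example: pure-shell model of the POSIX permission check for directories.
# Rule the kernel applies: pick exactly ONE class (owner if uid matches, else
# group if any gid matches, else other) and use only that class's bits. A group
# member whose group bits deny access never falls back to the "other" bits.
# uid/gid values mirror the forum post; function names are constructed here.

# perm_class MODE CLASS -> the 3-char triplet (u, g or o) from a string like "drwxr-----"
perm_class() {
    case $2 in
        u) printf '%s' "$1" | cut -c2-4 ;;
        g) printf '%s' "$1" | cut -c5-7 ;;
        o) printf '%s' "$1" | cut -c8-10 ;;
    esac
}

# in_groups GID "GID GID ..." -> 0 if GID is in the space-separated list
in_groups() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# can MODE OWNER_UID OWNER_GID UID "GIDS" r|w|x -> 0 if that bit is granted.
# Root (CAP_DAC_OVERRIDE) always passes for directories. The execute position may
# show 's' or 't' in ls output (setgid/sticky with x set); those still grant x.
can() {
    mode=$1; ouid=$2; ogid=$3; uid=$4; gids=$5; want=$6
    [ "$uid" = 0 ] && return 0
    if [ "$uid" = "$ouid" ]; then cls=u
    elif in_groups "$ogid" "$gids"; then cls=g
    else cls=o
    fi
    trip=$(perm_class "$mode" "$cls")
    case $want in
        r) [ "$(printf '%s' "$trip" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$trip" | cut -c2)" = w ] ;;
        x) case $(printf '%s' "$trip" | cut -c3) in x|s|t) return 0 ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# dir_summary NAME MODE OWNER_UID OWNER_GID UID "GIDS" -> "rwx"-style string of granted bits
dir_summary() {
    s=""
    for b in r w x; do
        if can "$2" "$3" "$4" "$5" "$6" "$b"; then s="$s$b"; else s="$s-"; fi
    done
    printf '%s' "$s"
}

# Constructed sample: the directories from the post, each evaluated for the
# principal that was actually trying to use it. paddy's host gids are 100 (primary)
# plus 2000 (supplementary); the container's jenkins user has primary gid 2000.
demo() {
    printf '%-34s %s\n' "jenkins            as paddy (1001)" \
        "$(dir_summary jenkins           drwxr----- 1006 2000 1001 "100 2000")"
    printf '%-34s %s\n' "deploymentBackups  as jenkins (1006)" \
        "$(dir_summary deploymentBackups drwxrw---- 1001 2000 1006 "2000")"
    printf '%-34s %s\n' "offsiteBackup      as jenkins (1006)" \
        "$(dir_summary offsiteBackup     drwxrwxrwx 1001 2000 1006 "2000")"
    # Candidate fix for a shared drop directory: 2770 (drwxrws---). Owner and the
    # data-users group get full access, setgid makes new entries inherit gid 2000,
    # and nobody else gets anything.
    printf '%-34s %s\n' "deploymentBackups  after chmod 2770" \
        "$(dir_summary deploymentBackups drwxrws--- 1001 2000 1006 "2000")"
}

demo
```

Reading the output against the symptoms in the post: a directory with r but no x lets you read the entry names (`ls`/`dir` shows them) but not look up any entry, so `stat` on each child fails and the listing degrades to ???? placeholders; creating a file needs both w and x on the directory, so drwxrw---- blocks creation even for a group member with write. The same evaluation applies to an SMB share, since smbd performs the file operations as the uid and gids the share maps the connecting user to. The model covers only the kernel's mode-bit check; it says nothing about what a newly created file's mode will be, which is decided by the creating process's umask, or about ACLs.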