[Fuego] [PATCH 1/1] Remove jenkins user created during build time with host's uid/gid

Tim.Bird at sony.com Tim.Bird at sony.com
Thu Feb 1 00:15:18 UTC 2018


OK - I tried this, using my fuego-clean-install.sh script, and got the following result:

%% in front of lines from my test script:
...
Step 28/29 : COPY setup/entrypoint.sh /
 ---> 9afcd663976c
Removing intermediate container 9f4e60feccc1
Step 29/29 : ENTRYPOINT /entrypoint.sh
 ---> Running in 886672f5f6e4
 ---> 4a7cf228d727
Removing intermediate container 886672f5f6e4
[Warning] One or more build-args [http_proxy https_proxy] were not consumed
Successfully built 4a7cf228d727
Successfully tagged fuego-131:latest
%%+ cd fuego-host-scripts
%%+ ./docker-create-usb-privileged-container.sh fuego-131 fuego-131-container
%%b5f33ad097df02131acd8765423a7a54fd6fb553f23bc86f136bcc165091d85f
%%+ cd ../..
%%+ sudo service netperf stop
%% * Stopping network benchmark server                                                                                                   [fail] 
%%+ set +x
%%After the container starts, run
%%    'fuego-finish-install.sh fuego-131-container' to finish the installation
%%and start tests.
%%Also, You may want to edit ~/bin/fuego-start to use the
%%   container name: fuego-131-container
Starting Fuego container (fuego-131-container)
Remapping Fuego's jenkins uid=107 to uid=0...
usermod: UID '0' already exists
Please create Fuego docker container via docker-create-container.sh script
1000072457 at tlinux:~/work/fuego/next-2018-01-31$

-------
I'm going to try it manually to see if there is something about my test script
that is causing the UID at the time the entrypoint.sh is called to be 0.

I'm about to start work on refactoring this script with a sed line to hard-code
the host uid of the building user (or maybe read it from a configuration file
in /fuego-ro/conf).

Let me know if you see something obvious that's wrong with my startup sequence.

Did this work for you?
 -- Tim


> -----Original Message-----
> From: Guilherme Campos Camargo
> Sent: Wednesday, January 31, 2018 7:23 AM
> To: fuego at lists.linuxfoundation.org
> Subject: [Fuego] [PATCH 1/1] Remove jenkins user created during build time
> with host's uid/gid
> 
> Prior to this patch, the fuego-host-scripts/docker-build-image.sh script
> was calling docker build passing two `build-arg`s: uid/gid. According to
> the comments in the code, it seems that the intention was to make sure
> that the jenkins user (needed by Jenkins) would have the same uid/gid as
> the user of the host that has called the install script.
> 
> Given that the uid/gid of the jenkins user was being set at build time,
> the generated image would be configured only for the machine where it's
> built, which would prevent jenkins from changing files in the /fuego-rw
> mountpoint on different hosts.
> 
> One approach for allowing jenkins to write to fuego-rw is to chown
> /fuego-rw and its pre-existing subdirectories during execution time,
> which can be done in a docker entrypoint script. That approach per se
> solves the problem, by allowing jenkins to write to the mount point, but
> generates a side-effect: the user on the host machine will be able to
> inspect, but will not be able to delete/modify the files created by
> jenkins (unless it forces it as root).
> 
> Another approach would be to change the uid and the gid of the jenkins
> user in the first execution, (first call to docker-container-start.sh),
> also through the entrypoint.  This would solve the problem of the access
> from both sides, but has the downside of the need of running a recursive
> `chown` in all jenkins files in `/var` (including cache), possibly
> taking a long time to be accomplished.
> 
> Since most users will need to edit/remove the files from fuego-rw during
> usage and also given that `chowning` would ideally take place only once
> (first time that the container starts) for a given user, we decided to
> use the second approach.
> 
> In this patch, we create an entrypoint.sh in which the uid/gid of
> Jenkins is mapped to the user's.
> 
> Signed-off-by: Guilherme Campos Camargo <guicc at profusion.mobi>
> ---
>  Dockerfile                                    | 10 ++++------
>  fuego-host-scripts/docker-build-image.sh      | 13 +------------
>  fuego-host-scripts/docker-create-container.sh | 10 ++++++++++
>  setup/entrypoint.sh                           | 22 ++++++++++++++++++++++
>  setup/jenkins/setup.sh                        |  8 --------
>  5 files changed, 37 insertions(+), 26 deletions(-)
>  create mode 100755 setup/entrypoint.sh
> 
> diff --git a/Dockerfile b/Dockerfile
> index 3dad8b4..cc79351 100644
> --- a/Dockerfile
> +++ b/Dockerfile
> @@ -96,16 +96,12 @@ RUN echo deb http://emdebian.org/tools/debian/
> jessie main > /etc/apt/sources.li
>  # Download and Install Jenkins
>  #
> ==========================================================
> ====================
> 
> -ENV uid=1000
> -ENV gid=${uid}
>  ARG JENKINS_VERSION=2.32.1
>  ARG JENKINS_SHA=bfc226aabe2bb089623772950c4cc13aee613af1
>  ARG JENKINS_URL=https://pkg.jenkins.io/debian-
> stable/binary/jenkins_${JENKINS_VERSION}_all.deb
>  ENV JENKINS_HOME=/var/lib/jenkins
> 
> -RUN groupadd -g ${gid} jenkins && \
> -    useradd -l -m -d "${JENKINS_HOME}" -u ${uid} -g ${gid} -G sudo -s
> /bin/bash jenkins && \
> -    curl -L -O ${JENKINS_URL} && \
> +RUN curl -L -O ${JENKINS_URL} && \
>      echo "${JENKINS_SHA} jenkins_${JENKINS_VERSION}_all.deb" | sha1sum
> -c - && \
>      dpkg -i jenkins_${JENKINS_VERSION}_all.deb && \
>      rm jenkins_${JENKINS_VERSION}_all.deb
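
Review bot: The removed `useradd` line was the only place the jenkins account was given `-G sudo`, `-s /bin/bash` and `-d "${JENKINS_HOME}"`; after this hunk the account has to come from the package install in the remaining `RUN` line. If dropping sudo group membership is intended, say so in the commit message; if anything still relies on jenkins having sudo or a bash login shell, it needs an explicit `usermod` somewhere. The uid of that account is also no longer chosen by the image, so the entrypoint remap must cope with whatever uid the package picks.
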
> @@ -143,4 +139,6 @@ COPY docs/fuego-docs.pdf
> $JENKINS_HOME/userContent/docs/fuego-docs.pdf
>  # Setup startup command
>  #
> ==========================================================
> ====================
> 
> -ENTRYPOINT service jenkins start && service netperf start && /bin/bash
> +WORKDIR /
> +COPY setup/entrypoint.sh /
> +ENTRYPOINT ["/entrypoint.sh"]
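
Review bot: `WORKDIR /` looks unnecessary for the `COPY` that follows, whose destination is already absolute, and it also sets the directory the interactive shell starts in; drop it or say why it is needed. With the exec-form `ENTRYPOINT ["/entrypoint.sh"]` the script is started directly instead of through `/bin/sh -c`, so it depends on the file keeping its executable bit (the patch creates it with mode 100755) and on its `#!/bin/bash` line, and any arguments given after the image name now reach the script, which ignores them.
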
> diff --git a/fuego-host-scripts/docker-build-image.sh b/fuego-host-
> scripts/docker-build-image.sh
> index a49ffab..d276ee0 100755
> --- a/fuego-host-scripts/docker-build-image.sh
> +++ b/fuego-host-scripts/docker-build-image.sh
> @@ -2,17 +2,6 @@
>  # $1 - name for the docker image (default: fuego)
>  DOCKERIMAGE=${1:-fuego}
> 
> -if [ "$(id -u)" == "0" ]; then
> -	JENKINS_UID=$(id -u $SUDO_USER)
> -	JENKINS_GID=$(id -g $SUDO_USER)
> -else
> -	JENKINS_UID=$(id -u $USER)
> -	JENKINS_GID=$(id -g $USER)
> -fi
> -
>  sudo docker build -t ${DOCKERIMAGE} \
>      --build-arg http_proxy=${http_proxy} \
> -    --build-arg https_proxy=${https_proxy} \
> -    --build-arg uid=${JENKINS_UID} \
> -    --build-arg gid=${JENKINS_GID} \
> -    .
> +    --build-arg https_proxy=${https_proxy} .
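
Review bot: The new last line, `--build-arg https_proxy=${https_proxy} .`, puts the build context on the same line as an option and leaves the expansion unquoted, so the `.` is easy to miss and a value containing whitespace would be split into extra arguments. Keep `.` on its own line as it was and quote both proxy expansions.
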
> diff --git a/fuego-host-scripts/docker-create-container.sh b/fuego-host-
> scripts/docker-create-container.sh
> index 9e3d61a..cba2c6e 100755
> --- a/fuego-host-scripts/docker-create-container.sh
> +++ b/fuego-host-scripts/docker-create-container.sh
> @@ -17,6 +17,14 @@ if [ ! -d $DIR/../../fuego-core ]; then
>     exit 1
>  fi
> 
> +if [ "${UID}" == "0" ]; then
> +	uid=$(id -u "${SUDO_USER}")
> +	gid=$(id -g "${SUDO_USER}")
> +else
> +	uid="${UID}"
> +	gid=$(id -g "${USER}")
> +fi
> +
>  sudo docker create -it --name ${DOCKERCONTAINER} \
>      -v /boot:/boot:ro \
>      -v $DIR/../fuego-rw:/fuego-rw \
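
Review bot: In the added `if` block, the root branch trusts `${SUDO_USER}` without checking it. When the script is run from a root login rather than through sudo, `SUDO_USER` is empty, `id -u ""` fails and `uid`/`gid` end up empty; when root itself runs sudo, they end up 0. Either case hands the container an id it cannot remap jenkins to, so test for an empty or zero `uid` here and exit with a message before `docker create`. Also, `==` inside `[ ]` is a bashism (`=` works in both bash and sh), and `${UID}` is only set by bash.
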
> @@ -24,5 +32,7 @@ sudo docker create -it --name ${DOCKERCONTAINER} \
>      -v $DIR/../../fuego-core:/fuego-core:ro \
>      -e http_proxy=${http_proxy} \
>      -e https_proxy=${https_proxy:-$http_proxy} \
> +    -e UID=${uid} \
> +    -e GID=${gid} \
>      --net="host" ${DOCKERIMAGE} || \
>      echo "Could not create fuego-container. See error messages."
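
Review bot: The `-e UID=${uid}` and `-e GID=${gid}` lines are added only to this script, and the diffstat touches no other create script; the session log earlier in this message used `docker-create-usb-privileged-container.sh`, which would start the new entrypoint without either variable. Add the same lines there (or factor the common arguments out), and quote the expansions.
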
> diff --git a/setup/entrypoint.sh b/setup/entrypoint.sh
> new file mode 100755
> index 0000000..bbec498
> --- /dev/null
> +++ b/setup/entrypoint.sh
> @@ -0,0 +1,22 @@
> +#!/bin/bash
> +set -e
> +
> +function map_jenkins_uid_to_host() {
> +    if [ "$(id -u jenkins)" = "${UID}" ]; then
> +        return 0
> +    fi
> +
> +    echo "Remapping Fuego's jenkins uid=$(id -u jenkins) to uid=${UID}..."
> +
> +    usermod -u "${UID}" jenkins
> +    groupmod -g "${GID}" jenkins
> +    chown -R "${UID}":"${GID}" \
> +        /var/lib/jenkins /var/cache/jenkins /var/log/jenkins /fuego-rw
> +}
> +
> +service jenkins stop >> /dev/null
> +map_jenkins_uid_to_host
> +service jenkins start
> +service netperf start
> +
> +exec /bin/bash
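
Review bot: `${UID}` in `map_jenkins_uid_to_host` is a bash special variable: bash sets it to the uid of the running shell and marks it readonly, so in a container created without `-e UID=...` it expands to 0 for a root entrypoint instead of being empty. Use names bash does not reserve (for example `HOST_UID`/`HOST_GID`) and refuse to continue when the value is empty, 0, or already taken by another account. Because of `set -e`, a failing `usermod` aborts the script before `exec /bin/bash` and the container exits, so print a clear error before that point. The early return also tests only the uid, so a run that dies after `usermod` but before `groupmod` or `chown` is never completed on the next start.
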
> diff --git a/setup/jenkins/setup.sh b/setup/jenkins/setup.sh
> index 26b7643..b95fa91 100755
> --- a/setup/jenkins/setup.sh
> +++ b/setup/jenkins/setup.sh
> @@ -2,14 +2,6 @@
> 
>  set -e
> 
> -user=jenkins
> -group=jenkins
> -uid=1000
> -gid=${uid}
> -
> -# groupadd -g ${gid} ${group}
> -# useradd -l -m -d "${JENKINS_HOME}" -u ${uid} -g ${gid} -G sudo -s
> /bin/bash ${user}
> -
>  cp config.xml jenkins.model.JenkinsLocationConfiguration.xml
> "${JENKINS_HOME}"
> 
>  echo 'JENKINS_ARGS="${JENKINS_ARGS} --prefix=/fuego"' >>
> /etc/default/jenkins
> --
> 2.16.1
> 
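
The remap described in the commit message fails when the id received from the host is missing, 0, or already owned by another account (the log above ends in `usermod: UID '0' already exists`). The following is an added example, not part of the patch or of Fuego, showing one way an entrypoint could classify the id before calling `usermod`; the function names, return codes and sample passwd content are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (not Fuego code): validate an id received from the host
# before an entrypoint hands it to usermod/groupmod.

# Constructed sample of a container's /etc/passwd (gid 112 is made up).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jenkins:x:107:112:Jenkins:/var/lib/jenkins:/bin/false
EOF
}

# id_owner FILE ID: print the account that owns numeric ID in FILE
# (field 3 in both passwd and group format), or nothing if the id is free.
id_owner() {
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# check_remap_id FILE ID NAME
#   0 = ID is free, safe to remap NAME to it
#   1 = ID is empty or not a plain decimal number
#   2 = ID is 0 (would turn the service account into root)
#   3 = ID already belongs to a different account
#   4 = NAME already has ID, nothing to do
check_remap_id() {
    file=$1 new_id=$2 name=$3
    case "$new_id" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$new_id" -ne 0 ] || return 2
    owner=$(id_owner "$file" "$new_id")
    [ -z "$owner" ] && return 0
    [ "$owner" = "$name" ] && return 4
    return 3
}

# Demo: ids an entrypoint might receive, checked against the sample file.
demo() {
    tmp=$(mktemp) && sample_passwd > "$tmp"
    for candidate in 1000 0 1 107 ""; do
        rc=0; check_remap_id "$tmp" "$candidate" jenkins || rc=$?
        echo "id='$candidate' -> $rc"
    done
    rm -f "$tmp"
}
demo
```

In an entrypoint, only return code 0 would proceed to `usermod`, `groupmod` and `chown`; the same check applies to the gid against `/etc/group`.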