[Fuego] [PATCH 1/1] Remove jenkins user created during build time with host's uid/gid

Guilherme Campos Camargo guicc at profusion.mobi
Wed Jan 31 15:23:01 UTC 2018


Prior to this patch, the fuego-host-scripts/docker-build-image.sh script
was calling docker build passing two `build-arg`s: uid/gid. According to
the comments in the code, it seems that the intention was to make sure
that the jenkins user (needed by Jenkins) would have the same uid/gid as
the user of the host that has called the install script.

Given that the uid/gid of the jenkins user was being set at build time,
the generated image would be configured only for the machine where it's
built, which would prevent jenkins from changing files in the /fuego-rw
mountpoint on different hosts.

One approach for allowing jenkins to write to fuego-rw is to chown
/fuego-rw and its pre-existing subdirectories during execution time,
which can be done in a docker entrypoint script. That approach, per se,
solves the problem, by allowing jenkins to write to the mount point, but
generates a side-effect: the user on the host machine will be able to
inspect, but will not be able to delete/modify the files created by
jenkins (unless it forces it as root).

Another approach would be to change the uid and the gid of the jenkins
user in the first execution (first call to docker-container-start.sh),
also through the entrypoint.  This would solve the problem of the access
from both sides, but has the downside of the need of running a recursive
`chown` in all jenkins files in `/var` (including cache), possibly
taking a long time to be accomplished.

Since most users will need to edit/remove the files from fuego-rw during
usage and also given that `chowning` would ideally take place only once
(first time that the container starts) for a given user, we decided to
use the second approach.

In this patch, we create an entrypoint.sh in which the uid/gid of
Jenkins is mapped to the user's.

Signed-off-by: Guilherme Campos Camargo <guicc at profusion.mobi>
---
 Dockerfile                                    | 10 ++++------
 fuego-host-scripts/docker-build-image.sh      | 13 +------------
 fuego-host-scripts/docker-create-container.sh | 10 ++++++++++
 setup/entrypoint.sh                           | 22 ++++++++++++++++++++++
 setup/jenkins/setup.sh                        |  8 --------
 5 files changed, 37 insertions(+), 26 deletions(-)
 create mode 100755 setup/entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 3dad8b4..cc79351 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -96,16 +96,12 @@ RUN echo deb http://emdebian.org/tools/debian/ jessie main > /etc/apt/sources.li
 # Download and Install Jenkins
 # ==============================================================================
 
-ENV uid=1000
-ENV gid=${uid}
 ARG JENKINS_VERSION=2.32.1
 ARG JENKINS_SHA=bfc226aabe2bb089623772950c4cc13aee613af1
 ARG JENKINS_URL=https://pkg.jenkins.io/debian-stable/binary/jenkins_${JENKINS_VERSION}_all.deb
 ENV JENKINS_HOME=/var/lib/jenkins
 
-RUN groupadd -g ${gid} jenkins && \
-    useradd -l -m -d "${JENKINS_HOME}" -u ${uid} -g ${gid} -G sudo -s /bin/bash jenkins && \
-    curl -L -O ${JENKINS_URL} && \
+RUN curl -L -O ${JENKINS_URL} && \
     echo "${JENKINS_SHA} jenkins_${JENKINS_VERSION}_all.deb" | sha1sum -c - && \
     dpkg -i jenkins_${JENKINS_VERSION}_all.deb && \
     rm jenkins_${JENKINS_VERSION}_all.deb
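
Review bot: With the `groupadd`/`useradd` lines removed, nothing in this RUN step creates the jenkins account any more, yet the new setup/entrypoint.sh calls `id -u jenkins` and `usermod` on it. If the account is expected to come from the package installed by `dpkg -i`, say so in a comment above the RUN. The removed `useradd` also put jenkins in the sudo group with a /bin/bash shell (`-G sudo -s /bin/bash`); state in the commit message whether dropping those is intended, since anything that relied on jenkins having sudo will behave differently.
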
@@ -143,4 +139,6 @@ COPY docs/fuego-docs.pdf $JENKINS_HOME/userContent/docs/fuego-docs.pdf
 # Setup startup command
 # ==============================================================================
 
-ENTRYPOINT service jenkins start && service netperf start && /bin/bash
+WORKDIR /
+COPY setup/entrypoint.sh /
+ENTRYPOINT ["/entrypoint.sh"]
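
Review bot: `WORKDIR /` is added above the COPY without being mentioned in the commit message, and it may change the directory in which the final interactive shell starts. If it is only there so that `COPY setup/entrypoint.sh /` lands at the root, it is not needed because the destination is already absolute; otherwise add a comment saying why the working directory is reset.
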
diff --git a/fuego-host-scripts/docker-build-image.sh b/fuego-host-scripts/docker-build-image.sh
index a49ffab..d276ee0 100755
--- a/fuego-host-scripts/docker-build-image.sh
+++ b/fuego-host-scripts/docker-build-image.sh
@@ -2,17 +2,6 @@
 # $1 - name for the docker image (default: fuego)
 DOCKERIMAGE=${1:-fuego}
 
-if [ "$(id -u)" == "0" ]; then
-	JENKINS_UID=$(id -u $SUDO_USER)
-	JENKINS_GID=$(id -g $SUDO_USER)
-else
-	JENKINS_UID=$(id -u $USER)
-	JENKINS_GID=$(id -g $USER)
-fi
-
 sudo docker build -t ${DOCKERIMAGE} \
     --build-arg http_proxy=${http_proxy} \
-    --build-arg https_proxy=${https_proxy} \
-    --build-arg uid=${JENKINS_UID} \
-    --build-arg gid=${JENKINS_GID} \
-    .
+    --build-arg https_proxy=${https_proxy} .
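
Review bot: Folding the build context `.` onto the end of the `--build-arg https_proxy=${https_proxy}` line makes it easy to miss, and because the expansion is unquoted a proxy value containing whitespace would be split into extra arguments. Keep `.` on its own continuation line as before and quote the value, for example `--build-arg "https_proxy=${https_proxy}"`.
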
diff --git a/fuego-host-scripts/docker-create-container.sh b/fuego-host-scripts/docker-create-container.sh
index 9e3d61a..cba2c6e 100755
--- a/fuego-host-scripts/docker-create-container.sh
+++ b/fuego-host-scripts/docker-create-container.sh
@@ -17,6 +17,14 @@ if [ ! -d $DIR/../../fuego-core ]; then
    exit 1
 fi
 
+if [ "${UID}" == "0" ]; then
+	uid=$(id -u "${SUDO_USER}")
+	gid=$(id -g "${SUDO_USER}")
+else
+	uid="${UID}"
+	gid=$(id -g "${USER}")
+fi
+
 sudo docker create -it --name ${DOCKERCONTAINER} \
     -v /boot:/boot:ro \
     -v $DIR/../fuego-rw:/fuego-rw \
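
Review bot: The `"${UID}" == "0"` branch assumes `SUDO_USER` is set. When the script is run from a real root shell rather than through sudo, `id -u "${SUDO_USER}"` is called with an empty name, fails, and yields an empty `uid` and `gid`. Check that `SUDO_USER` is non-empty and exit with a message otherwise. In the else branch, `id -g` with no argument returns the caller's gid without depending on `USER` being set.
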
@@ -24,5 +32,7 @@ sudo docker create -it --name ${DOCKERCONTAINER} \
     -v $DIR/../../fuego-core:/fuego-core:ro \
     -e http_proxy=${http_proxy} \
     -e https_proxy=${https_proxy:-$http_proxy} \
+    -e UID=${uid} \
+    -e GID=${gid} \
     --net="host" ${DOCKERIMAGE} || \
     echo "Could not create fuego-container. See error messages."
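
Review bot: `-e UID=${uid}` reuses the name of a variable that bash maintains itself (the uid of the running shell), so inside setup/entrypoint.sh `${UID}` is ambiguous between the uid the container process runs as and the host uid passed in here. Pass the two values under distinct names (for instance a project-prefixed pair; the exact names are a suggestion) and read those in the entrypoint. Also note in a comment that the ids are fixed at `docker create` time, so the container stays bound to the user who created it.
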
diff --git a/setup/entrypoint.sh b/setup/entrypoint.sh
new file mode 100755
index 0000000..bbec498
--- /dev/null
+++ b/setup/entrypoint.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+function map_jenkins_uid_to_host() {
+    if [ "$(id -u jenkins)" = "${UID}" ]; then
+        return 0
+    fi
+
+    echo "Remapping Fuego's jenkins uid=$(id -u jenkins) to uid=${UID}..."
+
+    usermod -u "${UID}" jenkins
+    groupmod -g "${GID}" jenkins
+    chown -R "${UID}":"${GID}" \
+        /var/lib/jenkins /var/cache/jenkins /var/log/jenkins /fuego-rw
+}
+
+service jenkins stop >> /dev/null
+map_jenkins_uid_to_host
+service jenkins start
+service netperf start
+
+exec /bin/bash
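
Review bot: `map_jenkins_uid_to_host` uses `${UID}` and `${GID}` without checking them. If the container is started without those variables, or with an empty or 0 value, `usermod -u` and `groupmod -g` are called with an id the service account should never have, and any failure under `set -e` stops the container with no explanation. Validate that both values are numeric and non-zero before the `usermod` line and exit with a clear message otherwise, since the `chown -R` that follows rewrites ownership of everything under /fuego-rw. The early `return 0` also compares only the uid, so a container whose uid already matches but whose gid differs is never remapped; compare `id -g jenkins` with `${GID}` as well.
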
diff --git a/setup/jenkins/setup.sh b/setup/jenkins/setup.sh
index 26b7643..b95fa91 100755
--- a/setup/jenkins/setup.sh
+++ b/setup/jenkins/setup.sh
@@ -2,14 +2,6 @@
 
 set -e
 
-user=jenkins
-group=jenkins
-uid=1000
-gid=${uid}
-
-# groupadd -g ${gid} ${group}
-# useradd -l -m -d "${JENKINS_HOME}" -u ${uid} -g ${gid} -G sudo -s /bin/bash ${user}
-
 cp config.xml jenkins.model.JenkinsLocationConfiguration.xml "${JENKINS_HOME}"
 
 echo 'JENKINS_ARGS="${JENKINS_ARGS} --prefix=/fuego"' >> /etc/default/jenkins
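
Review bot: The removed `user`, `group`, `uid` and `gid` assignments sit under `set -e` with no `set -u`, so any later line in setup.sh that still expands `${user}` or `${group}` would now silently get an empty string instead of failing. Confirm nothing below this hunk references them, or add `set -u` alongside `set -e`.
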
-- 
2.16.1


