Re: [cbi-dev] ssh agent - projects-storage.eclipse.org

Thanks Mikael, I tried with no success though it simplified my dockerfile.

I'm trying to get it working with your images, either jenkins-jnlp-agent or ssh-client, but I have the same error; shouldn't it be working? If I extend the default jnlp agent and install what I need (android-sdk) I'm fine. But no luck there either.

pipeline {
  agent {
    kubernetes {
      label 'my-pod'
      yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: mycontainer
    image: 'eclipsecbi/ssh-client:1.0'
    command:
    - cat
    tty: true
    volumeMounts:
    - name: volume-known-hosts
      mountPath: /home/jenkins/.ssh
  volumes:
  - name: volume-known-hosts
    configMap:
      name: known-hosts
'''
    }
  }
  stages {
    stage('Test connect') {
      steps {
        container('mycontainer') {
          sshagent(['828b4b17-45cd-467a-ad4c-2b362e8582e5']) {
            sh "ssh genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx mkdir -p /home/data/httpd/download.eclipse.org/keyple/snapshots"
          }
        }
      }
    }
  }
}

On Wed, Mar 20, 2019 at 1:10 PM Mikaël Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
It should be possible to use another user than jenkins if you use a different container than the default jnlp one. IMO, the issue here is that you specifically create a user "user", but it will get a userid assigned by the command useradd.

You should avoid creating the user this way.  Instead, you should define the environment variables that will be used by the uid_entrypoint script (https://github.com/eclipse-cbi/dockerfiles/blob/master/scripts/uid_entrypoint).

ENV USER_NAME="user"
ENV HOME="/home/${USER_NAME}"
RUN mkdir -p ${HOME}
WORKDIR $HOME

HTH

Mikaël Barbero 
Team Lead - Release Engineering | Eclipse Foundation
📱 (+33) 642 028 039 | 🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 20 March 2019 at 12:51, Olivier Delcroix <odelcroi@xxxxxxxxx> wrote:

Thanks Mikaël for this explanation.

My dockerfile is hereafter, I already use a non root 'user', but then it is messy when jenkins connects, can I have only the jenkins user? 

#tag eclipsekeyple/build:ssh
FROM maven:3.6-jdk-8

# Set up environment variables
ENV ANDROID_HOME="/home/user/android-sdk-linux" \
SDK_URL="https://dl.google.com/android/repository/sdk-tools-linux-3859397.zip" \
GRADLE_URL="https://services.gradle.org/distributions/gradle-4.5.1-all.zip"

# Create a non-root user
RUN useradd -m user
USER user
WORKDIR /home/user

# Download Android SDK
RUN mkdir "$ANDROID_HOME" .android \
&& cd "$ANDROID_HOME" \
&& curl -o sdk.zip $SDK_URL \
&& unzip sdk.zip \
&& rm sdk.zip \
&& yes | $ANDROID_HOME/tools/bin/sdkmanager --licenses

# Install Gradle
RUN wget $GRADLE_URL -O gradle.zip \
&& unzip gradle.zip \
&& mv gradle-4.5.1 gradle \
&& rm gradle.zip \
&& mkdir .gradle

ENV PATH="/home/user/gradle/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/platform-tools:${PATH}"

USER root

### give rights to android_home folder
RUN chgrp -R 0 "$ANDROID_HOME" \
&& chmod -R g=u "$ANDROID_HOME"


### user name recognition at runtime w/ an arbitrary uid - for OpenShift deployments
COPY docker_scripts/uid_entrypoint /usr/local/bin/uid_entrypoint
RUN chmod u+x /usr/local/bin/uid_entrypoint && \
chgrp 0 /usr/local/bin/uid_entrypoint && \
chmod g=u /usr/local/bin/uid_entrypoint /etc/passwd
### end


ENTRYPOINT [ "uid_entrypoint" ]

USER 1000100000



On Wed, Mar 20, 2019 at 12:08 PM Mikaël Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
The USER directive in a Dockerfile is just a hint for the runtime. Even with a local docker daemon, you can start your image with

$ docker run -it --rm -u 100001:0 busybox

and then in the container, you will see

/ $ id
uid=100001 gid=0(root)

The USER 10001 directive we add at the end of all Dockerfiles is just to inform the user that those images are made to not run as root.

Now, regarding Openshift, in the background it does something like this:

$ docker run -it --rm -u 100010000:0 yourrepo/yourimage

So what matters is to be ready to run as non root. 

If you still face issues, feel free to paste your dockerfile here.

Cheers,

Mikaël Barbero 
Team Lead - Release Engineering | Eclipse Foundation
📱 (+33) 642 028 039 | 🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 20 March 2019 at 12:00, Olivier Delcroix <odelcroi@xxxxxxxxx> wrote:

Thanks Frederic, 
indeed it worked for the jnlp agent :)

Now, for the 100010000 error, I'm executing the script like in https://github.com/eclipse-cbi/dockerfiles/blob/master/ssh-client/1.0/Dockerfile but I end my docker descriptor with USER 100010000 instead of USER 10001

Is that correct?


On Wed, Mar 20, 2019 at 11:51 AM Frederic Gurr <frederic.gurr@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,

In "sshagent ( ['project-storage.eclipse.org-bot-ssh'])" you have to use
the ID (a sequence of numbers). You can use the pipeline syntax
generator to select the right credential and see the corresponding ID.

Obviously the wiki was misleading in that regard. I will improve the
section covering that topic.

Regards,

Fred

On 20.03.19 11:39, Olivier Delcroix wrote:
> Hi folks,
>
> I've been struggling with the ssh agent yesterday with my custom
> container. I can't get rid of the 100010000 user error. I have modified
> my container based on the
> example https://github.com/eclipse-cbi/dockerfiles to run the
> appropriate script in ENTRYPOINT, but I must have missed something. 
>
> By the way, in the previous examples, the user is 10001 whereas in the
> openshift it is 100010000, am I understanding it right? 
>
> --
>
> So today, I'm trying something much simpler, I execute the following
> basic pipeline within the default container, but I'm getting the error
> "genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx: Permission denied
> (publickey,keyboard-interactive)."
>
> pipeline {
>   agent any
>   stages {
>     stage('Test SSH') {
>       steps {
>         sshagent ( ['project-storage.eclipse.org-bot-ssh']) {
>           sh '''
>             ssh genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx mkdir -p /home/data/httpd/download.eclipse.org/keyple/snapshots
>           '''
>         }
>       }
>     }
>   }
> }
>
> --
>
> I've been through all the wiki and docs, I think I have reached the
> limits of my capabilities in terms of k8/docker/openshift/devops...
> could I get a hand from someone on my pipelines? I am a bit desperate :)
> do I sound like it? 
>
> If you want to have a quick look : 
> First pipeline is here
> : https://jenkins.eclipse.org/keyple/job/test_ssh_pipeline/
> Second is here : https://jenkins.eclipse.org/keyple/job/test_jnlp_ssh/
>
> my custom container is attached
>
> Thanks in advance!
> Olivier
>
> _______________________________________________
> cbi-dev mailing list
> cbi-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/cbi-dev
>

--
Frederic Gurr
Release Engineer | Eclipse Foundation Europe GmbH

Annastr. 46, D-64673 Zwingenberg
Handelsregister: Darmstadt HRB 92821
Managing Directors: Ralph Mueller, Mike Milinkovich, Chris Laroque
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cbi-dev
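
Added example (not part of the thread, and not the eclipse-cbi uid_entrypoint script): a sketch of the fix-up such an entrypoint has to perform when the runtime picks an arbitrary uid such as 100010000, because the ssh client refuses to start for a uid with no passwd entry. USER_NAME and HOME are the variables from the Dockerfile advice above; PASSWD_FILE and UID_ENTRYPOINT_RUN are hypothetical names used only here.

```sh
#!/bin/sh
# Added illustration of the arbitrary-uid passwd fix-up; NOT the eclipse-cbi script.
# USER_NAME and HOME come from the Dockerfile ENV lines quoted in the thread.
# PASSWD_FILE and UID_ENTRYPOINT_RUN are hypothetical knobs added for this example.

# passwd_entry NAME UID HOME: print one passwd(5) line, primary group 0.
passwd_entry() {
    printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' "$1" "$2" "$1" "$3"
}

# uid_known FILE UID: succeed if FILE already maps UID to a name.
uid_known() {
    awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }' "$1"
}

# ensure_passwd_entry FILE UID NAME HOME
# Returns 0 if the uid resolves afterwards, 1 if FILE is not writable,
# 2 if NAME or HOME contain characters that could forge passwd fields.
ensure_passwd_entry() {
    file=$1 uid=$2 name=$3 home=$4
    uid_known "$file" "$uid" && return 0
    case $name$home in
        *[!A-Za-z0-9_./-]*) return 2 ;;   # rejects ':' and newlines
    esac
    [ -w "$file" ] || return 1
    passwd_entry "$name" "$uid" "$home" >> "$file"
}

# Entrypoint mode: patch the passwd file for the current uid, then run the command.
if [ "${UID_ENTRYPOINT_RUN:-}" = 1 ]; then
    ensure_passwd_entry "${PASSWD_FILE:-/etc/passwd}" "$(id -u)" \
        "${USER_NAME:-default}" "${HOME:-/}" ||
        echo "uid $(id -u) has no passwd entry; ssh will refuse to start" >&2
    exec "$@"
fi
```

The append only works because the image makes /etc/passwd group-writable for gid 0 (the chmod g=u line in the Dockerfile above), which also means any process running with gid 0 in that container can edit the file. Validating USER_NAME and HOME before writing keeps an environment variable from smuggling extra fields or lines into it.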