I've added this information on the wiki: https://wiki.eclipse.org/Jenkins#My_build_fails_with_.22No_user_exists_for_uid_1000100000.22.2C_what.27s_the_issue.3F
Thanks.
Mikaël Barbero
Team Lead - Release Engineering | Eclipse Foundation 📱 (+33) 642 028 039 | 🐦 @mikbarbero
Forgot to tell you that the "command:" directive in the pod template overrides the entrypoint directive in the Dockerfile. So you should change the pod template to:
kubernetes {
  label 'my-pod'
  yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: mycontainer
    image: 'eclipsekeyple/build:ssh6'
    command: ["/usr/local/bin/uid_entrypoint"]
    args: ["cat"]
    tty: true
    volumeMounts:
    - name: volume-known-hosts
      mountPath: /home/jenkins/.ssh
  volumes:
  - name: volume-known-hosts
    configMap:
      name: known-hosts
'''
}
Cheers,
Mikaël Barbero
Team Lead - Release Engineering | Eclipse Foundation 📱 (+33) 642 028 039 | 🐦 @mikbarbero
Hi,
I'm still trying to ssh in my custom container with a simple pipeline you can see hereafter. I'm printing the /etc/passwd file, but my id does not show. It seems that the entry_point script is not executed or not doing what it is supposed to do.
I'm not sure of where to continue.
Thanks for your help, Olivier
Here is the log of the pipeline
Started by user Missing name
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] podTemplate
[Pipeline] {
[Pipeline] node
Still waiting to schedule task
‘my-pod-k8t27-rplpv’ is offline
Agent my-pod-k8t27-rplpv is provisioned from template Kubernetes Pod Template
Agent specification [Kubernetes Pod Template] (my-pod):
yaml:
apiVersion: v1
kind: Pod
spec:
containers:
- name: mycontainer
image: 'eclipsekeyple/build:ssh6'
command:
- cat
tty: true
volumeMounts:
- name: volume-known-hosts
mountPath: /home/jenkins/.ssh
volumes:
- name: volume-known-hosts
configMap:
name: known-hosts
Running on my-pod-k8t27-rplpv in /home/jenkins/workspace/test_ssh_pipeline
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Test connect)
[Pipeline] container
[Pipeline] {
[Pipeline] sshagent
[ssh-agent] Using credentials genie.keyple (ssh://genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
Executing shell script inside container [mycontainer] of pod [my-pod-k8t27-rplpv]
Executing command: "ssh-agent"
exit
SSH_AUTH_SOCK=/tmp/ssh-zV6SUTLhturH/agent.23; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24; export SSH_AGENT_PID;
echo Agent pid 24;
SSH_AUTH_SOCK=/tmp/ssh-zV6SUTLhturH/agent.23
SSH_AGENT_PID=24
Running ssh-add (command line suppressed)
Identity added: /home/jenkins/workspace/test_ssh_pipeline@tmp/private_key_8734908814888382531.key (/home/jenkins/workspace/test_ssh_pipeline@tmp/private_key_8734908814888382531.key)
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
+ head -n 50 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
[Pipeline] sh
+ ssh genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx mkdir -p /home/data/httpd/download.eclipse.org/keyple/snapshots
No user exists for uid 1000100000
[Pipeline] }
Executing shell script inside container [mycontainer] of pod [my-pod-k8t27-rplpv]
Executing command: "ssh-agent" "-k"
exit
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 24 killed;
[ssh-agent] Stopped.
[Pipeline] // sshagent
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] }
[Pipeline] // podTemplate
[Pipeline] End of Pipeline
ERROR: script returned exit code 255
Finished: FAILURE
And the docker file :

#tag eclipsekeyple/build:ssh
FROM openjdk:8-jdk

# Set up environment variables
ENV USER_NAME="jenkins"
ENV HOME="/home/${USER_NAME}"

### user name recognition at runtime w/ an arbitrary uid - for OpenShift deployments
COPY docker_scripts/uid_entrypoint /usr/local/bin/uid_entrypoint
RUN chmod u+x /usr/local/bin/uid_entrypoint && \
    chgrp 0 /usr/local/bin/uid_entrypoint && \
    chmod g=u /usr/local/bin/uid_entrypoint /etc/passwd
### end

RUN mkdir -p ${HOME}
WORKDIR $HOME

ENTRYPOINT [ "/usr/local/bin/uid_entrypoint" ]
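docker_scripts/uid_entrypoint :

#!/bin/sh
# Add a passwd entry for the current (arbitrary) uid when none exists.
# "> /dev/null 2>&1" replaces the bash-only "&>", which a POSIX /bin/sh such as dash misparses.
if ! whoami > /dev/null 2>&1; then
  if [ -w /etc/passwd ]; then
    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
  fi
fi
# Hand over to the command given to the container
exec "$@"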
Thanks Mikael, I tried with no success, though it simplified my dockerfile. I'm trying to get it working with your images, either jenkins-jnlp-agent or ssh-client, but I have the same error; shouldn't it be working? If I extend the default jnlp agent and install what I need (android-sdk) I'm fine. But no luck there either.
pipeline {
  agent {
    kubernetes {
      label 'my-pod'
      yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: mycontainer
    image: 'eclipsecbi/ssh-client:1.0'
    command:
    - cat
    tty: true
    volumeMounts:
    - name: volume-known-hosts
      mountPath: /home/jenkins/.ssh
  volumes:
  - name: volume-known-hosts
    configMap:
      name: known-hosts
'''
    }
  }
  stages {
    stage('Test connect') {
      steps {
        container('mycontainer') {
          sshagent(['828b4b17-45cd-467a-ad4c-2b362e8582e5']) {
          }
        }
      }
    }
  }
}
It should be possible to use another user than jenkins if you use a different container than the default jnlp one. IMO, the issue here is that you specifically create a user "user", but it will get a userid assigned by the command useradd.
ENV USER_NAME="user"
ENV HOME="/home/${USER_NAME}"
RUN mkdir -p ${HOME}
WORKDIR $HOME
HTH
Mikaël Barbero
Team Lead - Release Engineering | Eclipse Foundation 📱 (+33) 642 028 039 | 🐦 @mikbarbero
Thanks Mikaël for this explanation. My dockerfile is hereafter. I already use a non-root 'user', but then it is messy when jenkins connects; can I have only the jenkins user?
#tag eclipsekeyple/build:ssh
FROM maven:3.6-jdk-8

# Set up environment variables
ENV ANDROID_HOME="/home/user/android-sdk-linux" \
    SDK_URL="https://dl.google.com/android/repository/sdk-tools-linux-3859397.zip" \
    GRADLE_URL="https://services.gradle.org/distributions/gradle-4.5.1-all.zip"

# Create a non-root user
RUN useradd -m user
USER user
WORKDIR /home/user

# Download Android SDK
RUN mkdir "$ANDROID_HOME" .android \
    && cd "$ANDROID_HOME" \
    && curl -o sdk.zip $SDK_URL \
    && unzip sdk.zip \
    && rm sdk.zip \
    && yes | $ANDROID_HOME/tools/bin/sdkmanager --licenses

# Install Gradle
RUN wget $GRADLE_URL -O gradle.zip \
    && unzip gradle.zip \
    && mv gradle-4.5.1 gradle \
    && rm gradle.zip \
    && mkdir .gradle

ENV PATH="/home/user/gradle/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/platform-tools:${PATH}"

USER root

### give rights to android_home folder
RUN chgrp -R 0 "$ANDROID_HOME" \
    && chmod -R g=u "$ANDROID_HOME"

### user name recognition at runtime w/ an arbitrary uid - for OpenShift deployments
COPY docker_scripts/uid_entrypoint /usr/local/bin/uid_entrypoint
RUN chmod u+x /usr/local/bin/uid_entrypoint && \
    chgrp 0 /usr/local/bin/uid_entrypoint && \
    chmod g=u /usr/local/bin/uid_entrypoint /etc/passwd
### end

ENTRYPOINT [ "uid_entrypoint" ]

USER 1000100000
The USER directives in a dockerfile are just a hint for the runtime. Even with a local docker daemon, you can start your image with
$ docker run -it --rm -u 100001:0 busybox
and then in the container, you will see
/ $ id
uid=100001 gid=0(root)
The USER 10001 directive we add at the end of all dockerfiles is just to inform the user that those images are made to not run as root.
Now, regarding Openshift, in the background it does something like this:
$ docker run -it --rm -u 100010000:0 yourrepo/yourimage
So what matters is to be ready to run as non root.
If you still face issues, feel free to paste your dockerfile here.
Cheers,
Mikaël Barbero
Team Lead - Release Engineering | Eclipse Foundation 📱 (+33) 642 028 039 | 🐦 @mikbarbero
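
Added example, not part of the original thread or of the eclipse-cbi images: a POSIX sh version of the passwd check behind "No user exists for uid 1000100000". It looks the runtime uid up in the passwd file directly and appends an entry only when one is missing. The function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are hypothetical.

# uid_has_entry PASSWD_FILE UID
# Succeeds when some line of PASSWD_FILE carries UID in its third field.
uid_has_entry() {
    awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }' "$1"
}

# ensure_passwd_entry PASSWD_FILE UID NAME HOME
# Returns 0 when an entry exists or was added, 1 when it is missing and
# the file cannot be written (image built without "chmod g=u /etc/passwd").
ensure_passwd_entry() {
    passwd_file=$1 uid=$2 name=$3 home=$4
    if uid_has_entry "$passwd_file" "$uid"; then
        return 0                      # already resolvable, add nothing
    fi
    if [ ! -w "$passwd_file" ]; then
        echo "uid $uid has no entry and $passwd_file is not writable" >&2
        return 1
    fi
    # gid 0: the arbitrary uid is started with the root group
    printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' \
        "$name" "$uid" "$name" "$home" >> "$passwd_file"
}

# Constructed sample: an image passwd file that lacks the runtime uid.
# Prints how many entries exist for that uid after two calls.
demo_arbitrary_uid() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' > "$tmp"
    ensure_passwd_entry "$tmp" 1000100000 jenkins /home/jenkins
    ensure_passwd_entry "$tmp" 1000100000 jenkins /home/jenkins  # no-op
    grep -c ':1000100000:0:' "$tmp"
    rm -f "$tmp"
}

# As an entrypoint the call would be (kept as a comment so the file is
# safe to source):
#   ensure_passwd_entry /etc/passwd "$(id -u)" "${USER_NAME:-default}" "$HOME"
#   exec "$@"
demo_arbitrary_uid   # prints 1
```

The entrypoint only takes effect when the pod template does not replace it: with "command: cat" the script is never run and the uid stays unresolved.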
Thanks Frederic, indeed it worked for the jnlp agent :)
Is that correct?
Hi,
In "sshagent ( ['project-storage.eclipse.org-bot-ssh'])" you have to use
the ID (a sequence of numbers). You can use the pipeline syntax
generator to select the right credential and see the corresponding ID.
Obviously the wiki was misleading in that regard. I will improve the
section covering that topic.
Regards,
Fred
On 20.03.19 11:39, Olivier Delcroix wrote:
> Hi folks,
>
> I've been struggling with the ssh agent yesterday with my custom
> container. I can't get rid of the 100010000 user error. I have modified
> my container based on the
> example https://github.com/eclipse-cbi/dockerfiles to run the
> appropriate script in ENTRYPOINT, but I must have missed something.
>
> By the way, in the previous examples, the user is 10001 whereas in the
> openshift it is 100010000, am I understanding it right?
>
> --
>
> So today, I'm trying something much simpler, I execute the following
> basic pipeline within the default container, but I'm getting the error
> "genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx: Permission denied
> (publickey,keyboard-interactive)."
>
> pipeline {
>     agent any
>     stages {
>         stage('Test SSH') {
>             steps {
>                 sshagent ( ['project-storage.eclipse.org-bot-ssh']) {
>                     sh '''
>                         ssh genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx mkdir -p /home/data/httpd/download.eclipse.org/keyple/snapshots
>                     '''
>                 }
>             }
>         }
>     }
> }
>
> --
>
> I've been through all the wiki and docs, I think I have reached the
> limits of my capabilities in terms of k8/docker/openshift/devops...
> could I get a hand from someone on my pipelines? I am a bit desperate :)
> do I sound like it?
>
> If you want to have a quick look :
> First pipeline is here
> : https://jenkins.eclipse.org/keyple/job/test_ssh_pipeline/
> Second is here : https://jenkins.eclipse.org/keyple/job/test_jnlp_ssh/
>
> my custom container is attached
>
> Thanks in advance!
> Olivier
>
> _______________________________________________
> cbi-dev mailing list
> cbi-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/cbi-dev
>
--
Frederic Gurr
Release Engineer | Eclipse Foundation Europe GmbH
Annastr. 46, D-64673 Zwingenberg
Handelsregister: Darmstadt HRB 92821
Managing Directors: Ralph Mueller, Mike Milinkovich, Chris Laroque