
Re: [cbi-dev] ssh agent - projects-storage.eclipse.org

Thanks!

On Thu, Mar 21, 2019 at 4:16 PM Mikaël Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Forgot to tell you that the "command:" directive in the pod template overrides the entrypoint directive in the Dockerfile. So you should change the pod template to:

    kubernetes {
      label 'my-pod'
      yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: mycontainer
    image: 'eclipsekeyple/build:ssh6'
    command: ["/usr/local/bin/uid_entrypoint"]
    args: ["cat"]
    tty: true
    volumeMounts:
    - name: volume-known-hosts
      mountPath: /home/jenkins/.ssh
  volumes:
  - name: volume-known-hosts
    configMap:
      name: known-hosts
'''
    }


Cheers,

Mikaël Barbero 
Team Lead - Release Engineering | Eclipse Foundation
📱 (+33) 642 028 039 | 🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 21 March 2019 at 16:05, Olivier Delcroix <odelcroi@xxxxxxxxx> wrote:

Hi,

I'm still trying to ssh from within my custom container with a simple pipeline, which you can see hereafter. I'm printing the /etc/passwd file, but my id does not show up. It seems that the entrypoint script is not executed, or is not doing what it is supposed to do.

I'm not sure of where to continue.

Thanks for your help,
Olivier



Here is the log of the pipeline 

Started by user Missing name
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] podTemplate
[Pipeline] {
[Pipeline] node
Still waiting to schedule task
‘my-pod-k8t27-rplpv’ is offline
Agent my-pod-k8t27-rplpv is provisioned from template Kubernetes Pod Template
Agent specification [Kubernetes Pod Template] (my-pod): 
yaml:

apiVersion: v1
kind: Pod
spec:
  containers:
  - name: mycontainer
    image: 'eclipsekeyple/build:ssh6'
    command:
    - cat
    tty: true
    volumeMounts:
    - name: volume-known-hosts
      mountPath: /home/jenkins/.ssh
  volumes:
  - name: volume-known-hosts
    configMap:
      name: known-hosts


Running on my-pod-k8t27-rplpv in /home/jenkins/workspace/test_ssh_pipeline
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Test connect)
[Pipeline] container
[Pipeline] {
[Pipeline] sshagent
[ssh-agent] Using credentials genie.keyple (ssh://genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
Executing shell script inside container [mycontainer] of pod [my-pod-k8t27-rplpv]
Executing command: "ssh-agent" 
exit
SSH_AUTH_SOCK=/tmp/ssh-zV6SUTLhturH/agent.23; export SSH_AUTH_SOCK;
SSH_AGENT_PID=24; export SSH_AGENT_PID;
echo Agent pid 24;
SSH_AUTH_SOCK=/tmp/ssh-zV6SUTLhturH/agent.23
SSH_AGENT_PID=24
Running ssh-add (command line suppressed)
Identity added: /home/jenkins/workspace/test_ssh_pipeline@tmp/private_key_8734908814888382531.key (/home/jenkins/workspace/test_ssh_pipeline@tmp/private_key_8734908814888382531.key)
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
+ head -n 50 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
[Pipeline] sh
+ ssh genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx mkdir -p /home/data/httpd/download.eclipse.org/keyple/snapshots
No user exists for uid 1000100000
[Pipeline] }
Executing shell script inside container [mycontainer] of pod [my-pod-k8t27-rplpv]
Executing command: "ssh-agent" "-k" 
exit
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 24 killed;
[ssh-agent] Stopped.
[Pipeline] // sshagent
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] }
[Pipeline] // podTemplate
[Pipeline] End of Pipeline
ERROR: script returned exit code 255
Finished: FAILURE


And the Dockerfile:
#tag eclipsekeyple/build:ssh
FROM openjdk:8-jdk
# Set up environment variables
ENV USER_NAME="jenkins"
ENV HOME="/home/${USER_NAME}"
### user name recognition at runtime w/ an arbitrary uid - for OpenShift deployments
COPY docker_scripts/uid_entrypoint /usr/local/bin/uid_entrypoint
RUN chmod u+x /usr/local/bin/uid_entrypoint && \
    chgrp 0 /usr/local/bin/uid_entrypoint && \
    chmod g=u /usr/local/bin/uid_entrypoint /etc/passwd
### end
RUN mkdir -p ${HOME}
WORKDIR $HOME
ENTRYPOINT [ "/usr/local/bin/uid_entrypoint" ]

docker_scripts/uid_entrypoint:
#!/bin/sh
# If the current uid has no passwd entry (whoami fails), add one so that tools
# such as ssh can resolve the uid to a name. Requires /etc/passwd to be group-writable.
# Note: "&>" is a bash-ism that /bin/sh (dash) does not understand; use the POSIX form.
if ! whoami > /dev/null 2>&1; then
  if [ -w /etc/passwd ]; then
    echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
  fi
fi
exec "$@"

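As an added example (not part of the thread, and not the eclipse-cbi uid_entrypoint script), the POSIX shell functions below implement the same passwd-entry check the entrypoint performs, but against a passwd file passed as an argument so the behaviour can be exercised on a constructed copy rather than the live /etc/passwd. The lookup in `uid_has_entry` is what `whoami` and ssh rely on: ssh's "No user exists for uid 1000100000" from the log above is exactly this lookup failing. `ensure_passwd_entry` appends the entry in the format the thread's script uses, refuses when the file is not writable (the Dockerfile's `chmod g=u /etc/passwd` is what makes it writable for gid 0), and is idempotent. The uid 1000100000 and the entry format come from the thread; the function names, the file argument and the sample passwd contents are constructed for this example.

```shell
#!/bin/sh
# Added example: portable passwd-entry check and repair for arbitrary-uid containers.
# Works on any passwd-format file given as $1; the real entrypoint targets /etc/passwd.

# uid_has_entry PASSWD_FILE UID -> returns 0 if some line has UID in field 3.
# This is the resolution that whoami, ssh and getent perform via NSS "files".
uid_has_entry() {
  while IFS=: read -r _name _pw _uid _rest; do
    [ "$_uid" = "$2" ] && return 0
  done < "$1"
  return 1
}

# ensure_passwd_entry PASSWD_FILE UID [NAME] [HOME]
# Appends "NAME:x:UID:0:NAME user:HOME:/sbin/nologin" (the thread's format, gid 0)
# only when no entry for UID exists and the file is writable; otherwise fails loudly.
ensure_passwd_entry() {
  passwd=$1 uid=$2 name=${3:-default} home=${4:-/}
  if uid_has_entry "$passwd" "$uid"; then
    return 0                      # already resolvable, nothing to do
  fi
  if [ ! -w "$passwd" ]; then
    echo "cannot add entry for uid $uid: $passwd is not writable" >&2
    return 1
  fi
  printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' "$name" "$uid" "$name" "$home" >> "$passwd"
}

# Constructed sample passwd file: a few system users as in the pipeline log,
# deliberately without an entry for the OpenShift-assigned uid 1000100000.
demo_passwd() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
  echo "$f"
}

# The check the real entrypoint runs for the current process: whoami exits
# non-zero when the running uid cannot be resolved through /etc/passwd.
current_uid_known() {
  whoami > /dev/null 2>&1
}

# Stand-alone demonstration.
if [ "${0##*/}" != "sh" ] && [ -z "${NO_DEMO:-}" ]; then
  f=$(demo_passwd)
  uid_has_entry "$f" 1000100000 || echo "uid 1000100000 unresolvable before repair"
  ensure_passwd_entry "$f" 1000100000 jenkins /home/jenkins
  uid_has_entry "$f" 1000100000 && echo "uid 1000100000 resolvable after repair"
  rm -f "$f"
fi
```

Running the file prints the before/after state; sourcing it with `NO_DEMO=1` exposes the functions. The writability check is the part worth keeping in a real entrypoint: when the image is built without `chmod g=u /etc/passwd`, the thread's script silently skips the append and the failure only surfaces later as the ssh error.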

On Wed, Mar 20, 2019 at 3:08 PM Olivier Delcroix <odelcroi@xxxxxxxxx> wrote:
Thanks Mikaël, I tried with no success, though it simplified my Dockerfile.

I'm trying to get it working with your images, either jenkins-jnlp-agent or ssh-client, but I have the same error; shouldn't it be working? If I extend the default jnlp agent and install what I need (android-sdk), I'm fine. But no luck there either.

pipeline {
  agent {
    kubernetes {
      label 'my-pod'
      yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: mycontainer
    image: 'eclipsecbi/ssh-client:1.0'
    command:
    - cat
    tty: true
    volumeMounts:
    - name: volume-known-hosts
      mountPath: /home/jenkins/.ssh
  volumes:
  - name: volume-known-hosts
    configMap:
      name: known-hosts
'''
    }
  }
  stages {
    stage('Test connect') {
      steps {
        container('mycontainer') {
          sshagent(['828b4b17-45cd-467a-ad4c-2b362e8582e5']) {
            sh "ssh genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx mkdir -p /home/data/httpd/download.eclipse.org/keyple/snapshots"
          }
        }
      }
    }
  }
}

On Wed, Mar 20, 2019 at 1:10 PM Mikaël Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
It should be possible to use a user other than jenkins if you use a different container than the default jnlp one. IMO, the issue here is that you specifically create a user "user", but it will get a user ID assigned by the useradd command.

You should avoid creating the user this way.  Instead, you should define the environment variables that will be used by the uid_entrypoint script (https://github.com/eclipse-cbi/dockerfiles/blob/master/scripts/uid_entrypoint).

ENV USER_NAME="user"
ENV HOME="/home/${USER_NAME}"
RUN mkdir -p ${HOME}
WORKDIR $HOME

HTH

Mikaël Barbero 
Team Lead - Release Engineering | Eclipse Foundation
📱 (+33) 642 028 039 | 🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 20 March 2019 at 12:51, Olivier Delcroix <odelcroi@xxxxxxxxx> wrote:

Thanks Mikaël for this explanation.

My Dockerfile is hereafter. I already use a non-root 'user', but then it is messy when Jenkins connects; can I have only the jenkins user?

#tag eclipsekeyple/build:ssh
FROM maven:3.6-jdk-8

# Set up environment variables
ENV ANDROID_HOME="/home/user/android-sdk-linux" \
    SDK_URL="https://dl.google.com/android/repository/sdk-tools-linux-3859397.zip" \
    GRADLE_URL="https://services.gradle.org/distributions/gradle-4.5.1-all.zip"

# Create a non-root user
RUN useradd -m user
USER user
WORKDIR /home/user

# Download Android SDK
RUN mkdir "$ANDROID_HOME" .android \
    && cd "$ANDROID_HOME" \
    && curl -o sdk.zip $SDK_URL \
    && unzip sdk.zip \
    && rm sdk.zip \
    && yes | $ANDROID_HOME/tools/bin/sdkmanager --licenses

# Install Gradle
RUN wget $GRADLE_URL -O gradle.zip \
    && unzip gradle.zip \
    && mv gradle-4.5.1 gradle \
    && rm gradle.zip \
    && mkdir .gradle

ENV PATH="/home/user/gradle/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/platform-tools:${PATH}"

USER root

### give rights to android_home folder
RUN chgrp -R 0 "$ANDROID_HOME" \
    && chmod -R g=u "$ANDROID_HOME"

### user name recognition at runtime w/ an arbitrary uid - for OpenShift deployments
COPY docker_scripts/uid_entrypoint /usr/local/bin/uid_entrypoint
RUN chmod u+x /usr/local/bin/uid_entrypoint && \
    chgrp 0 /usr/local/bin/uid_entrypoint && \
    chmod g=u /usr/local/bin/uid_entrypoint /etc/passwd
### end

ENTRYPOINT [ "uid_entrypoint" ]

USER 1000100000



On Wed, Mar 20, 2019 at 12:08 PM Mikaël Barbero <mikael.barbero@xxxxxxxxxxxxxxxxxxxxxx> wrote:
The USER directive in a Dockerfile is just a hint for the runtime. Even with a local docker daemon, you can start your image with

$ docker run -it --rm -u 100001:0 busybox

and then in the container, you will see

/ $ id
uid=100001 gid=0(root)

The USER 10001 directive we add at the end of all Dockerfiles is just to inform the user that those images are made not to run as root.

Now, regarding OpenShift, in the background it does something like this:

$ docker run -it --rm -u 100010000:0 yourrepo/yourimage

So what matters is to be ready to run as non-root.

If you still face issues, feel free to paste your Dockerfile here.

Cheers,

Mikaël Barbero 
Team Lead - Release Engineering | Eclipse Foundation
📱 (+33) 642 028 039 | 🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

On 20 March 2019 at 12:00, Olivier Delcroix <odelcroi@xxxxxxxxx> wrote:

Thanks Frederic, 
indeed it worked for the jnlp agent :)

Now, for the 100010000 error, I'm executing the script like in https://github.com/eclipse-cbi/dockerfiles/blob/master/ssh-client/1.0/Dockerfile but I end my docker descriptor with USER 100010000 instead of USER 10001

Is that correct?


On Wed, Mar 20, 2019 at 11:51 AM Frederic Gurr <frederic.gurr@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,

In "sshagent ( ['project-storage.eclipse.org-bot-ssh'])" you have to use
the ID (a sequence of numbers). You can use the pipeline syntax
generator to select the right credential and see the corresponding ID.

Obviously the wiki was misleading in that regard. I will improve the
section covering that topic.

Regards,

Fred

On 20.03.19 11:39, Olivier Delcroix wrote:
> Hi folks,
>
> I've been struggling with the ssh agent yesterday with my custom
> container. I can't get rid of the 100010000 user error. I have modified
> my container based on the
> example https://github.com/eclipse-cbi/dockerfiles to run the
> appropriate script in ENTRYPOINT, but I must have missed something. 
>
> By the way, in the previous examples, the user is 10001 whereas in the
> openshift it is 100010000, am I understanding it right? 
>
> --
>
> So today, I'm trying something much simpler, I execute the following
> basic pipeline within the default container, but I'm getting the error
> "genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx: Permission denied
> (publickey,keyboard-interactive)."
>
> pipeline {
>   agent any
>   stages {
>     stage('Test SSH') {
>       steps {
>         sshagent ( ['project-storage.eclipse.org-bot-ssh']) {
>           sh '''
>             ssh genie.keyple@xxxxxxxxxxxxxxxxxxxxxxxxxxxx mkdir -p /home/data/httpd/download.eclipse.org/keyple/snapshots
>           '''
>         }
>       }
>     }
>   }
> }
>
> --
>
> I've been through all the wiki and docs, I think I have reached the
> limits of my capabilities in terms of k8/docker/openshift/devops...
> could I get a hand from someone on my pipelines? I am a bit desperate :)
> do I sound like it? 
>
> If you want to have a quick look : 
> First pipeline is here
> : https://jenkins.eclipse.org/keyple/job/test_ssh_pipeline/
> Second is here : https://jenkins.eclipse.org/keyple/job/test_jnlp_ssh/
>
> my custom container is attached
>
> Thanks in advance!
> Olivier
>
> _______________________________________________
> cbi-dev mailing list
> cbi-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/cbi-dev
>

--
Frederic Gurr
Release Engineer | Eclipse Foundation Europe GmbH

Annastr. 46, D-64673 Zwingenberg
Handelsregister: Darmstadt HRB 92821
Managing Directors: Ralph Mueller, Mike Milinkovich, Chris Laroque
