Use jenkins user inside docker jobs instead of root #494
Conversation
Create a user in the Dockerfile that matches the current user, and switch to this user before using commands that touch the workspace folders. Signed-off-by: Steve Peters <[email protected]>
j-rivero
changed the title
|
I think that the PR is a good step forward to reduce the use of root in the CI pipeline. It is probably the easiest one (more complicate would probably be the execution of docker without sudo) but this one is important. Thank Steve. Code looks good to me. I would like to check a couple of things more: GPU build with this branch and debbuilder with this branch. My goal is to execute the merge and do the manual operations in the next two days. |
sounds good. It might be useful to schedule a meeting with you, me and the current build farmer @mjcarroll to coordinate the merge and manual operations |
I was thinking on performing all the operations during Wednesday Europe morning if we have a clear plan with the steps ready. I'm happy to take any help. |
|
have you run any test builds with these latest changes? |
…ith root" This reverts commit 61f11d6.
Signed-off-by: Jose Luis Rivero <[email protected]>
j-rivero
force-pushed
the
scpeters/docker_rootless
branch
from
12517b6 to
ec40caa
Compare
Signed-off-by: Jose Luis Rivero <[email protected]>
Signed-off-by: Jose Luis Rivero <[email protected]>
|
Made some modifications to this PR (sorry I should have used a different branch) and run a battery of tests:
I think we are ready to re-review @scpeters |
| echo '# END SECTION' | ||
|
|
||
| echo '# BEGIN SECTION: install nvidia-docker1 (in docker)' | ||
| apt-get install -y wget nvidia-340 nvidia-modprobe | ||
| sudo apt-get install -y wget nvidia-340 nvidia-modprobe | ||
| wget -P /tmp https://github.com/NVIDIA/nvidia-docker/releases/download/v1.0.1/nvidia-docker_1.0.1-1_amd64.deb | ||
| dpkg -i /tmp/nvidia-docker*.deb && rm /tmp/nvidia-docker*.deb |
There was a problem hiding this comment.
I expect this line and the apt-key and add-apt-repository commands may need sudo as well
|
thanks for the additional testing. I think we can merge soon and catch further issues when they arise |
+1. I'll plan the migration via slack. |
| # Create a user with passwordless sudo | ||
| ARG USERID | ||
| ARG USER | ||
| RUN adduser --uid \$USERID --gecos "Developer" --disabled-password \$USER |
There was a problem hiding this comment.
I would recommend a slightly more complete arguments to the user. In particular set the group ID as well.
I have a good example at: https://github.com/osrf/rocker/blob/acbbff59d6aef6a9654eabc0ff7e3f823936d6e3/src/rocker/templates/user_snippet.Dockerfile.em#L9
There was a problem hiding this comment.
Thanks! I've included GID handlng in ef59662
|
Another short round of tests:
|
|
Changed machines:
Merging- |
I have noticed some times when Jenkins fails to clear a workspace for a job. After investigating the machines over ssh, I have noticed the remaining folders contain files owned by
root. This is caused by our use of therootuser in the docker-based Ubuntu CI jobs. To avoid using therootuser, this pull request creates a user in the Dockerfile that matches the current user, and switch to this user before using commands that touch the workspace folders.I have tested with the following job:
In order for this job to pass, I had to manually call
sudo chown -R jenkins:jenkinson both the build machine's workspace folder and on the shared/srv/ccachefolder. To merge this; I recommend taking all the Linux nodes of build.osrfoundation.org offline, then sanitizing the workspace and/srv/ccachefolders of each Linux node, then bringing them back online.edit
commands to run on migration:
sudo find /var/lib/jenkins/workspace -user root -exec chown jenkins {} \; # chown symbolic links too sudo find /var/lib/jenkins/workspace -user root -exec chown -h jenkins {} \; sudo chown jenkins -R /srv/ccache