JetBrains / teamcity-docker-agent

TeamCity agent docker image sources
https://hub.docker.com/r/jetbrains/teamcity-agent/
Apache License 2.0
77 stars 64 forks

How do you grant permission to a teamcity agent running in AKS? #34

Closed ghost closed 6 years ago

ghost commented 6 years ago

I hit an issue today where I have a build step, which involves running an executable file. My build is presently failing, because my TeamCity Agent apparently doesn't have permission to run the EXE. The EXE is located in the build directory. Both the TeamCity Server and the Build Agent reside in Azure Kubernetes Services, and are running version TeamCity.2018.1. Other than this issue, the Build Agent has been working well; it can pull down source code, run NPM commands and the like. It just can't seem to run this EXE.

If the Agent were hosted on a Windows machine, I'd simply RDP on to that machine, amend the User Account under which the Agent Service was running to use an account with elevated permissions, and have confidence that would allow the Build Agent to do what it needs to do. But I'm unsure what the equivalent step I should take is when the Agent is running in Docker / Linux, on AKS.

I've had a look through the TeamCity documentation, but couldn't find any info specific to this scenario. Any ideas how I can achieve what I need to here?

dtretyakov commented 6 years ago

@Rachel-ResDiary, please note that Windows Server Core, used in the Windows containers, could not run 32-bit executables, and the nanoserver image does not have the .NET Framework required for .NET apps.

Could you please share which kind of Windows image you use (nanoserver/windowsservercore) and the text of the error message from this build step?

ghost commented 6 years ago

The exe I'm trying to run is the one produced by this project: https://github.com/garethr/kubeval. The exact error message in TeamCity is:

```
Step 8/8: Attempt simple call to kubeval.exe for a single Yaml file (Command Line)
[18:22:50][Step 8/8] Starting: /opt/buildagent/temp/agentTmp/custom_script2799369918078491552
[18:22:50][Step 8/8] in directory: /opt/buildagent/work/d552e29196bcc095
[18:22:50][Step 8/8] /opt/buildagent/temp/agentTmp/custom_script2799369918078491552: 1: /opt/buildagent/temp/agentTmp/custom_script2799369918078491552: tools/kubeval/kubeval.exe: Permission denied
[18:22:50][Step 8/8] Process exited with code 126
[18:22:52][Step 8/8] Process exited with code 126
[18:22:50][Step 8/8] Step Attempt simple call to kubeval.exe for a single Yaml file (Command Line) failed
```

The EXE it's trying to call was copied from a Windows 10 machine, on which it was installed using Chocolatey. So possibly I need to create a custom TeamCity Agent image and use WGET to install kubeval on it instead. I'm just confused why the error I'm getting is about permissions, rather than it being the wrong type of EXE for the environment in which I'm trying to run it.

ghost commented 6 years ago

PS: Having a closer look at the files used by that Chocolatey installer, it looks like they're 64-bit. It also looks like you can run that project on Linux, going by its usage instructions. But whether I'll need to install it on the Agent directly remains to be seen.

dtretyakov commented 6 years ago

@Rachel-ResDiary, you could try downloading this executable via a PowerShell script in the build step like this and then use it:

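```powershell
# Allow TLS 1.2, 1.1 and 1.0 for the download
[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11, tls'
# Download the kubeval 0.7.1 Windows build from the GitHub release
Invoke-WebRequest https://github.com/garethr/kubeval/releases/download/0.7.1/kubeval-windows-amd64.zip -OutFile kubeval.zip
# Unpack the archive into ./kubeval and run the extracted executable
Expand-Archive kubeval.zip -DestinationPath kubeval
& ./kubeval/kubeval.exe
```

ghost commented 6 years ago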

@dtretyakov Thanks for that suggestion. Looks like none of our Agents are able to run PowerShell scripts, unfortunately. We likely need to download the appropriate package from here to be able to do that: https://github.com/PowerShell/PowerShell#get-powershell. Will give it a go when I'm back at work on Monday.

ghost commented 6 years ago

Thinking about this some more, I'm really back to the same issue. I don't know how to grant elevated permissions to a TeamCity Agent running in Kubernetes. Either permission to run an arbitrary EXE, or to run PowerShell commands. I know what I'd do if the Agent were running on a Windows machine. I'm just not sure how to grant additional privileges to an Agent running in a container inside Kubernetes. I'll leave this open to see if anyone has any suggestions on how to achieve that.
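
Added example (not from any participant in this thread and not part of the TeamCity project): a diagnostic for a Command Line build step on a Linux agent that separates the two failure causes discussed above, a missing execute bit and a binary built for another OS. On Linux the execute permission is checked before the file format is inspected, which is why a Windows PE file copied into the checkout without the execute bit produces `Permission denied` and exit code 126 rather than a format error. The function names `diagnose_exec` and `explain` are hypothetical; the default path is the one shown in the build log.

```shell
#!/bin/sh
# Added example: classify a file the build step is about to execute.

# diagnose_exec PATH -> prints "<format>-<mode>" or "missing"
diagnose_exec() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    # First four bytes as lowercase hex, e.g. 7f454c46 (ELF) or 4d5a9000 (PE)
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        7f454c46) kind=elf ;;      # native Linux binary
        4d5a*)    kind=pe ;;       # "MZ" header: Windows/DOS executable
        2321*)    kind=script ;;   # "#!" interpreter line
        *)        kind=unknown ;;
    esac
    # -x is false when the current user has no execute permission on the file
    if [ -x "$f" ]; then mode=exec; else mode=noexec; fi
    echo "$kind-$mode"
}

# explain VERDICT -> prints what to expect and what to change
explain() {
    case $1 in
        missing)     echo "not found: check the path and working directory" ;;
        pe-*)        echo "Windows PE binary: use the project's Linux build; permissions or elevation will not make it run" ;;
        *-noexec)    echo "no execute bit: shell reports 'Permission denied', exit 126; chmod +x fixes it" ;;
        elf-exec|script-exec) echo "runnable" ;;
        *)           echo "unrecognised format: execve will fail with ENOEXEC" ;;
    esac
}

# Default to the path from the build log when no argument is given
target=${1:-tools/kubeval/kubeval.exe}
verdict=$(diagnose_exec "$target")
echo "$target: $verdict: $(explain "$verdict")"
```

Neither outcome calls for a privileged pod or a root agent: the fix is either restoring the file mode in the build step or installing the Linux build of the tool in the step or in a custom agent image.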