cider-security-research / cicd-goat

A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.
Apache License 2.0

jenkins-server not starting: "[WARN tini (7)] Tini is not running as PID 1 and isn't registered as a child subreaper." #56

Closed huornlmj closed 1 year ago

huornlmj commented 1 year ago

Install cicd-goat

$ curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
$ cd cicd-goat && docker-compose up -d

Ubuntu 22.04 and Ubuntu 20.04. Docker version 20.10.21, build 20.10.21-0ubuntu1~22.04.2

$ docker ps
CONTAINER ID   IMAGE                                      COMMAND                  CREATED          STATUS                         PORTS                                                                                               NAMES
cbd97a1cdcfb   docker:20.10.21-dind                       "dockerd-entrypoint.…"   30 minutes ago   Up 30 minutes                  2375-2376/tcp                                                                                       docker
efd39d190e1f   cidersecurity/goat-gitea:latest            "/setup/run.sh"          30 minutes ago   Up 30 minutes                  22/tcp, 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp                                                   gitea
b5fe8c5e6728   localstack/localstack:0.14.1-amd64         "docker-entrypoint.sh"   30 minutes ago   Up 30 minutes                  4510-4559/tcp, 4566/tcp, 5678/tcp                                                                   localstack
8c037b4d677d   cidersecurity/goat-jenkins-agent:latest    "setup-sshd"             30 minutes ago   Up 30 minutes                  22/tcp                                                                                              jenkins-agent
c963e1b59026   cidersecurity/goat-gitlab:latest           "/setup/run.sh"          30 minutes ago   Up 30 minutes (unhealthy)      22/tcp, 443/tcp, 0.0.0.0:5050->5050/tcp, :::5050->5050/tcp, 0.0.0.0:4000->80/tcp, :::4000->80/tcp   gitlab
55eddb2c3f57   cidersecurity/goat-prod:latest             "dockerd-entrypoint.…"   30 minutes ago   Up 30 minutes                  2375-2376/tcp, 0.0.0.0:2222->22/tcp, :::2222->22/tcp, 0.0.0.0:8008->80/tcp, :::8008->80/tcp         prod
16dc909767de   cidersecurity/goat-jenkins-server:latest   "/var/jenkins_home/r…"   30 minutes ago   Restarting (1) 6 seconds ago                                                                                                       jenkins-server
6ee968e97414   cidersecurity/goat-gitlab-runner:latest    "/setup/run.sh"          30 minutes ago   Up 30 minutes                  2375-2376/tcp                                                                                       gitlab-runner
7d92c7e55e1c   cidersecurity/goat-ctfd:latest             "/opt/CTFd/docker-en…"   30 minutes ago   Up 30 minutes                  0.0.0.0:8000->8000/tcp, :::8000->8000/tcp                                                           ctfd

The jenkins-server container is having difficulties.

[WARN  tini (7)] Tini is not running as PID 1 and isn't registered as a child subreaper.
Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
rm: cannot remove '/var/jenkins_home/secrets.properties': No such file or directory
rm: cannot remove '/var/jenkins_home/jenkins.yaml': No such file or directory
/var/jenkins_home/run.sh: line 14: fg: no job control

This error is repeated over and over again.

TupleType commented 1 year ago

Can you clone the repository and try to upgrade the Jenkins docker image in the Dockerfile to the latest? Build the image and let me know if it solves the problem.

huornlmj commented 1 year ago

Assuming it's the ./jenkins-server/Dockerfile file, which changes are needed?

FROM jenkins/jenkins:2.332.1-jdk11
ARG COMMIT_SHA
ARG VERSION

LABEL org.opencontainers.image.vendor="Cider Security" \
    org.opencontainers.image.title="CI/CD Goat - Jenkins server" \
    org.opencontainers.image.description="Deliberately vulnerable CI/CD environment." \
    org.opencontainers.image.url="https://hub.docker.com/r/cidersecurity/goat-jenkins-server" \
    org.opencontainers.image.source="https://github.com/cider-security-research/cicd-goat" \
    org.opencontainers.image.licenses="Apache-2.0" \
    org.opencontainers.image.version=$VERSION \
    org.opencontainers.image.revision=$COMMIT_SHA

ENV JAVA_OPTS "-Djenkins.install.runSetupWizard=false"
ENV SECRETS_FILE /var/jenkins_home/secrets.properties

COPY --chown=jenkins:jenkins flag5.txt /var/jenkins_home/flag5.txt
COPY --chown=jenkins:jenkins run.sh /var/jenkins_home/run.sh
COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli --clean-download-directory -f /usr/share/jenkins/ref/plugins.txt && \
    chmod 755 /var/jenkins_home/run.sh
COPY --chown=jenkins:jenkins secrets.properties /var/jenkins_home/secrets.properties
COPY --chown=jenkins:jenkins jenkins.yaml /var/jenkins_home/jenkins.yaml
COPY --chown=jenkins:jenkins jobdsl/ /var/jenkins_home/jobdsl/
ENTRYPOINT ["/var/jenkins_home/run.sh"]

would it simply be:

FROM jenkins/jenkins:latest ?

TupleType commented 1 year ago

Please use FROM jenkins/jenkins:2.401-jdk11

huornlmj commented 1 year ago

That's the same as the jenkins-server/Dockerfile file in the main branch. Where or how do you suggest I "try to upgrade the Jenkins docker image in the Dockerfile to the latest?"

TupleType commented 1 year ago

I edited the comment

huornlmj commented 1 year ago

I edited the comment

I'm sorry but I don't understand your instructions. You said you edited your comment, but you simply changed "see if it solves the problem." to "let me know if it solves the problem.". Can you paste a code chunk and file:line numbers I should edit?

TupleType commented 1 year ago

It's ok I meant the other one FROM jenkins/jenkins:2.401-jdk11

huornlmj commented 1 year ago

I used FROM jenkins/jenkins:2.401-jdk11 in the jenkins-server/Dockerfile file and ran docker-compose up -d. The jenkins-server is still restarting with the same error.

TupleType commented 1 year ago

Did you build the image using docker build or docker compose up -d --build jenkins-server?

huornlmj commented 1 year ago

No. This was the detail I was looking for. I assume I should first docker-compose down --remove-orphans and then docker compose up -d --build jenkins-server ?

huornlmj commented 1 year ago

Also, it's docker-compose for me, not docker compose

huornlmj commented 1 year ago

That didn't work.

$ docker-compose up -d --build jenkins-server
Creating network "cicd-goat-cloned_goat" with driver "bridge"
Creating jenkins-server ... done

$ docker ps
CONTAINER ID   IMAGE                                      COMMAND                  CREATED         STATUS                  PORTS                                                                                      NAMES
a8067c22133b   cidersecurity/goat-jenkins-server:latest   "/var/jenkins_home/r…"   7 seconds ago   Up Less than a second   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:50000->50000/tcp, :::50000->50000/tcp   jenkins-server

$ docker logs -f jenkins-server
[WARN  tini (8)] Tini is not running as PID 1 and isn't registered as a child subreaper.
Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
/var/jenkins_home/run.sh: line 14: fg: no job control
[WARN  tini (7)] Tini is not running as PID 1 and isn't registered as a child subreaper.
Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
[/var/jenkins_home/plugins/configuration-as-code.jpi]
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
rm: cannot remove '/var/jenkins_home/secrets.properties': No such file or directory
rm: cannot remove '/var/jenkins_home/jenkins.yaml': No such file or directory
/var/jenkins_home/run.sh: line 14: fg: no job control
[WARN  tini (7)] Tini is not running as PID 1 and isn't registered as a child subreaper.
Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
SNIP
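The `fg: no job control` line in the log above is what a non-interactive shell reports when a start script backgrounds a child and then tries to foreground it. The script below is an added example, not the project's run.sh (whose contents are not shown in this thread); it reproduces that failure and shows the `wait`-based pattern with an idempotent cleanup of the two bootstrap files the log names. `fake_jenkins`, `start_with_fg` and `start_with_wait` are constructed names.

```shell
#!/bin/sh
# Added example (not the project's run.sh, whose contents are not on this page).
# Shows why a container start script dies with "fg: no job control" and the
# portable pattern that avoids it. All names below are constructed.

# Constructed stand-in for the real service process (jenkins.sh in the image).
fake_jenkins() { sleep 1; }

# Failing pattern: background the service, then try to bring it back with `fg`.
# Job control is off in a non-interactive shell, so `fg` errors out, the script
# exits non-zero and the container goes into a restart loop, as in the log.
# Run in a subshell so the failure is observed rather than aborting the caller.
start_with_fg() {
    ( fake_jenkins & fg 2>/dev/null )
}

# Working pattern: keep the child's PID, scrub the bootstrap secret files once
# the service has been started, then block with `wait`, which needs no job
# control and returns the child's exit status. `rm -f` keeps the cleanup
# idempotent, so a restart does not produce "cannot remove ... No such file".
start_with_wait() {
    dir=$1
    fake_jenkins &
    pid=$!
    rm -f "$dir/secrets.properties" "$dir/jenkins.yaml"
    wait "$pid"
}
```

The tini warning in the same log is a separate symptom: tini prints it whenever another process (here the wrapper script) holds PID 1. Handing over with `exec` silences it, but then no script remains to remove the bootstrap files after the service starts, which is why a wrapper that stays in the foreground needs the `wait` pattern rather than `fg`.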

TupleType commented 1 year ago

Have you tried adding more CPU and RAM to the machine?

TupleType commented 1 year ago

If that doesn't work then sadly I don't know what else to do because this problem is specific to your setup. You can check out the project's CI which shows that everything works.

huornlmj commented 1 year ago

Have you tried adding more CPU and RAM to the machine?

Yes I tried that.

huornlmj commented 1 year ago

So my conclusion is that it may be down to either the type of hypervisor the host is running on or the type of CPU.

Here's an Ubuntu 22.04 VM that it works on ($ lscpu)

$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         43 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  4
  On-line CPU(s) list:   0-3
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Core(TM) i7-8665U CPU @ 1.90GHz
    CPU family:          6
    Model:               142
    Thread(s) per core:  1
    Core(s) per socket:  1
    Socket(s):           4
    Stepping:            12
    BogoMIPS:            4224.00
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid rdseed adx smap clflushopt xsaveopt xsavec xsaves arat md_clear flush_l1d arch_capabilities
Virtualisation features: 
  Hypervisor vendor:     VMware
  Virtualisation type:   full
Caches (sum of all):     
  L1d:                   128 KiB (4 instances)
  L1i:                   128 KiB (4 instances)
  L2:                    1 MiB (4 instances)
  L3:                    32 MiB (4 instances)
NUMA:                    
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-3
Vulnerabilities:         
  Itlb multihit:         KVM: Mitigation: VMX unsupported
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
  Retbleed:              Mitigation; Enhanced IBRS
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Enhanced IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
  Srbds:                 Unknown: Dependent on hypervisor status
  Tsx async abort:       Not affected

And here's an Ubuntu 22.04 VM that it DOESN'T work on:

$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         42 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  8
  On-line CPU(s) list:   0-7
Vendor ID:               GenuineIntel
  Model name:            Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz
    CPU family:          6
    Model:               79
    Thread(s) per core:  1
    Core(s) per socket:  1
    Socket(s):           8
    Stepping:            1
    BogoMIPS:            4394.91
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat md_clear flush_l1d arch_capabilities
Virtualization features:
  Hypervisor vendor:     VMware
  Virtualization type:   full
Caches (sum of all):
  L1d:                   256 KiB (8 instances)
  L1i:                   256 KiB (8 instances)
  L2:                    2 MiB (8 instances)
  L3:                    440 MiB (8 instances)
NUMA:
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-7
Vulnerabilities:
  Itlb multihit:         KVM: Mitigation: VMX unsupported
  L1tf:                  Mitigation; PTE Inversion
  Mds:                   Mitigation; Clear CPU buffers; SMT Host state unknown
  Meltdown:              Mitigation; PTI
  Mmio stale data:       Mitigation; Clear CPU buffers; SMT Host state unknown
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl and seccomp
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, IBPB conditional, IBRS_FW, STIBP disabled, RSB filling
  Srbds:                 Not affected
  Tsx async abort:       Mitigation; Clear CPU buffers; SMT Host state unknown