genuinetools / img

Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder.
https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/
MIT License

nsenter bug when running inside of a Jenkins-Slave #284

Open frankvHoof93 opened 4 years ago

frankvHoof93 commented 4 years ago

When trying to build a container inside of a jenkins-slave on a k8s-cluster I get the following error: `nsenter: cannot change root filesystem propagation: Permission denied`

I'm also not sure what the 'securityannotations' in the readme mean. When I set these annotations (under the container-template in Jenkins) the slave never spins up.

Dockerfile for slave:

```dockerfile
# Jenkins Base Slave Image. Latest is NOT used to prevent updates from breaking this Image
FROM jenkins/jnlp-slave:4.0.1-1
# Many of the commands in this file will not run as the Jenkins user. Thus, we switch to the Root-User here
USER root
# Versions of Tooling to Download
ENV NODE_VERSION=12.x
# Version 12.16.1 is the latest LTS-version at this time
# Get base dependencies
RUN apt-get update              && \
    apt-get install -y curl

# Get the Node Install
RUN curl -sL https://deb.nodesource.com/setup_${NODE_VERSION} | bash

# Install Node and npm
RUN apt-get update              && \
    apt-get install -y nodejs

# Install apt-transport-https for Yarn repository
RUN apt-get install apt-transport-https -y

# Add Yarn repository
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -   && \
    echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list

# Install Yarn
RUN apt-get update              && \
    apt-get install -y yarn

# Install dependencies for IMG
RUN apt-get update -y           && \
    apt-get install -y uidmap && \
    apt-get install -y seccomp

# Add GenuineTools IMG (for executing Docker commands)
RUN export IMG_SHA256="41aa98ab28be55ba3d383cb4e8f86dceac6d6e92102ee4410a6b43514f4da1fa" && \
    curl -fSL "https://github.com/genuinetools/img/releases/download/v0.5.7/img-linux-amd64" -o "/usr/local/bin/img" && \
    echo "${IMG_SHA256}  /usr/local/bin/img" | sha256sum -c - && \
    chmod a+x "/usr/local/bin/img"

# Set User to Jenkins
USER jenkins

ENV USER jenkins
```

In my slave (Jenkinsfile) I'm trying to run: `sh "img build -t dockerregistry:5000/${name}:latest ."` (I'm running a private registry within the same namespace).
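For reference, this is the shape of a pod manifest that carries the two security annotations the img readme refers to (AppArmor and seccomp set to `unconfined` for the one container that runs img, while the container itself stays non-root and non-privileged). It is an added example, not from the issue or the img project; the container name `jnlp` (the default agent container name used by the Jenkins Kubernetes plugin) and the image reference are assumptions.

```yaml
# Added example: Kubernetes pod running a Jenkins agent that builds with img.
apiVersion: v1
kind: Pod
metadata:
  name: jenkins-img-agent
  annotations:
    # The suffix after the slash must be the exact name of the container
    # below. The API server rejects an AppArmor annotation whose container
    # does not exist in the pod, so a mismatched name keeps the pod from
    # ever being scheduled.
    container.apparmor.security.beta.kubernetes.io/jnlp: unconfined
    container.seccomp.security.alpha.kubernetes.io/jnlp: unconfined
spec:
  containers:
  - name: jnlp                       # assumed container name
    image: example.invalid/jenkins-img-slave:latest   # constructed placeholder
    securityContext:
      runAsUser: 1000                # the "jenkins" user from the Dockerfile
      runAsNonRoot: true
      privileged: false              # img does not need a privileged container
      # allowPrivilegeEscalation is left at its default: setting it to false
      # turns on no_new_privs, which stops the setuid newuidmap/newgidmap
      # helpers from the uidmap package that img relies on.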

kekoav commented 4 years ago

Can you fix the formatting of that Dockerfile? Use triple backticks (```) to wrap the code instead of a quote.