jenkinsci / helm-charts

Jenkins helm charts
https://artifacthub.io/packages/helm/jenkinsci/jenkins
Apache License 2.0

Agent Volume Being Mounted As Root Instead of Jenkins #666

Open bsloan-icl opened 2 years ago

bsloan-icl commented 2 years ago

Describe the bug

We currently have Jenkins installed on AKS with the controller successfully mounted to an Azure File share. We want to mount an Azure Disk volume to the agent. When attempting to mount an Azure Disk volume on the agent, the volume is successfully mounted but as root:root instead of jenkins:jenkins. In the values file all runAsUser, runAsGroup and fsGroup keys are set to 1000 and running the 'id' command on the agent returns uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins). So I'm not sure why the volume is being mounted as root.

We are using a custom image for the agent with the following Dockerfile but as you can see the user is switched back to Jenkins afterwards:

FROM jenkins/inbound-agent:4.11.2-4
USER root
RUN apt-get update && apt-get install -y \
    curl \
    wget \
    jq \
&& rm -rf /var/lib/apt/lists/*
USER jenkins

Version of Helm and Kubernetes

- Helm: v3.7.0
- Kubernetes: v1.22.6

Chart version

jenkins-4.1.11

What happened?

1. Create a PVC using the default storage class on AKS:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-pvc-azuredisk
  namespace: ict-jenkins
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: default
  resources:
    requests:
      storage: 32Gi
2. Attempt to mount the volume on the agent using the helm chart:
  - type: PVC
    claimName: jenkins-pvc-azuredisk
    mountPath: /home/jenkins/agent/jenkins-pvc-azuredisk
    readOnly: false
3. Run a Jenkins job on the agent and execute ls -l /home/jenkins/agent and you can see the user and group are root, not jenkins.

What you expected to happen?

I would expect the properties of /home/jenkins/agent/jenkins-pvc-azuredisk to be: drwxr-xr-x 3 jenkins jenkins 4096 Jul 15 13:19 jenkins-pvc-azuredisk

Instead of: drwxr-xr-x 3 root root 4096 Jul 15 13:19 jenkins-pvc-azuredisk

How to reproduce it

Values file for the agent section

agent:
  image: "registry-here.azurecr.io/ict-jenkins-agent"
  tag: "1.1.3"
  runAsUser: 1000
  runAsGroup: 1000
  volumes:
  - type: PVC
    claimName: jenkins-pvc-azuredisk
    mountPath: /home/jenkins/agent/jenkins-pvc-azuredisk
    readOnly: false

Anything else we need to know?

No response

stevelaclasse commented 1 year ago

Yes, you are right. Here are the settings that I have used to make it work. I have unfortunately used the root user for the agent.

Jenkins agent custom Dockerfile:

FROM jenkins/inbound-agent:3107.v665000b_51092-15
USER root
RUN apt update && apt install apt-transport-https ca-certificates curl gnupg lsb-release -y
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
    $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
RUN apt-get update && apt -y install docker-ce docker-ce-cli containerd.io 

RUN usermod -aG docker jenkins

USER jenkins 

Jenkins agent helm values custom file:

agent:
  image: "#custom-registry-with-new-jenkins-agent/jenkins-agent"
  tag: "latest"
  #set the user to root to access the shared workspace on the host, as Jenkins creates the PVC with root access
  #didn't work with user ID 1000
  runAsUser: 0
  fsGroup: 0
  volumes:
  - type: HostPath
    hostPath: /tmp/jenkins_workspace
    mountPath: /tmp/jenkins_workspace
  - type: HostPath
    hostPath: /var/run/docker.sock
    mountPath: /var/run/docker.sock
  resources:
    requests:
      cpu: "512m"
      memory: "2048Mi"
    limits:
      cpu: "512m"
      memory: "2048Mi"
  workingDir: /tmp/jenkins_workspace
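
A check for the two pod shapes in this thread, as an added example that is not part of the issue or the chart: it reads a Pod spec in the form `kubectl get pod -o json` returns and flags a PVC mounted by a non-root container with no pod-level `fsGroup`, plus the root user and hostPath mounts of the workaround. The sample pods, the `jnlp` container name and the finding codes are constructed here, and the first sample assumes the rendered agent pod carries no pod-level `fsGroup`, which the issue does not show.

```python
# Added example: audit a Pod spec (shape of `kubectl get pod -o json`).
# Sample pods are constructed from the values posted in this thread.

def audit_pod(pod):
    """Return (code, container, detail) findings on volume ownership and privilege."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    fs_group = pod_sc.get("fsGroup")
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    findings = []
    for c in spec["containers"]:
        # A container-level runAsUser overrides the pod-level value.
        uid = c.get("securityContext", {}).get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            findings.append(("RUNS_AS_ROOT", c["name"], "runAsUser=0"))
        for m in c.get("volumeMounts", []):
            vol = volumes[m["name"]]
            if "hostPath" in vol:
                # The Docker socket gives the container control of the node's daemon.
                path = vol["hostPath"]["path"]
                code = "DOCKER_SOCKET" if path.endswith("docker.sock") else "HOST_PATH"
                findings.append((code, c["name"], path))
            elif "persistentVolumeClaim" in vol and uid != 0 and fs_group is None:
                # fsGroup is a pod-level field; without it the kubelet leaves the
                # volume's group ownership as the filesystem was created.
                findings.append(("PVC_NO_FSGROUP", c["name"], m["mountPath"]))
    return findings

def make_pod(uid, fs_group, volumes, mounts):
    """Build a minimal constructed Pod with one agent container."""
    sc = {} if fs_group is None else {"fsGroup": fs_group}
    return {"spec": {"securityContext": sc, "volumes": volumes, "containers": [
        {"name": "jnlp", "securityContext": {"runAsUser": uid}, "volumeMounts": mounts}]}}

PVC_VOLS = [{"name": "disk", "persistentVolumeClaim": {"claimName": "jenkins-pvc-azuredisk"}}]
PVC_MOUNTS = [{"name": "disk", "mountPath": "/home/jenkins/agent/jenkins-pvc-azuredisk"}]
# Assumption: the original agent pod had runAsUser 1000 and no pod-level fsGroup.
ORIGINAL = make_pod(1000, None, PVC_VOLS, PVC_MOUNTS)
WORKAROUND = make_pod(0, 0,
    [{"name": "ws", "hostPath": {"path": "/tmp/jenkins_workspace"}},
     {"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    [{"name": "ws", "mountPath": "/tmp/jenkins_workspace"},
     {"name": "sock", "mountPath": "/var/run/docker.sock"}])

if __name__ == "__main__":
    for label, pod in (("original", ORIGINAL), ("workaround", WORKAROUND)):
        for finding in audit_pod(pod):
            print(label, *finding)
```

Kubernetes applies `fsGroup` only to volume types that support ownership management, so it has no effect on hostPath mounts.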