Open aporwal3 opened 2 years ago
pls, anyone got any fix to this, facing same issue :(
Facing same issue pls suggest on the same
The issue is the alpine controller image when trying to git checkout a pipeline Jenkinsfile. Only fix I see at the moment is to use centos7 instead.
Anyone from Jenkins able to address this?
After some more digging, this appears to be an issue with persistence on some storage providers.
I had disabled persistence, even set it to an emptyDir, both work with the alpine image. As soon as I enable persistence with our EFS driver, all of our permissions are set for UID and GID 1004 instead of 1000. This seems to cause the alpine image issues, but not the centos7 image, not sure on debian, as our security policies don't allow debian.
I am currently tracking down an issue in our cluster where fsGroup
is just ignored when using the EFS CSI driver.
This may be related. https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/125
thank you so much @jslay-excella for that advise. We will try to use centos7 and check.
thank you so much @jslay-excella for that advise. We will try to use centos7 and check.
You could also try updating your EFS CSI Driver to anything 1.3.6+, and set the parameters uid
and gid
on the StorageClass
to 1000
. Also could switch to another storage class that doesn't use EFS, such as gp2
or gp3
, if you have those available. These CSI Drivers should respect securityContext.fsGroup
.
These parameters are documented here.
I can also confirm this issue.
The StorageClass used is efs-sc with gidRangeStart: 1000
and gidRangeEnd: 2000
, thus the PVC was created with files under ownership 1001,1002, etc
But as specified the jenkins user has uid
and gid
1000
So I used the solution proposed by @jslay-excella and created a dedicated StorageClass for Jenkins with uid
and gid
set to 1000
and specified in the Jenkins helm chart and it worked
I arrived here while investigating https://stackoverflow.com/questions/76279791/jenkins-pipeline-from-scp-throws-stderr-fatal-not-in-a-git-directory/76399342#76399342
When i switched to centos7 based image jenkins/jenkins:lts-centos7-jdk11, Everything works fine without any modification to StorageClass. I was using debian based image earlier so the issue exists in debian image as well.
Any idea what difference centos7 and debian have with EFS?
I arrived here while investigating https://stackoverflow.com/questions/76279791/jenkins-pipeline-from-scp-throws-stderr-fatal-not-in-a-git-directory/76399342#76399342
When i switched to centos7 based image jenkins/jenkins:lts-centos7-jdk11, Everything works fine without any modification to StorageClass. I was using debian based image earlier so the issue exists in debian image as well.
Any idea what difference centos7 and debian have with EFS?
I don't think that there is any significant different between centos7 and Debian with EFS. The not a git directory
message is reported by recent versions of command line git because they have fixed a security issue that was exposed when command line git attempted to operate on a directory that is not owned by the current user. See this Jenkins community discussion for more details.
JENKINS-70540 provides a series of steps that can show the problem without requiring a container image.
The solution is to identify the root problem that is causing the ownership of the directories or files to be different than the current operating system user.
@MarkEWaite You are right. The reason centos7 image is working is because it's using an old version of git.
$ docker run -it jenkins/jenkins:lts-jdk11 git --version
git version 2.30.2
$ docker run -it jenkins/jenkins:lts-centos7-jdk11 git --version
git version 1.8.3.1
If you wish to circumvent the newly introduced security checks (I should point out that they're probably implemented for good reason and it's generally not recommended to disable them 😅), you have the option to execute the following command:
git config --global --add safe.directory "*"
You can run this command within any git repository on the Jenkins master.
Alternatively, you can achieve the same effect by creating a ~/.gitconfig
file with the following content:
[safe]
directory = *
I found that this solution resolved the issues I was encountering with Jenkins, which had been deployed via this helm chart and was running on AWS EKS with EFS mounting.
HI @tareksamni
I already have entry but still its failing while performing scm checkout, do we need cleanup any workspace inside the master pod where the jenkins is running or what else we can do for fixing this issue, right now we are facing issue in prod environment.
[safe]
directory = *
HI @tareksamni
I already have entry but still its failing while performing scm checkout, do we need cleanup any workspace inside the master pod where the jenkins is running or what else we can do for fixing this issue, right now we are facing issue in prod environment.
[safe] directory = *
If you've performed that operation on the Jenkins controller and on every Jenkins agent, then you have successfully disabled the security improvement from command line git. That should be enough. I'm not aware of any need for additional cleanup so long as that configuration exists on the Jenkins controller and on every Jenkins agent.
+
HI @tareksamni I already have entry but still its failing while performing scm checkout, do we need cleanup any workspace inside the master pod where the jenkins is running or what else we can do for fixing this issue, right now we are facing issue in prod environment.
[safe] directory = *
If you've performed that operation on the Jenkins controller and on every Jenkins agent, then you have successfully disabled the security improvement from command line git. That should be enough. I'm not aware of any need for additional cleanup so long as that configuration exists on the Jenkins controller and on every Jenkins agent.
What actually this command will do, is that mandatory for git config global level ?
What actually this command will do, is that mandatory for git config global level ?
The not a git directory
message is reported by recent versions of command line git because they have fixed a security issue that was exposed when command line git attempted to operate on a directory that is not owned by the current user. See this Jenkins community discussion for more details.
What actually this command will do, is that mandatory for git config global level ?
The
not a git directory
message is reported by recent versions of command line git because they have fixed a security issue that was exposed when command line git attempted to operate on a directory that is not owned by the current user. See this Jenkins community discussion for more details.
You mean to say security issue reported in git version, if yes can you pls tell me what is the version issue has been identified ?
You mean to say security issue reported in git version, if yes can you pls tell me what is the version issue has been identified ?
I won't do that.
You said earlier that you are affected in production. If you're affected in production, then I think it is quite reasonable that you should read the already linked pages very carefully and understand them thoroughly.
If I read the pages to you, I'm doing you a disservice by not allowing you to read them and understand them yourself. The Jenkins community discussion includes links to the security issue reported against command line git. It outlines the root of the problem and why it is more valuable to solve the root of the problem instead of applying a temporary fix.
Describe the bug
Git checkout is not working when using pipeline jenkins jobs.
Version of Helm and Kubernetes
Chart version
jenkins-4.2.3
What happened?
What you expected to happen?
Jenkins pipeline job should successfully be able to checkout the repository.
How to reproduce it
Anything else we need to know?
No response