jenkinsci / helm-charts

Jenkins helm charts
https://artifacthub.io/packages/helm/jenkinsci/jenkins
Apache License 2.0

Workspace PVC is mounted as root causing JNLP container to fail #796

Open nfalco79 opened 1 year ago

nfalco79 commented 1 year ago

Describe the bug

Every time I am attempting to mount in the jenkins agent a workspace dynamicPVC, persistentVolumeClaimWorkspaceVolume, etc., the JNLP sidecar container is not able to start with the following error:

- jnlp -- terminated (1)
-----Logs-------------
Warning: SECRET is defined twice in command-line arguments and the environment variable
Warning: AGENT_NAME is defined twice in command-line arguments and the environment variable
Feb 06, 2023 10:50:18 AM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: test-pipeline-49-264r5-lr606-jq829
Feb 06, 2023 10:50:18 AM hudson.remoting.jnlp.Main$CuiListener <init>
INFO: Jenkins agent is running in headless mode.
Feb 06, 2023 10:50:18 AM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 4.11.2
Exception in thread "main" java.io.IOException: The specified working directory should be fully accessible to the remoting executable (RWX): /home/jenkins/agent
    at org.jenkinsci.remoting.engine.WorkDirManager.verifyDirectory(WorkDirManager.java:249)
    at org.jenkinsci.remoting.engine.WorkDirManager.initializeWorkDir(WorkDirManager.java:201)
    at hudson.remoting.Engine.startEngine(Engine.java:306)
    at hudson.remoting.Engine.startEngine(Engine.java:282)
    at hudson.remoting.jnlp.Main.main(Main.java:279)
    at hudson.remoting.jnlp.Main._main(Main.java:274)
    at hudson.remoting.jnlp.Main.main(Main.java:237)

The issue seems to be that every PVC mounted to the jenkins pod template has root permissions.

/home/jenkins$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Feb  6 12:41 .
drwxr-xr-x 1 root root 4096 Feb  6 12:41 ..

There is no way to instruct the pod template about the use of a security specification for mounted volumes.

Version of Helm and Kubernetes

- Helm: 3.10.3
- Kubernetes: 1.23.12

Chart version

4.3.0

nfalco79 commented 1 year ago

As suggested here, the only solution is to set this portion of code in the raw yaml:

securityContext:
  fsGroup: 1000

hiteshnayak305 commented 8 months ago

+1

ref https://issues.jenkins.io/plugins/servlet/mobile#issue/JENKINS-72211

or

Is this parameter related? https://www.jenkins.io/doc/book/security/controller-isolation/jep-235/#api-compatibility

or

Is it related to this change? Do we need to upgrade helm binaries?

in file charts/jenkins/templates/_helpers.tpl

Before:

runAsUser: {{ .Values.agent.runAsUser }}
runAsGroup: {{ .Values.agent.runAsGroup }}

After:

{{- with .Values.agent.runAsUser }}
runAsUser: {{ . }}
{{- end }}
{{- with .Values.agent.runAsGroup }}
runAsGroup: {{ . }}
{{- end }}

NominalTrajectory commented 7 months ago

You could also add an init container to your yaml template as a workaround:

initContainers:
  - name: workspace-permission-setter
    image: busybox
    command: ["sh", "-c", "chown -R 1000:1000 /home/jenkins/agent"]
    securityContext:
      runAsUser: 0
    volumeMounts:
      - name: workspace-volume
        mountPath: /home/jenkins/agent
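The two workarounds in this thread (the fsGroup securityContext and the root init container) put together as one values file for the chart, as an added example that is not part of the issue thread or the chart's own documentation. The key names under agent (runAsUser, workspaceVolume, yamlTemplate, yamlMergeStrategy) are assumed from chart 4.x values; the storage class name is a placeholder. The fsGroup route is the one to try first, because the kubelet changes the volume's group ownership before any container starts and nothing in the pod has to run as root; the chown init container is kept as a commented-out fallback for volume drivers that ignore fsGroup (typically NFS or other ReadWriteMany backends).

```yaml
# values.yaml for the jenkinsci/jenkins chart (added example, not from the thread).
# Key names under "agent" are assumed from chart 4.x; compare them with the
# values.yaml of the chart version you deploy before applying.
agent:
  # UID/GID the JNLP container runs as; these must match the ownership the
  # workspace volume ends up with, otherwise remoting's RWX check fails.
  runAsUser: 1000
  runAsGroup: 1000

  # Workspace on a dynamically provisioned PVC, the setup described in the issue.
  workspaceVolume:
    type: DynamicPVC
    storageClassName: standard   # placeholder; use a class that exists in your cluster
    requestsSize: 1Gi

  # Merge the template below into the generated pod spec instead of replacing it.
  yamlMergeStrategy: merge

  # Option 1 (preferred): let the kubelet set group ownership of the volume.
  # fsGroup makes every mounted volume group-owned by GID 1000 with the setgid
  # bit on directories, so /home/jenkins/agent is RWX for the agent process.
  # OnRootMismatch skips the recursive chown on every start when the root of
  # the volume already has the right group (Kubernetes 1.23+).
  yamlTemplate: |-
    spec:
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch

  # Option 2 (fallback only): explicit chown from an init container, for CSI or
  # NFS drivers that do not honour fsGroup. This is the one place in the pod
  # that runs as root, so keep it to the single chown and pin the image by
  # digest in production. To use it, replace the yamlTemplate above with:
  #
  # yamlTemplate: |-
  #   spec:
  #     initContainers:
  #       - name: workspace-permission-setter
  #         image: busybox
  #         command: ["sh", "-c", "chown -R 1000:1000 /home/jenkins/agent"]
  #         securityContext:
  #           runAsUser: 0
  #           runAsNonRoot: false
  #           allowPrivilegeEscalation: false
  #         volumeMounts:
  #           - name: workspace-volume
  #             mountPath: /home/jenkins/agent
```

To confirm which option you need, exec into a failing agent pod as UID 1000 and run `ls -ld /home/jenkins/agent`: with fsGroup applied the directory shows group 1000 and the setgid bit (`drwxrwsr-x`); if it still shows `root root` after the pod restarts, the volume driver ignored fsGroup and the init container route is the remaining choice.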