root user in Jenkinsfile prevent jenkins to execute commands

[martinpring]

Overview of the issue

The jhipster ci-cd subgenerator creates an Jenkinsfile which I have to modify to make it run without errors.

In the Jenkinsfile the user root is used to execute processes inside the docker container. This cause problems when jenkins later want to copy to target directory which now is owned by root.

Motivation for or Use Case

To execute every step in the Jenkinsfile created by the ci-cd subgenerator.

Reproduce the error

$ mkdir jhipsterapp && cd jhipsterapp
$ yo jhipster

Create an monolith application with maven to build the backend

$ yo jhipster:ci-cd

1. Jenkins pipeline
2. What pipeline? 2a. Perform the build in a Docker container 2b. Build and publish a Docker image
3. https://localhost:5000

Add, commit and push to remote git repository

The Jenkinsfile should look like this

#!/usr/bin/env groovy

node {
    stage('checkout') {
        checkout scm
    }

    docker.image('openjdk:8').inside('-u root -e MAVEN_OPTS="-Duser.home=./"') {
        stage('check java') {
            sh "java -version"
        }

        stage('clean') {
            sh "chmod +x mvnw"
            sh "./mvnw clean"
        }

        stage('install tools') {
            sh "./mvnw com.github.eirslett:frontend-maven-plugin:install-node-and-yarn -DnodeVersion=v6.11.3 -DyarnVersion=v1.1.0"
        }

        stage('yarn install') {
            sh "./mvnw com.github.eirslett:frontend-maven-plugin:yarn"
        }

        stage('backend tests') {
            try {
                sh "./mvnw test"
            } catch(err) {
                throw err
            } finally {
                junit '**/target/surefire-reports/TEST-*.xml'
            }
        }

        stage('frontend tests') {
            try {
                sh "./mvnw com.github.eirslett:frontend-maven-plugin:yarn -Dfrontend.yarn.arguments=test"
            } catch(err) {
                throw err
            } finally {
                junit '**/target/test-results/karma/TESTS-*.xml'
            }
        }

        stage('packaging') {
            sh "./mvnw package -Pprod -DskipTests"
            archiveArtifacts artifacts: '**/target/*.war', fingerprint: true
        }

    }

    def dockerImage
    stage('build docker') {
        sh "cp -R src/main/docker target/"
        sh "cp target/*.war target/docker/"
        dockerImage = docker.build('test/jhipsterapp', 'target/docker')
    }

    stage('publish docker') {
        docker.withRegistry('https://loclahost:5000') {
            dockerImage.push 'latest'
        }
    }
}

The projects workspace directory on Jenkins will look like this:

-rw-r--r--    1 jenkins jenkins   1565 Jan  2 18:58 .angular-cli.json
-rw-r--r--    1 jenkins jenkins    475 Jan  2 18:58 .editorconfig
drwxr-xr-x    8 jenkins jenkins   4096 Jan  2 19:28 .git
-rw-r--r--    1 jenkins jenkins   3374 Jan  2 18:58 .gitattributes
-rw-r--r--    1 jenkins jenkins   1931 Jan  2 18:58 .gitignore
drwxr-xr-x    4 root    root      4096 Jan  2 18:59 .m2
drwxr-xr-x    3 jenkins jenkins   4096 Jan  2 18:58 .mvn
-rw-r--r--    1 jenkins jenkins   1171 Jan  2 18:58 .yo-rc.json
-rw-r--r--    1 jenkins jenkins   1832 Jan  2 18:58 Jenkinsfile
-rw-r--r--    1 jenkins jenkins   7052 Jan  2 18:58 README.md
-rwxr-xr-x    1 jenkins jenkins   7058 Jan  2 19:28 mvnw
-rw-r--r--    1 jenkins jenkins   5006 Jan  2 18:58 mvnw.cmd
drwxr-xr-x    3 root    root      4096 Jan  2 19:29 node
drwxr-xr-x 1120 root    root     36864 Jan  2 19:29 node_modules
-rw-r--r--    1 jenkins jenkins   4434 Jan  2 18:58 package.json
-rw-r--r--    1 jenkins jenkins  49644 Jan  2 18:58 pom.xml
-rw-r--r--    1 jenkins jenkins     37 Jan  2 18:58 postcss.config.js
-rw-r--r--    1 jenkins jenkins    117 Jan  2 18:58 proxy.conf.json
drwxr-xr-x    4 jenkins jenkins   4096 Jan  2 18:58 src
drwxr-xr-x    8 root    root      4096 Jan  2 19:30 target <- target directory is owned by root
-rw-r--r--    1 jenkins jenkins    616 Jan  2 18:58 tsconfig-aot.json
-rw-r--r--    1 jenkins jenkins    737 Jan  2 18:58 tsconfig.json
-rw-r--r--    1 jenkins jenkins   3068 Jan  2 18:58 tslint.json
drwxr-xr-x    2 jenkins jenkins   4096 Jan  2 18:58 webpack
-rw-r--r--    1 jenkins jenkins 310798 Jan  2 19:29 yarn.lock

Related issues

Suggest a Fix

• Remove '-u root' in Jenkinsfile, like this: docker.image('openjdk:8').inside('-e MAVEN_OPTS="-Duser.home=./"') everything will run as expected and the projects workspace directory on Jenkins will now look like this:

drwxr-xr-x   10 jenkins jenkins   4096 Jan  3 14:34 .
drwxr-xr-x    4 jenkins jenkins   4096 Jan  3 13:05 ..
-rw-r--r--    1 jenkins jenkins   1565 Jan  3 13:05 .angular-cli.json
-rw-r--r--    1 jenkins jenkins    475 Jan  3 13:05 .editorconfig
drwxr-xr-x    8 jenkins jenkins   4096 Jan  3 14:32 .git
-rw-r--r--    1 jenkins jenkins   3374 Jan  3 13:05 .gitattributes
-rw-r--r--    1 jenkins jenkins   1931 Jan  3 13:05 .gitignore
drwxr-xr-x    4 jenkins jenkins   4096 Jan  3 13:05 .m2
drwxr-xr-x    3 jenkins jenkins   4096 Jan  3 13:05 .mvn
-rw-r--r--    1 jenkins jenkins   1171 Jan  3 13:05 .yo-rc.json
-rw-r--r--    1 jenkins jenkins   1808 Jan  3 13:05 Jenkinsfile
-rw-r--r--    1 jenkins jenkins   7052 Jan  3 13:05 README.md
-rwxr-xr-x    1 jenkins jenkins   7058 Jan  3 14:32 mvnw
-rw-r--r--    1 jenkins jenkins   5006 Jan  3 13:05 mvnw.cmd
drwxr-xr-x    3 jenkins jenkins   4096 Jan  3 14:34 node
drwxr-xr-x 1120 jenkins jenkins  36864 Jan  3 14:34 node_modules
-rw-r--r--    1 jenkins jenkins   4434 Jan  3 13:05 package.json
-rw-r--r--    1 jenkins jenkins  49644 Jan  3 13:05 pom.xml
-rw-r--r--    1 jenkins jenkins     37 Jan  3 13:05 postcss.config.js
-rw-r--r--    1 jenkins jenkins    117 Jan  3 13:05 proxy.conf.json
drwxr-xr-x    4 jenkins jenkins   4096 Jan  3 13:05 src
drwxr-xr-x   11 jenkins jenkins   4096 Jan  3 14:36 target <- Now target directory is owned by jenkins
-rw-r--r--    1 jenkins jenkins    616 Jan  3 13:05 tsconfig-aot.json
-rw-r--r--    1 jenkins jenkins    737 Jan  3 13:05 tsconfig.json
-rw-r--r--    1 jenkins jenkins   3068 Jan  3 13:05 tslint.json
drwxr-xr-x    2 jenkins jenkins   4096 Jan  3 13:05 webpack
-rw-r--r--    1 jenkins jenkins 310798 Jan  3 14:34 yarn.lock

JHipster Version(s)

4.10.0

JHipster configuration

{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "com.company.test"
    },
    "jhipsterVersion": "4.10.0",
    "baseName": "jhipsterapp",
    "packageName": "com.company.test",
    "packageFolder": "com/company/test",
    "serverPort": "8080",
    "authenticationType": "jwt",
    "hibernateCache": "ehcache",
    "clusteredHttpSession": false,
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "h2Disk",
    "prodDatabaseType": "mysql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "maven",
    "enableSocialSignIn": false,
    "enableSwaggerCodegen": false,
    "jwtSecretKey": "",
    "clientFramework": "angularX",
    "useSass": false,
    "clientPackageManager": "yarn",
    "applicationType": "monolith",
    "testFrameworks": [
      "gatling",
      "cucumber",
      "protractor"
    ],
    "jhiPrefix": "jhi",
    "enableTranslation": false
  }

Entity configuration(s) entityName.json files generated in the .jhipster directory

Browsers and Operating System

Jenkins run on Ubuntu Server 16.04 ( Ubuntu 16.04.3 LTS )

• [x] Checking this box is mandatory (this is just to show you read everything)

[pascalgrimaud]

We have no feedback on this part. Happy to see some users !

So, it seems you're right. @martinpring : would you like to contribute to fix it ?

[cbornet]

The openjdk image only has a user root so if you do that you’ll be logged as an anonymous user. Some tools such as bower don’t like that and will fail.

[cbornet]

The correct way to fix it is to do a userns-remap. See #4600 for details

[pascalgrimaud]

The workflow is more complex than I thought. If I understand well:

• Jenkins is installed on a machine, with jenkins user
• The clone/checkout is done by jenkins
• Then, the build is done inside Docker, with user root, so the target folder belongs to root
• After that, Jenkins tried to copy some files into target folder, but it can't

[gmarziou]

I know this has been discussed at length in #4600 but I really wonder whether the use of Docker should be a question of ci-cd generator. Beside this user mapping issue, I'm also concerned by memory settings for both java and node as we know it's something to be careful with in Docker, this morning I just had to increase max_old_space_size to 6GB for webpack prod build.

[martinpring]

@pascalgrimaud the workflow is as you described it. I'm out of town a few days but will read what is said in #4600 It seems that this issue will affect more things so I will follow the discussion further.

[PierreBesson]

IMO we already have a standard way to build docker image and that is using the dockerfile maven plugin. I know doing this with the Jenkinsfile might give a better UI and access to Jenkins API but it would be better if we stick to the standard way which is mvn dockerfile:build

[cbornet]

@PierreBesson the problem would be that if you use a docker image to build you need to do docker-in-docker which is a PITA...

[gmarziou]

@cbornet I understand that the use of docker is meant to install as less as possible dependencies/plugins in Jenkins but as far as I know the only dependency our builds have is the JDK, mvn and gradle are installed locally due to wrappers, node/npm/yarn are also installed locally due to frontend-maven-plugin.

So I really think docker should be an option.

[cbornet]

@gmarziou it IS an option 😃

[gmarziou]

😳 Oops, sorry it's been long time since I used it . Just did it now and it's great. :)

[pascalgrimaud]

One solution I found is to add a new question: Do you use a Dockerized Jenkins version ?

• Normal Jenkins: without -u root
• Dockerized Jenkins: like now

What do you think?

[cbornet]

I don’t think this is linked to using a dockerized jenkins

[jdubois]

This has been stuck for more than 2 months, should we close it as we can't find a good solution? I understand we need to use userns-remap but that's a lot of work, and it's complex to test - if nobody volunteers to do this, let's close this

[pascalgrimaud]

yes, let's close this In all case, I need to test the CICD before the JHipster release v5, and will probably rework this sub generator as we won't need bower/gulp anymore