docker-agent icon indicating copy to clipboard operation
docker-agent copied to clipboard

Published 20 hours ago verified publisher icon jenkinsci

Make user jenkins member of jenkins group

Open jacekbilski opened this issue 7 years ago • 5 comments

Currently, both are set up separately and not bound together. A simple "adduser jenkins jenkins" will suffice.

jacekbilski avatar Oct 29 '18 13:10 jacekbilski

WDYM ? -g adds the user to the group

RUN useradd -c "Jenkins user" -d $HOME -u ${uid} -g ${gid} -m ${user}

see https://github.com/jenkinsci/docker-slave/blob/master/Dockerfile#L33

carlossg avatar Nov 09 '18 15:11 carlossg

Interestingly enough, it should be enough, but isn't:

[xxx@euhrhb0072vdepp test]$ docker pull jenkins/jnlp-slave
Using default tag: latest
latest: Pulling from jenkins/jnlp-slave
bc9ab73e5b14: Already exists
193a6306c92a: Already exists
e5c3f8c317dc: Already exists
a587a86c9dcb: Already exists
a4c7ee7ef122: Already exists
a7c0dad691e9: Already exists
367a6a68b113: Already exists
60c0e52d1ec2: Pull complete
c9d22bc43935: Pull complete
6f0aa2dd88b5: Pull complete
4e8e324f7860: Pull complete
8ccced3434ec: Pull complete
b44ee4063cfb: Pull complete
f8a681b3ae31: Pull complete
Digest: sha256:16aea072f9465dbbe4b07af1f265e34d884be25319b11e25dd8eee736687697d
Status: Downloaded newer image for jenkins/jnlp-slave:latest
[xxx@euhrhb0072vdepp test]$ docker build .
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM jenkins/jnlp-slave
 ---> 45f5e76c8a77
Step 2/2 : USER root
 ---> Running in 835154ffd226
 ---> b582299d694e
Removing intermediate container 835154ffd226
Successfully built b582299d694e
[xxx@euhrhb0072vdepp test]$ docker run --rm -ti b582299d694e /bin/bash
root@033859c32b30:~# groups jenkins
jenkins : jenkins
root@033859c32b30:~# adduser jenkins jenkins
Adding user `jenkins' to group `jenkins' ...
Adding user jenkins to group jenkins
Done.
root@033859c32b30:~# groups jenkins
jenkins : jenkins
root@033859c32b30:~# adduser jenkins jenkins
The user `jenkins' is already a member of `jenkins'.
root@033859c32b30:~#

I also doesn't understand that, but there seems to be differences between standard Linux tools as to whether user belongs to a group or not. Oracle installer that I execute says that jenkins is not member of jenkins group and fails. Only after I execute adduser jenkins jenkins it works.

jacekbilski avatar Nov 12 '18 16:11 jacekbilski

It looks like the RUN line may need to have the -N parameter added:

-N, --no-user-group Do not create a group with the same name as the user, but add the user to the group specified by the -g option or by the GROUP variable in /etc/default/useradd. The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.

slide avatar Jul 12 '19 15:07 slide

Just as a follow-up to this issue, @jacekbilski is this impacting something specific?

slide avatar Apr 14 '20 21:04 slide

That was two customers ago. If I remember correctly I was installing some Oracle software and had to provide a group to properly set some permissions. It was easy to fix in our script just by adding adduser jenkins jenkins, but it still feels weird. Half of the system assumes user jenkins already belongs to group jenkins, the other half doesn't.

jacekbilski avatar Apr 15 '20 12:04 jacekbilski

Closing as I cannot reproduce this 2-year old issue. Tried while working on https://github.com/jenkinsci/docker-agent/pull/320, let's see if the new release (with haodlint DL3046 fixed) still have the issue.

Feel free to reopen if you still have the issue of course!

dduportal avatar Nov 12 '22 17:11 dduportal