Agent Volume Being Mounted As Root Instead of Jenkins
Describe the bug
We currently have Jenkins installed on AKS with the controller successfully mounted to an Azure File share. We want to mount an Azure Disk volume to the agent. When attempting to mount an Azure Disk volume on the agent, the volume is successfully mounted but as root:root instead of jenkins:jenkins. In the values file all runAsUser, runAsGroup and fsGroup keys are set to 1000 and running the 'id' command on the agent returns uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins). So I'm not sure why the volume is being mounted as root.
We are using a custom image for the agent with the following Dockerfile but as you can see the user is switched back to Jenkins afterwards:
```dockerfile
FROM jenkins/inbound-agent:4.11.2-4
USER root
RUN apt-get update && apt-get install -y \
    curl \
    wget \
    jq \
    && rm -rf /var/lib/apt/lists/*
USER jenkins
```
Version of Helm and Kubernetes
- Helm: v3.7.0
- Kubernetes: v1.22.6
Chart version
jenkins-4.1.11
What happened?
1. Create a PVC using the default storage class on AKS:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-pvc-azuredisk
  namespace: ict-jenkins
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: default
  resources:
    requests:
      storage: 32Gi
```
2. Attempt to mount the volume on the agent using the helm chart:
```yaml
- type: PVC
  claimName: jenkins-pvc-azuredisk
  mountPath: /home/jenkins/agent/jenkins-pvc-azuredisk
  readOnly: false
```
3. Run a Jenkins job on the agent and execute `ls -l /home/jenkins/agent` and you can see the user and group are root, not jenkins.
What you expected to happen?
I would expect the properties of /home/jenkins/agent/jenkins-pvc-azuredisk to be: drwxr-xr-x 3 jenkins jenkins 4096 Jul 15 13:19 jenkins-pvc-azuredisk
Instead of: drwxr-xr-x 3 root root 4096 Jul 15 13:19 jenkins-pvc-azuredisk
How to reproduce it
Values file for the agent section
```yaml
agent:
  image: "registry-here.azurecr.io/ict-jenkins-agent"
  tag: "1.1.3"
  runAsUser: 1000
  runAsGroup: 1000
  volumes:
    - type: PVC
      claimName: jenkins-pvc-azuredisk
      mountPath: /home/jenkins/agent/jenkins-pvc-azuredisk
      readOnly: false
```
Anything else we need to know?
No response
Yes, you are right. Here are the settings that I have used to make it work. I have unfortunately used the root user for the agent.
Jenkins agent custom Dockerfile:
```dockerfile
FROM jenkins/inbound-agent:3107.v665000b_51092-15
USER root
RUN apt update && apt install apt-transport-https ca-certificates curl gnupg lsb-release -y
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
RUN apt-get update && apt -y install docker-ce docker-ce-cli containerd.io
RUN usermod -aG docker jenkins
USER jenkins
```
Jenkins agent helm values custom file:
```yaml
agent:
  image: "#custom-registry-with-new-jenkins-agent/jenkins-agent"
  tag: "latest"
  #set the user to root to access the share workspace on the host, as Jenkins create the PVC with root access
  #didn't work with Userid 1000
  runAsUser: 0
  fsGroup: 0
  volumes:
    - type: HostPath
      hostPath: /tmp/jenkins_workspace
      mountPath: /tmp/jenkins_workspace
    - type: HostPath
      hostPath: /var/run/docker.sock
      mountPath: /var/run/docker.sock
  resources:
    requests:
      cpu: "512m"
      memory: "2048Mi"
    limits:
      cpu: "512m"
      memory: "2048Mi"
  workingDir: /tmp/jenkins_workspace
```
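
A way to check the PVC ownership behaviour from this thread without running as root, as an added example that is not from the issue, its replies or the chart: a standalone Pod that mounts the issue's claim with a pod-level `fsGroup: 1000`. The pod name `fsgroup-check` and the `busybox` image are assumptions; the namespace, claim name and mount path come from the issue. For volume types that support ownership management, the kubelet changes the volume's group to the `fsGroup` GID and makes it group-writable, while the owning user stays `root`.

```yaml
# Added example: standalone Pod to check volume ownership without root.
# Assumptions: pod name and busybox image are hypothetical; namespace,
# claim name and mount path are taken from the issue.
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-check
  namespace: ict-jenkins
spec:
  restartPolicy: Never
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    # fsGroup is a pod-level field: the kubelet sets the volume's group
    # to GID 1000 and adds group rwx plus setgid on directories.
    fsGroup: 1000
    # Skip the recursive ownership change when the volume root already matches.
    fsGroupChangePolicy: OnRootMismatch
  containers:
    - name: check
      image: busybox:1.36
      command:
        - sh
        - -c
        - |
          id
          ls -ld /home/jenkins/agent/jenkins-pvc-azuredisk
          # The pod ends in Error if UID 1000 cannot write to the volume.
          touch /home/jenkins/agent/jenkins-pvc-azuredisk/.write-test
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: workspace
          mountPath: /home/jenkins/agent/jenkins-pvc-azuredisk
  volumes:
    - name: workspace
      persistentVolumeClaim:
        claimName: jenkins-pvc-azuredisk
```

If `fsGroup` is applied, the pod completes and the listing in its log shows group `1000` with group write and the setgid bit on the mount directory; a listing that still shows `root root` without group write means the setting did not reach the pod spec or the volume type does not honour it.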