Just installed GitLab runner service and tried to run a basic job.
I got the following output:
Password: su: Authentication failure
ERROR: Job failed: prepare environment: exit status 1. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
Googling, I found that the contents of the .bash_logout may be a problem, but my .bash_logout was blank. I created and added ssh keys for the gitlab-runner user, and was able to manually clone via ssh, but I can't get the job to run. Anyone experienced this that can offer a suggestion?
I found the issue was in the pam file. root couldn't su to gitlab-runner
Background story: GitLab runner is running as root user, in order to retrieve for example the /etc/gitlab-runner/config.toml file. If your gitlab-runner is already running rootless you might want to remove the --user gitlab-runner from the systemd service file. However, most likely your Gitlab Runner is running as root.
If you increase the security on your host machine and disable the root user and the su command. You could enable this again by editing /etc/pam.d/su file and set:
auth sufficient pam_rootok.so
Or only allow the root user to use the su command to only switch to the gitlab-runner user (without password):
auth [success=ignore default=1] pam_succeed_if.so user = gitlab-runner
auth sufficient pam_succeed_if.so use_uid user = root
Related
When I ssh into an aws ec2 Linux instance, I am ec2-user. The instance is a Jenkins master. When I try su - jenkins and entered the correct password, the system says Last login: .... which looks like the switching succeeded. But whoami says I'm still ec2-user.
What am I missing? Thanks!
jenkins is a service account, it doesn't have a shell by design. It is generally accepted that service accounts shouldn't be able to log in interactively.
if you really want to login as Jenkins, you can do so with: sudo su -s /bin/bash jenkins
I've created a jenkins server, and I am trying to build a .net core 2.0.0 project on the server. I've been able to successfully pull from source control and store source files in the workspace. However, I'm running into an issue with running the dotnet build command. This is what I'm getting.
/usr/share/dotnet/sdk/2.0.0/Microsoft.Common.CurrentVersion.targets(4116,5):
error MSB3021: Unable to copy file
"obj/Debug/netcoreapp2.0/ubuntu.16.04-x64/Musify.pdb" to
"bin/Debug/netcoreapp2.0/ubuntu.16.04-x64/Musify.pdb". Access to the
path is denied. [/var/lib/jenkins/workspace/Musify/Musify.csproj]
now, I've given read write and execute permissions to every file and directory in /usr/share/dotnet/sdk/2.0.0/, and I've given read write and execute to every file and directory in my workspace (/var/lib/jenkins/workspace/Musify). I also believe my jenkins user is part of the sudo group.
The weird thing I am experiencing, is that I am able to, as root, run dotnet build in my workspace directory (/var/lib/jenkins/workspace/Musify), and the project builds. I cannot however, get the same results under the jenkins user (who should be part of the sudo group). My question is, how can I verify that Jenkins is using the jenkins system user, and that this user has the correct permissions to run this command. I am hosting jenkins on an ubuntu 16.04 x64 server.
UPDATE:
At the command line on your jenkins host run
ps -ef | grep jenkins
the first column will give you the USERID and it should be, as you say, jenkins
Then if you can login as jenkins to the host where the jenkins server is running run the following ....
groups
this will list out the groups that jenkins is a part of
If you want to fix the dotnet build issue take following actions:
Set DOTNET_CLI_HOME environment variable on the docker to a common
path like /tmp on the container. This path is used by the dotnet
to create necessary files to build the project. Check
Dotnet build permission denied in Docker container running Jenkins
Use -o or another accessible path to create the artifacts in the desired directory. e.g. dotnet build -o /tmp/dotnet/build/
microsoftisnotthatbad.sln
Re the jenkins user problem, run whoami in the container. If you get whoami: cannot find name for user ID blahblah it means the user is not found in the passwd file. There are 2 answers under Docker Plugin for Jenkins Pipeline - No user exists for uid 1005, if item 1 did not work, try the second:
Mount the host passwd to the container.
If the jenkins user is logged using an identity provider like LDAP on the Jenkins server or the slave server your job is using, the passwd file of the host will not have the jenkins user. Check the other answer on that post.
My linux user account has the rights to run a particular sudo command without a password prompt. I am trying to implements jenkins to run this command. It is set up to ssh as my user account on the box with the Publish Over SSH plugin.
When I am in the box $USER shows the correct user, but when I try to run "sudo {command}" (which runs without password when I am using that box normally with my user) it requires password. What is causing this behavior?
Because it is configured to do so. There is file /etc/sudoers specifying these rules and there is respective manual page describing how does this file and the roles work. It is probably a good start to read.
I am trying to test a scheduled job on Rundeck by running specific commands on a 16.04 Ubuntu box, and one of those will be to switch the user from root to nodeworker.
the sequence is:
Accessing the right directory as root
cd /var/www/... (Runs with no issues)
Switching to user nodeworker, no password needed
su nodeworker
running the command git pull origin master
I tried running it with sudo su - nodeworker -c "command here", same issue, that did not work either. I ended up tailing the auth.log to find that su is giving an error for starting a session when the root session is existing, and I have no idea of a fix for it:
pam_systemd(su:session): Cannot create session: Already running in a session
And I found this issue reported for Debian, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825949
same here with rundeck user. it's used to work but not anymore. Workaround solution is creating the user (system type) manually before install the rundeck
I am getting below error while installing BigInsight in my Linux machine (RedHat 6.6). Kindly help me how to resolve this.
[ERROR] Prerequisite check - Failed to use given credentials to access nodes.Either provide root password during add node or make sure BI admin user exists on new nodes and passwordless ssh is setup from management node to new nodes that are being added. Please revisit Secure Shell page from installer UI or SSH section in response file to make sure all prerequisites are satisfied, then re-run the command.
Execute the following as root on the server and rerun
ssh-keygen -t rsa ( leave blanks at all prompts )
cat /root/.ssh/*.pub >> /root/.ssh/authorized_keys
then try root#localhost , this should not ask you for a password.