I have built self-hosted ubuntu agents running in docker.
All works fine, build agent is working etc.
except everything in pipeline steps is being executed as root instead of non-root user.
E.g. When I try to execute "npm ci" and I look at my build-agent logs:
; node bin location = /usr/bin/node
; cwd = /azp/agent/_work/1/s/Core
; HOME = /root
vs logs from Microsoft hosted build-agent:
; node bin location = /usr/local/bin/node
; cwd = /home/vsts/work/1/s/Core
; HOME = /home/vsts
this gives me issues in lot of stages as running some commands as root requires different settings etc.
Does anyone know how to change it from ROOT?
I tried within dockerfile and within start.sh script provided by microsoft but that did not worked. Build agent would not start at all if I would execute start.sh as docker user instead of root.
Any clues? ideas?
You can install your linux agent under the account to change it from root like /home/{accountname}/.
Below is the steps about how to install the linux agent under the non-root user.
Connect to linux agent by non-root user
ssh useraccount#linuxIp
Create a folder and cd the folder.
mkdir myagent && cd myagent
Download the package from the url.
wget https://vstsagentpackage.azureedge.net/agent/2.155.1/vsts-agent-linux-x64-2.155.1.tar.gz
Unzip the file.
tar xzf vsts-agent-linux-x64-2.155.1.gz
Config the linux Agent
Related
I am following the following doc to deploy to Kubernetes from Jenkins. I have installed jenkins in my own VM. But getting following error when build is run
+ docker build -t myregistry.azurecr.io/my-svc:latest7 ./my-svc
cannot create user data directory: /var/lib/jenkins/snap/docker/321: Read-only file system
Build step 'Execute shell' marked build as failure
Finished: FAILURE
However all the directories have jenkins use as the owner, I am not sure why it is getting into permission issues.
poc#poc-ubuntu:~$ ls -ltr /var/lib/
drwxr-xr-x 18 jenkins jenkins 4096 Feb 18 16:45 jenkins
Was running into the same exact issue. Here's the workaround (from user Gargoyle (g-rgoyle) here) that worked for me:
Stop Jenkins: service jenkins stop
Manually change Jenkins home dir: mv /var/lib/jenkins /home/jenkins
Change jenkins users homedir in (might not be necessary after #2): usermod -m -d /home/jenkins jenkins
Set homedir in Jenkins config: nano /etc/default/jenkins then go down to variable "JENKINS_HOME" and set value to "/home/$NAME"
Start Jenkins: service jenkins start
I believe you must be extending the Jenkins image. /var/lib/jenkins is a mount point. You can't create a directory at build time from dockerfile. If you need to create a folder in that directory then try to create using init script at container runtime
I've created a jenkins server, and I am trying to build a .net core 2.0.0 project on the server. I've been able to successfully pull from source control and store source files in the workspace. However, I'm running into an issue with running the dotnet build command. This is what I'm getting.
/usr/share/dotnet/sdk/2.0.0/Microsoft.Common.CurrentVersion.targets(4116,5):
error MSB3021: Unable to copy file
"obj/Debug/netcoreapp2.0/ubuntu.16.04-x64/Musify.pdb" to
"bin/Debug/netcoreapp2.0/ubuntu.16.04-x64/Musify.pdb". Access to the
path is denied. [/var/lib/jenkins/workspace/Musify/Musify.csproj]
now, I've given read write and execute permissions to every file and directory in /usr/share/dotnet/sdk/2.0.0/, and I've given read write and execute to every file and directory in my workspace (/var/lib/jenkins/workspace/Musify). I also believe my jenkins user is part of the sudo group.
The weird thing I am experiencing, is that I am able to, as root, run dotnet build in my workspace directory (/var/lib/jenkins/workspace/Musify), and the project builds. I cannot however, get the same results under the jenkins user (who should be part of the sudo group). My question is, how can I verify that Jenkins is using the jenkins system user, and that this user has the correct permissions to run this command. I am hosting jenkins on an ubuntu 16.04 x64 server.
UPDATE:
At the command line on your jenkins host run
ps -ef | grep jenkins
the first column will give you the USERID and it should be, as you say, jenkins
Then if you can login as jenkins to the host where the jenkins server is running run the following ....
groups
this will list out the groups that jenkins is a part of
If you want to fix the dotnet build issue take following actions:
Set DOTNET_CLI_HOME environment variable on the docker to a common
path like /tmp on the container. This path is used by the dotnet
to create necessary files to build the project. Check
Dotnet build permission denied in Docker container running Jenkins
Use -o or another accessible path to create the artifacts in the desired directory. e.g. dotnet build -o /tmp/dotnet/build/
microsoftisnotthatbad.sln
Re the jenkins user problem, run whoami in the container. If you get whoami: cannot find name for user ID blahblah it means the user is not found in the passwd file. There are 2 answers under Docker Plugin for Jenkins Pipeline - No user exists for uid 1005, if item 1 did not work, try the second:
Mount the host passwd to the container.
If the jenkins user is logged using an identity provider like LDAP on the Jenkins server or the slave server your job is using, the passwd file of the host will not have the jenkins user. Check the other answer on that post.
I am new to linux world. So please excuse for any stupid questions.
I have a linux machine and I don’t have root access. I have service account which have full access to app folder. My login (ssh) credentials don’t have access to that app folder.
So I will follow the below process.
1) Copy the app folder in windows machine to /tmp/ in linux using winscp.
2) Login to the machine using putty.
3) Change the user to service account using below command.
sudo su – “service account”
4) Then I will copy app files from /tmp/ folder to /app/ folder and start the other configurations.
I want to automate the above process. So for I did below.
#Copy files to tmp folder
winscp.com -hostkey=* user:"password"#host /command "put D:/app_folder/ /tmp/ app_folder"
#Execute the script remotely
plink user:#host -m D:\Install_app.sh
The above script is running fine until I run test echo commands. It is started throwing errors when I run configuration commands due to user don’t have access to app folder. Only service account has access. But service account doesn’t have remote login access. So I can’t run the script with service account.
So I tried to run commands inside the script with service account. I tried below
Echo “password” | sudo –S su - “service account” “commands”
It is not working. Could you please let me know is there any other way to achieve this. I want to change user inside the script, once script start executing.
Note: The process is following by linux admin team due to security reason. So I can’t change the process :(.
Error:
Failed to connect to repository : Command "/usr/bin/git ls-remote -h file:///home/myuser/path/to/project HEAD" returned status code 128:
stdout:
stderr: fatal: 'home/myuser/path/to/project' does not appear to be a git repository
fatal: The remote end hung up unexpectedly
I have tried the following:
chmod 777 to the repo folder(folder containing .git directory)
chowned to jenkins:jenkins on the repo folder
tried to clone into another folder from this local repo folder: this works!
When I run the above command: /usr/bin/git ls-remote -h file:///home/myuser/path/to/project HEAD on cmd I get the branches.
My questions are:
why is git ls-remote -h ... command called when it should be git clone ...?
How to configure jenkins git plugin to fetch code from local repo
My environment:
RHEL 5.9
Jenkins 1.519 installed as a service(no Web container)
Git plugin
When installing Jenkins as a service, by default, Jenkins does not create a user directory as in: /home/jenkins. Jenkins default home directory is set to /var/lib/jenkins. From my work-around, as you would expect, jenkins has trouble accessing local resources from other users directory.
I moved my cloned repo under Jenkins default home directory i.e. under /var/lib/jenkins so my Repository URLin Jenkins Project configuration looks like: file:///${JENKINS_HOME}/repo/<myprojectname>
UPDATE:
The above works fine ...but I found a better way to do it from this blog
The steps are outlined here:
look up /etc/init.d/jenkins script. There are a few $JENKINS variables defined
. This should lead you to the sysconfig for jenkins i.e. /etc/sysconfig/jenkins.
Stop your jenkins instance:
sudo /sbin/service jenkins stop
Take a backup
cp /etc/sysconfig/jenkins /etc/sysconfig/jenkins.bak
In this file, change the following property:
$JENKINS_USER="<your desired user>"
Change ownership of all related Jenkins directories:
chown -R <your desired user>:<your user group> /var/lib/jenkins
chown -R <your desired user>:<your user group> /var/cache/jenkins
chown -R <your desired user>:<your user group> /var/log/jenkins
Restart jenkins and that error should disappear
sudo /sbin/service jenkins start
This error should go away now!
It's been a while since this question was asked, but I had this problem today and there are very few resources. Most probably, because people tend to connect to git repositories remotely.
I checked using strace what exactly jenkins was doing and yes, it was a problem with permissions.
But I solved it in a simpler way than answer #2 - by adding jenkins to the git server group - in my case, git1:
root# gpasswd -a jenkins git1
root# service jenkins restart
I'm running Jenkins on Windows and had the same problem. I was able to solve this by having the Jenkins service log in as my user on my laptop.
(Windows 7)
Open Task Manager (Ctrl + Shift + Escape)
(Windows 10 only) Click on More Details in the lower left corner of the pop up window
Go to the Services tab
Click the Services... button
Find "Jenkins" in the list of services
Right-click "Jenkins" and click on Properties
Click the Log On tab in the Jenkins Properties window
Choose This account: under Log on as:
Enter your username and password
Click OK
Restart the Jenkins service
Then Bob's your uncle.
Jenkins uses git clone command only for the first time when a workspace is configured for a project. Further instances uses the git ls-remote command.
I had the same issue when I configured Jenkins. It was resolved by playing around with the SSH Keys. This looks like a configuration issue as well. Check if SSH Keys are setup for the Jenkins account.
Also, see the step by step procedure of configuration of SSH in the link provided. This might not give you exact solution, but can point you to the solution.
http://oodlestechnologies.com/blogs/How-to-setup-Jenkins-With-Grails-on-Ubuntu
I find that the other solutions are a bit "hacky" for me. What I did was move the Jenkins Home folder from /Users/Shared/ to /Users/[myacccount]/. This way, my Jenkins will have access to my repos and to my Android SDK (because that's where I use Jenkins for). Then change the JENKINS_HOME environment variable. I did this by entering the JENKINS_HOME in my .bash_profile (but there are other ways to do this).
Note: I use OSX
Instead of file:/// you can also use ssh:// as in this answer:
ssh://YOUR_USER#localhost/PATH_TO_YOUR_PROJECT
Note that you need to do the standard ssh setup:
Generate a keypair using ssh-keygen if you don't already have one in ~/.ssh
Paste private key (default ~/.ssh/id_rsa) into Jenkins (project settings, git repo, credentials)
Paste public key into ~/.ssh/authorized_keys
I'm trying to get a fairly simple deploy process going for a Node app using Gitolite. I have Gitolite setup and working on my server, and I'm able to push to it fine.
Gitolite is running under a user called git, and I've setup a node user that I'm hoping to use to run the Node app.
My plan is to push the Node app to Gitolite, and then use a post-receive hook script to move the app files to the directory where the app lives, in this case /var/local/node-apps/my-node-app/. I created the Node app folder like this:
sudo mkdir -p /var/local/node-apps/my-node-app
sudo chown node /var/local/node-apps/my-node-app
The problem is that I'm a Unix noob and I haven't got my head round file/folder permissions and wotnot.
/var/local/node-apps (and also /var/local/node-apps/my-node-app) is owned by the node user, so when the git user tries to checkout to this location I get a bunch of permission denied errors. The command I'm using in the post-receive is:
GIT_WORK_TREE=/var/local/node-apps/my-node-app git checkout -f
And I get errors like this:
remote: error: git checkout-index: unable to create file XXXX (Permission denied)
remote: fatal: cannot create directory at 'XXXX': Permission denied
What's the best way to resolve this? Do I need to grant the git user password-less sudo rights to su as the node user? Or can this be somehow fixed by changing groups and folder permissions? Or a different approach entirely? I'm lost!
Thanks!
Using sudo would certainly work, you have one example at "post-receive hook permission denied “unable to create file” error", wrapping the git commands in a script.
Changed post-receive to:
sudo sh /usr/local/sbin/prgetsimpleappscom
Changed sudoers with visudo
git ALL = (root) NOPASSWD: /bin/sh /usr/local/sbin/prgetsimpleappscom
The other approach would be a cron job as node user regularly fetching and (if there are new commit) pulling in the destination repo.