    hervelemeur
    @hervelemeur:matrix.org
    [m]

    Also, I got this code section from Amazon

    Which url?

    DoofusCanadensis
    @kenrachynski:matrix.org
    [m]
    direct from Amazon staff... they built a sample pipeline
    I'd have to ask him where he sourced it
    dduportal
    @dduportal:matrix.org
    [m]
    @timja: as I'm not admin of https://github.com/jenkinsci/docker-inbound-agent and https://github.com/jenkinsci/docker-agent, I cannot check whether there are legacy webhooks and/or deploy keys. I would want to make sure that I can safely close jenkinsci/docker-inbound-agent#295 so I would want to check there are no more "parasitic" deploy builds. Could you help me by checking or granting me permissions?
    Tim Jacomb
    @timja
    @dduportal:matrix.org granted
    dduportal
    @dduportal:matrix.org
    [m]
    AH AH one last "Docker Cloud" SSH deploy keys
    Thanks @timja ! I've removed the remaining SSH key "Docker Cloud" from both repositories (used within the last 3 months for both...).
    Tim Jacomb
    @timja
    let's hope nothing re-adds it :p
    dduportal
    @dduportal:matrix.org
    [m]
    "An old system is maintained by an even older system" :D
    papi83dm
    @papi83dm
    @dduportal:matrix.org I'm trying to switch my custom docker agent image from jenkins/agent to jenkins/inbound-agent. The only difference between the two images is the startup script. What is different in that startup script?
    dduportal
    @dduportal:matrix.org
    [m]
    (we do not have any reason to shrink or not shrink layers honestly: it is just not worth the effort for us)
    papi83dm
    @papi83dm
    More layers take more time to download the image and process them. What is the docker hub url for this? https://github.com/jenkins-infra/docker-helmfile/blob/main/Dockerfile
    hervelemeur
    @hervelemeur:matrix.org
    [m]
    dduportal
    @dduportal:matrix.org
    [m]
    @papi83dm: thanks for the link. We (jenkins infra) are switching gradually to using packer (https://github.com/jenkins-infra/packer-images) which generates a single "big" layer.

    @papi83dm: the "download faster" is really not a general rule to be honest. With more layers, if done correctly (e.g. with layers changing frequently on the bottom part), the pull of images can be only on the changed layers which is clearly faster than a 2 Gb single layer. So the rule is "it depends".

    As the adage says, "premature optimization is the root of all evil": start with an image that you can build, test and deploy efficiently (so you can add changes to your jenkins quickly) and which meets your goals. Then measure the download/build times and optimize from here.

    papi83dm
    @papi83dm
    @dduportal:matrix.org when I tried to use packer to do my jenkins-agent docker, I was struggling switching to the root user, do they allow that now ?
    DoofusCanadensis
    @kenrachynski:matrix.org
    [m]
    I don’t know about packer, but you can use USER root, do what you need as root, and then USER jenkins when you’re done. In a custom Dockerfile
    papi83dm
    @papi83dm
    @kenrachynski:matrix.org exactly if you are using Dockerfile, however that doesn't seem to be as easy as you described with packer. A few months ago I couldn't get this dockerfile to build with packer.
    FROM jenkins/inbound-agent:3077.vd69cf116da_6f-3-alpine-jdk11
    
    USER root
    RUN apk add --no-cache \
      ca-certificates \
      curl \
      jq
    USER jenkins
    ENTRYPOINT ["/usr/local/bin/jenkins-agent"]
    dduportal
    @dduportal:matrix.org
    [m]
    @papi83dm: packer does not build dockerfiles :)
    dduportal
    @dduportal:matrix.org
    [m]
    @papi83dm: that would be a packer HCL manifest like this:
    source "docker" "jenkins-agent" {
      # parent image
      image = "jenkins/inbound-agent:3077.vd69cf116da_6f-3-alpine-jdk11"
    
      # Persist image on local docker engine
      commit = true
    
      # Image metadata
      changes = [
        "ENTRYPOINT [\"/usr/local/bin/jenkins-agent\"]",
        "USER jenkins",
      ]
    
      exec_user = "root"
    }
    
    build {
      sources = ["sources.docker.jenkins-agent"]
    
      provisioner "shell" {
        inline = ["apk add --no-cache ca-certificates curl jq"]
      }
    
      post-processor "docker-tag" {
        repository = "custom/agent"
        tags       = ["latest", "1.0.0"]
      }
    }
    papi83dm
    @papi83dm
    @dduportal:matrix.org thanks, looks like they added exec_user recently
    looks like they added it on August 16, and I was trying it at the beginning of August
    dduportal
    @dduportal:matrix.org
    [m]
    @papi83dm: yeah, the packer « build/source » syntax is confusing (but powerful)
    Gerome
    @Gthevampire_gitlab

    Hi all, I am following the documentation on how to install Jenkins with docker (https://www.jenkins.io/doc/book/installing/docker/) and I got an error while building the Jenkins image, at plugins installation:

    Step 8/8 : RUN jenkins-plugin-cli --plugins "blueocean:1.25.8 docker-workflow:521.v1a_a_dd2073b_2e"
     ---> Running in 94f2d09719fc
    Unable to create plugin directory: '/usr/share/jenkins/ref/plugins', supply a directory with -d <your-directory>

    There seems to be a problem with the directory ownership but I don't know why I have this error on this machine while it is working on another one of mine. Maybe some docker global configuration ? Do you have any idea where it can come from ?

    Gerome
    @Gthevampire_gitlab
    ok, I found where the issue comes from. It is my /etc/docker/daemon.json that has a userns-remap. But I need to keep it for other dockers so I need to find how to deal with it
    dduportal
    @dduportal:matrix.org
    [m]
    @Gthevampire_gitlab: interesting. The path /usr/share/jenkins/ is expected to be owned by the UID 1000 inside the image. It should not be a data volume so I wonder why there is this error. Do you mind sharing your Dockerfile ?
    Gerome
    @Gthevampire_gitlab
    @dduportal:matrix.org well I am using the one from the Jenkins documentation so I really don't mind sharing :)
    FROM jenkins/jenkins:2.375.1-jdk11
    USER root
    RUN apt-get update && apt-get install -y lsb-release
    RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc \
      https://download.docker.com/linux/debian/gpg
    RUN echo "deb [arch=$(dpkg --print-architecture) \
      signed-by=/usr/share/keyrings/docker-archive-keyring.asc] \
      https://download.docker.com/linux/debian \
      $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
    RUN apt-get update && apt-get install -y docker-ce-cli
    USER jenkins
    RUN jenkins-plugin-cli --plugins "blueocean:1.25.8 docker-workflow:521.v1a_a_dd2073b_2e"
    and when exploring the files in the docker, I indeed see that /usr/share/jenkins/ref belongs to root:root
    halkeye
    @halkeye:g4v.dev
    [m]

    Gthevampire_gitlab (Gerome):

    docker run -it --rm jenkins/jenkins:2.375.1-jdk11 ls -ltd /usr/share/jenkins/ref
    drwxr-xr-x 1 jenkins root 4096 Nov 30 11:07 /usr/share/jenkins/ref

    that's so weird, I don't see why it would be root

    Gerome
    @Gthevampire_gitlab

    with this Dockerfile:

    FROM jenkins/jenkins:2.375.1-jdk11
    USER root
    RUN apt-get update && apt-get install -y lsb-release
    RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc \
      https://download.docker.com/linux/debian/gpg
    RUN echo "deb [arch=$(dpkg --print-architecture) \
      signed-by=/usr/share/keyrings/docker-archive-keyring.asc] \
      https://download.docker.com/linux/debian \
      $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
    RUN apt-get update && apt-get install -y docker-ce-cli

    And with userns-remap set in /etc/docker/daemon.json I get:

    $ docker run -it --rm myjenkins-blueocean:2.375.1-1 ls -ltd /usr/share/jenkins/ref
    drwxr-xr-x 1 root root 4096 Nov 30 11:07 /usr/share/jenkins/ref
    
    $ docker run -it --rm jenkins/jenkins:2.375.1-jdk11 ls -ltd /usr/share/jenkins/ref
    touch: cannot touch '/var/jenkins_home/copy_reference_file.log': Permission denied
    Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?
    dduportal
    @dduportal:matrix.org
    [m]

    interesting, gotta try to reproduce then.

    Please note that the error /var/jenkins_home/ is related to the volume itself (and is another concern, but unrelated).

    @Gthevampire_gitlab: could you:
    • Try with the command docker run -it --rm --entrypoint='' jenkins/jenkins:2.375.1-jdk11 ls -ltd /usr/share/jenkins/ref again?
    • Open an issue on github.com/jenkinsci/docker with these elements to allow us to reproduce?
    Reading that you might be able to map
    the jenkins user.
    papi83dm
    @papi83dm
    Does anyone know how I can add this healthcheck to the inbound-agent ? https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images
    dduportal
    @dduportal:matrix.org
    [m]
    @papi83dm: you can also build your own image on top of jenkinsci/inbound-agent of course, and add your custom HEALTHCHECK (https://docs.docker.com/engine/reference/builder/#healthcheck) Dockerfile instruction
    The reason why it is not defined is because it is not a universal feature: other container engines are not using healthcheck the same way. Adding it on the official image creates tons of issues (particularly with Kubernetes).
    Background is that Docker Engine executes the healthcheck inside the container so it requires the image to have the required binaries used by the healthcheck, while other systems run the healthcheck from outside the container.
    papi83dm
    @papi83dm
    @dduportal:matrix.org thanks, I'm using kubernetes and also using a custom image off the inbound-agent. I made a change to the image and then it was flagged with that warning. If it's not universal and it can create issues I'm going to file an exemption with our security team.
    dduportal
    @dduportal:matrix.org
    [m]
    @papi83dm: it is absolutely possible with Kubernetes as well. But you'll have to define:
    • What do you want to check for?
    • What kind of kubernetes probe do you want to use: liveness or readiness?
    @papi83dm: besides, in the case of "inbound-agent", what is the problem you are trying to solve exactly?
    papi83dm
    @papi83dm
    not exactly a problem, our security team does a check when we update our internal repos and it was flagged with that.
    TobiX
    @tobix:ccc.ac
    [m]
    It seems to me that latest of https://hub.docker.com/r/jenkins/inbound-agent/tags has been downgraded to 4.10-3 - was that intentional?
    Tim Jacomb
    @timja
    No, can you raise an issue on jenkins-infra/helpdesk please @tobix:ccc.ac
    TobiX
    @tobix:ccc.ac
    [m]
    greatbk
    @greatbk

    We are building the Jenkins docker image by referring to the code below. https://github.com/jenkinsci/docker

    The build is successful using the make tool, but running the docker image results in an error in the jenkins.sh file. The error message is as follows:

    :  invalid option:02 /bin/bash: -

    Docker Execute Commands (use local image):

    docker run --name my-jenkins -d -p 8087:8080 --restart=on-failure -v jenkins_home:/var/jenkins_home jenkins/jenkins:2.356-centos7

    Development Environment:
    windows11, git-bash, make, jq, curl, docker-desktop

    Mark Waite
    @MarkEWaite
    I can't duplicate the problem that you're describing on my Windows 11 computer. The docker run command that you provided works just fine. Running that old a weekly version means that you're running with a known security vulnerability, but it does run for me and does not report any invalid option message.
    shanewalton
    @shanewalton
    What is the correct or best practice for allowing libvirt to work with Jenkins in a container? The libvirt plugin is allowed to be installed, but the container image appears to be missing libvirt-java. Could/should this just be included in the image?
    halkeye
    @halkeye:g4v.dev
    [m]
    @shanewalton: you are encouraged to extend containers as much as you need. In general we don't recommend the main controller do anything, and just have agents do work with whatever tooling you need.