This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/jenkins] Workspace PVC is mounted as root causing JNLP container to fail #23443

Closed
sdusoe opened this issue Aug 4, 2020 · 1 comment

sdusoe commented Aug 4, 2020

Describe the bug
I am attempting to mount in the jenkins workspace as a PVC. When I do this, the JNLP sidecar container is not able to start with the following error:

Aug 04, 2020 6:42:42 PM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: casb-pjq20
Aug 04, 2020 6:42:43 PM hudson.remoting.jnlp.Main$CuiListener <init>
INFO: Jenkins agent is running in headless mode.
Aug 04, 2020 6:42:43 PM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 4.0.1
Exception in thread "main" java.io.IOException: The specified working directory should be fully accessible to the remoting executable (RWX): /home/jenkins/agent
	at org.jenkinsci.remoting.engine.WorkDirManager.verifyDirectory(WorkDirManager.java:249)
	at org.jenkinsci.remoting.engine.WorkDirManager.initializeWorkDir(WorkDirManager.java:201)
	at hudson.remoting.Engine.startEngine(Engine.java:288)
	at hudson.remoting.Engine.startEngine(Engine.java:264)
	at hudson.remoting.jnlp.Main.main(Main.java:284)
	at hudson.remoting.jnlp.Main._main(Main.java:279)
	at hudson.remoting.jnlp.Main.main(Main.java:231)

I also checked my main build container to see what the permissions of /home/jenkins/agent looked like:

/home/jenkins$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Aug  4 18:42 .
drwxr-xr-x 1 root root 4096 Aug  4 18:42 ..
drwxr-xr-x 3 root root 4096 Aug  4 17:34 agent
madmin@casb-pjq20:/home/jenkins$ touch agent/
touch: setting times of 'agent/': Permission denied

I have the following in my values.yaml:

master:
  runAsUser: 1000
  fsGroup: 1000

Version of Helm and Kubernetes:
helm version: version.BuildInfo{Version:"v3.0.2", GitCommit:"19e47ee3283ae98139d98460de796c1be1e3975f", GitTreeState:"clean", GoVersion:"go1.13.5"}

kubernetes version: 1.15.12-gke.2

Which chart:

stable/jenkins

What happened:
JNLP container fails to start if workspace mounted as PVC

What you expected to happen:
JNLP container starts successfully

How to reproduce it (as minimally and precisely as possible):
Deploy Jenkins via Helm and mount the workspace as a PVC. Kick off a build using the pod template defined.

Anything else we need to know:

If I set runAsUser and runAsGroup to 0 in my pod template, then the JNLP container is able to start.

sdusoe commented Aug 5, 2020

For anyone that stumbles into this, I was able to get this working:

I had to change my approach. Originally, I was creating podTemplates in the Jenkins Helm chart. Now, I am creating my podTemplate in the Jenkinsfiles directly. Doing it this way, you can specify the security section like so:

securityContext:
  runAsUser: 1000
  fsGroup: 1000

Hope this helps!
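
The following is an added example, not part of the original issue or of the Jenkins or Kubernetes code: a simplified model of POSIX directory access applied to the `agent` line from the `ls -la` output above, showing why a non-root UID fails the RWX check on a root-owned mount and passes once `fsGroup: 1000` is applied. It assumes the volume type supports fsGroup ownership changes (group set to fsGroup, setgid bit set, mode OR'd with rw-rw----, as documented for the Kubernetes `fsGroup` field); the `NAME_TO_ID` map and the function names are hypothetical.

```python
# Added example: simplified model of POSIX directory access, not Jenkins or Kubernetes code.
PERM_BITS = [0o400, 0o200, 0o100, 0o040, 0o020, 0o010, 0o004, 0o002, 0o001]
SPECIAL_BITS = {2: 0o4000, 5: 0o2000, 8: 0o1000}  # setuid, setgid, sticky
NAME_TO_ID = {"root": 0}  # assumption: only the name seen in the issue's listing

# Directory line copied from the issue's `ls -la` output.
LS_LINE = "drwxr-xr-x 3 root root 4096 Aug  4 17:34 agent"


def parse_ls_line(line):
    """Return (mode, owner_uid, owner_gid) for one `ls -l` line."""
    perms, _links, owner, group = line.split()[:4]
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch in "rwxst":  # lowercase s/t mean "execute plus special bit"
            mode |= PERM_BITS[i]
        if ch in "sStT":
            mode |= SPECIAL_BITS[i]
    return mode, NAME_TO_ID[owner], NAME_TO_ID[group]


def apply_fs_group(mode, owner_uid, fs_group):
    """Model fsGroup: group becomes fsGroup, setgid set, mode OR'd with rw-rw----."""
    return mode | 0o2000 | 0o660, owner_uid, fs_group


def has_rwx(mode, owner_uid, owner_gid, uid, gids):
    """True if a process (uid, gids) has read, write and execute on the directory."""
    if uid == 0:
        return True  # root keeps CAP_DAC_OVERRIDE in a default container
    if uid == owner_uid:
        shift = 6  # owner class
    elif owner_gid in gids:
        shift = 3  # group class
    else:
        shift = 0  # other class
    return ((mode >> shift) & 0o7) == 0o7


if __name__ == "__main__":
    before = parse_ls_line(LS_LINE)
    after = apply_fs_group(before[0], before[1], fs_group=1000)
    for label, d in (("as mounted", before), ("with fsGroup 1000", after)):
        print(label, oct(d[0]), "uid 1000 rwx:", has_rwx(*d, uid=1000, gids={1000}))
    print("uid 0 rwx on original mount:", has_rwx(*before, uid=0, gids={0}))
```

Running as UID 0 passes the same check only because root bypasses the permission bits, which is why the `fsGroup` route keeps the agent non-root.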
