RE: Run jenkins jobs as different user or switch user during the execution
You could do something along the lines of

    su testuser -c 'command to run as testuser'

From: jenkinsci-users@googlegroups.com [jenkinsci-users@googlegroups.com] on behalf of Amit Chettri [amitchettri...@gmail.com]
Sent: Wednesday, October 07, 2020 9:24 PM
To: Jenkins Users
Subject: Run jenkins jobs as different user or switch user during the execution

Hello,

I have a requirement where I need to switch user in between in the pipeline run:

    :
    :
    steps {
        script {
            sh """
                sudo su - testuser
                whoami
            """
            :
            :
            :
        }
    }

but during the pipeline run the user is not switched and it's still the jenkins user:

    + sudo su - testuser
    Last login: Thu Oct 8 00:35:26 IST 2020
    + whoami
    jenkins

How can I run the job as a different user or switch user to testuser without making any change to

    $ sudo vim /etc/sysconfig/jenkins
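An added example, not part of either message: one way to pass a command to another account from a non-interactive script such as a Jenkins sh step. The helper name run_as is hypothetical, and the sudo branch assumes the calling user already has a sudoers rule for the target account.

```shell
#!/bin/sh
# run_as USER CMD [ARGS...]   (hypothetical helper, added for illustration)
#   returns the exit status of CMD, or 3 when USER has no account here
run_as() {
    target=$1; shift
    # Resolve the account first, so a typo fails loudly instead of the
    # command silently running as the calling user.
    target_uid=$(id -u "$target" 2>/dev/null) || {
        echo "run_as: no such user: $target" >&2
        return 3
    }
    if [ "$target_uid" = "$(id -u)" ]; then
        # Already that user: no privilege change needed.
        "$@"
    else
        # -n: never prompt for a password (a prompt would stall the build)
        # -H: set HOME to the target user's home directory
        # --: end of sudo options, everything after is the command
        sudo -n -H -u "$target" -- "$@"
    fi
}

# The form from the question, for contrast (left commented out):
#   sudo su - testuser   # starts a separate login shell; the script's
#   whoami               # next line is not fed to it and runs as the caller
#
# Forms that hand the command to the new identity explicitly:
#   su testuser -c 'whoami'      # as suggested in the reply
#   run_as testuser whoami       # same idea through sudo
```
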
RE: Kubernetes Plugin: How to run commands within agent container as non-root?
Hi Vincent,

I am fairly certain that the images are identical, as I used the pod image from the jenkins logs (jenkins/inbound-agent:4.3-4). The second image I used in the pipeline for the build process was https://hub.docker.com/r/kasproject/kas which also should have a non-root user (builder, uid 3). I am not sure how Jenkins handles the containerisation, but unless there is some magic in the background I do not understand, it should be one of those images.

Best regards
Jasper Orschulko

From: jenkinsci-users@googlegroups.com [jenkinsci-users@googlegroups.com] on behalf of Vincent Latombe [vincent.lato...@gmail.com]
Sent: Friday, September 11, 2020 11:50 AM
To: Jenkins Users
Subject: Re: Kubernetes Plugin: How to run commands within agent container as non-root?

> [Pipeline] container

What is your container definition? I really doubt it is the same image as what you're running through docker CLI.

Vincent

On Thu, 10 Sep 2020 at 19:59, iris Jasper Orschulko <jasper.orschu...@irisgmbh.de> wrote:

> I am trying to run a Pipeline in a Kubernetes agent, which needs to execute commands as non-root user. So I tried setting the securityContext of the Pod to 1000 (the default jenkins user) as described here: https://plugins.jenkins.io/kubernetes/.
>
> However, the user does not exist in the container within Kubernetes:
>
>     [Pipeline] {
>     [Pipeline] stage
>     [Pipeline] { (Yocto Build)
>     [Pipeline] container
>     [Pipeline] {
>     [Pipeline] script
>     [Pipeline] {
>     [Pipeline] sh
>     + set -ex
>     + cat /etc/passwd
>     root:x:0:0:root:/root:/bin/bash
>     daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
>     bin:x:2:2:bin:/bin:/usr/sbin/nologin
>     sys:x:3:3:sys:/dev:/usr/sbin/nologin
>     sync:x:4:65534:sync:/bin:/bin/sync
>     games:x:5:60:games:/usr/games:/usr/sbin/nologin
>     man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
>     lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
>     mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
>     news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
>     uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
>     proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
>     www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
>     backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>     list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>     irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
>     gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
>     nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>     _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
>
> However, when running the same image (jenkins/inbound-agent:4.3-4) in docker directly, there is a jenkins user:
>
>     sudo docker run -it --rm jenkins/inbound-agent:4.3-4 bash
>     jenkins@255a3961e41e:~$ cat /etc/passwd
>     root:x:0:0:root:/root:/bin/bash
>     daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
>     bin:x:2:2:bin:/bin:/usr/sbin/nologin
>     sys:x:3:3:sys:/dev:/usr/sbin/nologin
>     sync:x:4:65534:sync:/bin:/bin/sync
>     games:x:5:60:games:/usr/games:/usr/sbin/nologin
>     man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
>     lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
>     mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
>     news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
>     uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
>     proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
>     www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
>     backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>     list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>     irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
>     gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
>     nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>     _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
>     jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh
>
> Any ideas why this might be the case? Is this intentional? If so, what would be the right way to run the container as non-root?
>
> Best regards
> Jasper Orschulko
Kubernetes Plugin: How to run commands within agent container as non-root?
I am trying to run a Pipeline in a Kubernetes agent, which needs to execute commands as non-root user. So I tried setting the securityContext of the Pod to 1000 (the default jenkins user) as described here: https://plugins.jenkins.io/kubernetes/.

However, the user does not exist in the container within Kubernetes:

    [Pipeline] {
    [Pipeline] stage
    [Pipeline] { (Yocto Build)
    [Pipeline] container
    [Pipeline] {
    [Pipeline] script
    [Pipeline] {
    [Pipeline] sh
    + set -ex
    + cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin

However, when running the same image (jenkins/inbound-agent:4.3-4) in docker directly, there is a jenkins user:

    sudo docker run -it --rm jenkins/inbound-agent:4.3-4 bash
    jenkins@255a3961e41e:~$ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh

Any ideas why this might be the case? Is this intentional? If so, what would be the right way to run the container as non-root?

Best regards
Jasper Orschulko
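An added example, not part of the thread: a check that tells whether a numeric UID, such as the 1000 set in the pod's securityContext, has an account in a given passwd file. The function names are hypothetical, and the two sample files are constructed from three lines of each listing quoted above.

```shell
#!/bin/sh
# passwd_name_for_uid UID [FILE]: print the account name that owns UID,
# or return 1 when the passwd file has no entry for it.
passwd_name_for_uid() {
    awk -F: -v uid="$1" '
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        $3 == uid { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "${2:-/etc/passwd}"
}

# describe_uid UID [FILE]: one-line verdict suitable for a build log.
describe_uid() {
    if name=$(passwd_name_for_uid "$1" "$2"); then
        echo "uid $1 -> $name"
    else
        # A process can still run under this numeric UID; what is missing
        # is the name, home directory and shell a lookup would return.
        echo "uid $1 -> no passwd entry"
    fi
}

# Constructed samples: three lines from each listing in the thread.
write_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd.k8s" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
EOF
    cat > "$dir/passwd.docker" <<'EOF'
root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
jenkins:x:1000:1000:Jenkins user:/home/jenkins:/bin/sh
EOF
    echo "$dir"
}

samples=$(write_samples)
describe_uid 1000 "$samples/passwd.k8s"
describe_uid 1000 "$samples/passwd.docker"
rm -rf "$samples"
```

Inside a pipeline container step, `describe_uid "$(id -u)"` reports the same verdict for the UID the step is actually running as.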