Jenkins + Docker: How to control docker user when using Image.inside command

RoK · Mar 6, 2017 · Viewed 24.4k times

Dear Stackoverflow Community,

I am trying to set up a Jenkins CI pipeline using docker images as containers for my build processes. I am defining a Jenkinsfile to have a build pipeline as code. I am doing something like this:

node {
  docker.withRegistry('http://my.registry.com', 'docker-credentials') {     
      def buildimage = docker.image('buildimage:latest');
      buildimage.pull();
      buildimage.inside("")
      {
        stage('Checkout sources') {
          git url: '...', credentialsId: '...'
        }

        stage('Run Build and Publish') {
            sh "..."
        }
      }
  }
}

Unfortunately I am stumbling upon a weird behavior of the Docker pipeline plugin. In the build output I can see that the Image.inside(...) command triggers the container with a

docker run -t -d -u 1000:1000 ...

This makes my build fail, because the user defined in the Dockerfile does not have the UID 1000 ... another user is actually taken. I even tried specifying which user should be used within the Jenkinsfile

node {
  docker.withRegistry('http://my.registry.com', 'docker-credentials') {     
      def buildimage = docker.image('buildimage:latest');
      buildimage.pull();
      buildimage.inside("-u otheruser:othergroup")
      {
        stage('Checkout sources') {
          git url: '...', credentialsId: '...'
        }

        stage('Run Build and Publish') {
            sh "..."
        }
      }
  }
}

but this leads to a duplicate -u switch in the resulting docker run command

docker run -t -d -u 1000:1000 -u otheruser:othergroup ...

and obviously only the first -u is applied because my build still fails. I also did debugging using whoami to validate my assumptions.

So my questions: how can I change this behavior? Is there a switch where I can turn the -u 1000:1000 off? Is this even a bug? I actually like to work with the Docker plugin because it simplifies the usage of my own Docker registry with credentials maintained in Jenkins. However, is there another simple way to get to my goal if the Docker plugin is not usable?

Thank you in advance for your time

Answer

Steven Shi · Aug 23, 2018

I found you can actually change the user by adding args like the following. Although -u 1000:1000 will still be there in the docker run, you will have an additional -u [your user] after 1000:1000. Docker will actually use the latest -u parameter.

agent {
  docker {
    image 'your image'
    args '-u root --privileged'
  }
}
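
Added example, not part of the question or the answer: a review check for Jenkinsfiles that resolves which user a container ends up with when `inside(...)` or `args` adds its own `-u` after the plugin's, and reports root and `--privileged`. The names `effective_user`, `audit_jenkinsfile` and `SAMPLE` are hypothetical, the default `1000:1000` is the value from the question's build log, and last-`-u`-wins is assumed as the answer reports.

```python
import re
import shlex

# Matches the two places this page passes extra `docker run` arguments:
# image.inside("...") in a scripted pipeline, args '...' in a declarative agent.
ARGS_RE = re.compile(r"""(?:\.inside\(\s*|\bargs\s+)(["'])(.*?)\1""")

# The -u the plugin prepends, taken from the question's build log (assumption:
# other agents will show their own uid:gid here).
PLUGIN_DEFAULT_USER = "1000:1000"


def effective_user(arg_string, default=PLUGIN_DEFAULT_USER):
    """Resolve the user when -u repeats, assuming the last -u/--user wins."""
    user = default
    tokens = shlex.split(arg_string)
    for i, tok in enumerate(tokens):
        if tok in ("-u", "--user") and i + 1 < len(tokens):
            user = tokens[i + 1]
        elif tok.startswith("--user="):
            user = tok.split("=", 1)[1]
        elif tok.startswith("-u") and len(tok) > 2:
            user = tok[2:]  # attached short form, e.g. -uroot
    return user


def audit_jenkinsfile(text):
    """Return (line, finding, detail) for each inside()/args string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ARGS_RE.finditer(line):
            args = m.group(2)
            user = effective_user(args)
            if user.split(":", 1)[0] in ("root", "0"):
                findings.append((lineno, "runs-as-root", user))
            if "--privileged" in shlex.split(args):
                findings.append((lineno, "privileged", args))
    return findings


# Constructed sample combining the question's and the answer's snippets.
SAMPLE = '''\
buildimage.inside("-u otheruser:othergroup") {
agent { docker { image 'your image'
    args '-u root --privileged'
} }
'''
```

Calling `audit_jenkinsfile(SAMPLE)` reports two findings on line 3 and none for the `otheruser:othergroup` override on line 1.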