通过在我自己的the official image中扩展Dockerfile,我在Docker容器中运行Jenkins。
该页面的顶部部分建议将整个$JENKINS_HOME文件夹放入指定的卷中,以便通过UI进行的更改在容器重新启动和重新创建时保持不变。
但是,我不希望整个$JENKINS_HOME文件夹成为此卷的一部分,但只有$JENKINS_HOME/jobs文件夹。原因是:
install_plugins.sh期间,插件由as documented here脚本从基本图像设置。因此,我像这样启动Jenkins容器:
docker run \
-p 8080:8080 \
-p 50000:50000 \
-v jenkins-jobs:/var/jenkins_home/jobs \
my-custom-jenkins-image
容器现在无法正确启动日志中的permission denied错误。通过$JENKINS_HOME检查docker exec container_name_or_id ls -ahl /var/jenkins_home中的权限显示$JENKINS_HOME/jobs现在由root拥有,而不是拥有所有其他文件和子目录以及jenkins本身的$JENKINS_HOME用户。
有趣的是,当将整个$JENKINS_HOME文件夹放入命名卷时,其中的所有文件和子文件夹将由jenkins用户正确拥有。
我怎么才能将jobs文件夹放入命名卷并确保它属于容器内的jenkins用户?
编辑:我的Dockerfile被剥离到最低限度看起来像这样。但是,我并不怀疑任何这一点是根本原因,因为在运行jenkins/jenkins:lts股票图像时会发生同样的事情,如:
docker run \
-p 8080:8080 \
-p 50000:50000 \
-v jenkins-jobs:/var/jenkins_home/jobs \
jenkins/jenkins:lts
基本图像的Dockerfile可以找到on GitHub。
FROM jenkins/jenkins:lts
USER root
# install plugins
COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt
# Configuration as code plugin
# The configuration file must be stored outside of the Jenkins home directory
# because this is mounted as a volume - consequently, changes to the file in
# the image would not make it into the container which would override it with
# the previous version from the volume.
ENV CASC_JENKINS_CONFIG=/run/jenkins.yaml
COPY --chown=jenkins:jenkins jenkins.yaml /run/jenkins.yaml
# don't run plugin and admin user setup wizard at first run
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"
USER jenkins
糟糕的解决方法可以解决问题,直到找到更好的解决方案:
Dockerfile:FROM jenkins/jenkins:lts
USER root
# Install additional tools and plugins, set up configuration etc.
# We need the gosu tool to step down from the root user to an unprivileged
# user as part of the entrypoint script.
# See further: https://github.com/tianon/gosu
RUN apt-get -y update && apt-get -y install gosu
# Note that we stay the root user and do not step down to the jenkins user yet.
COPY fix_volume_ownership.sh /usr/local/bin/fix_volume_ownership.sh
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/fix_volume_ownership.sh"]
创建fix_volume_ownership.sh:
#!/bin/bash
# This script is run by the root user in order to have the privileges to change
# ownership of the jobs directory. The jobs directory is mounted as a named
# volume and otherwise is owned by the root user so that the jenkins user
# cannot write into it.
#
# "gosu" finally steps down from the root user to the jenkins user since we
# do not want to run the Jenkins process with root privileges.
#
# /usr/local/bin/jenkins.sh is the original entrypoint script from the base image.
chown -R jenkins:jenkins /var/jenkins_home/jobs
gosu jenkins /usr/local/bin/jenkins.sh
现在,docker exec container_name_or_id ls -ahl /var/jenkins_home将显示jobs子文件夹由jenkins用户正确拥有。此外,docker exec container_name_or_id ps aux将显示Jenkins进程由jenkins用户运行。