Jenkins Docker 映像 - 仅将“作业”文件夹放入命名卷时的权限问题

Question

我通过在我自己的 Dockerfile 中扩展 the official image，在 Docker 容器中运行 Jenkins。

该页面的顶部建议将整个 $JENKINS_HOME 文件夹放入一个命名卷中，以便通过 UI 所做的更改在容器重新启动和重新创建时保持不变。

但是，我不希望整个 $JENKINS_HOME 文件夹成为此卷的一部分，而只是 $JENKINS_HOME/jobs 文件夹。原因如下：

• 在映像构建过程as documented here 期间，由基础映像中的install_plugins.sh 脚本设置插件。
• 所有其他配置都将在configuration-as-code plugin 构建的每个映像上从头开始创建。
• 只有作业不会在每个映像构建中从头开始重新创建，因此应保留在命名卷中。

因此我像这样启动 Jenkins 容器：

docker run \
    -p 8080:8080 \
    -p 50000:50000 \
    -v jenkins-jobs:/var/jenkins_home/jobs \
    my-custom-jenkins-image

容器现在无法正确启动，日志中出现 permission denied 错误。通过docker exec container_name_or_id ls -ahl /var/jenkins_home 检查$JENKINS_HOME 内部的权限显示$JENKINS_HOME/jobs 现在归root 所有，而不是jenkins 用户拥有所有其他文件和子目录以及$JENKINS_HOME 本身。

有趣的是，当将整个 ​​$JENKINS_HOME 文件夹放入命名卷时，其中的所有文件和子文件夹都将正确归 jenkins 用户所有。

我怎样才能只将jobs 文件夹放入一个命名卷中，并确保它属于容器内的jenkins 用户？

编辑： 我的Dockerfile 精简到最低限度看起来像这样。但是，我不怀疑这是根本原因，因为在运行 jenkins/jenkins:lts 股票图像时会发生同样的事情，如下所示：

docker run \
    -p 8080:8080 \
    -p 50000:50000 \
    -v jenkins-jobs:/var/jenkins_home/jobs \
    jenkins/jenkins:lts

基础镜像的Dockerfile可以在on GitHub找到。

FROM jenkins/jenkins:lts

USER root

# install plugins
COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt

# Configuration as code plugin
# The configuration file must be stored outside of the Jenkins home directory
# because this is mounted as a volume - consequently, changes to the file in
# the image would not make it into the container which would override it with
# the previous version from the volume.
ENV CASC_JENKINS_CONFIG=/run/jenkins.yaml
COPY --chown=jenkins:jenkins jenkins.yaml /run/jenkins.yaml

# don't run plugin and admin user setup wizard at first run
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"

USER jenkins

Answer 1

在找到更好的解决方案之前解决问题的糟糕解决方法：

1. 将以下行添加到Dockerfile：

FROM jenkins/jenkins:lts

USER root

# Install additional tools and plugins, set up configuration etc.

# We need the gosu tool to step down from the root user to an unprivileged
# user as part of the entrypoint script.
# See further: https://github.com/tianon/gosu
RUN apt-get -y update && apt-get -y install gosu

# Note that we stay the root user and do not step down to the jenkins user yet.
COPY fix_volume_ownership.sh /usr/local/bin/fix_volume_ownership.sh
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/fix_volume_ownership.sh"]

创建fix_volume_ownership.sh:

#!/bin/bash

# This script is run by the root user in order to have the privileges to change
# ownership of the jobs directory. The jobs directory is mounted as a named
# volume and otherwise is owned by the root user so that the jenkins user
# cannot write into it.
#
# "gosu" finally steps down from the root user to the jenkins user since we
# do not want to run the Jenkins process with root privileges.
#
# /usr/local/bin/jenkins.sh is the original entrypoint script from the base image.

chown -R jenkins:jenkins /var/jenkins_home/jobs
gosu jenkins /usr/local/bin/jenkins.sh

现在，docker exec container_name_or_id ls -ahl /var/jenkins_home 将显示jobs 子文件夹正确地归jenkins 用户所有。此外，docker exec container_name_or_id ps aux 会显示 Jenkins 进程正在由jenkins 用户运行。