Jenkins wrong volume permissions
S

13

32

I have a virtual machine hosting Oracle Linux where I've installed Docker and created containers using a docker-compose file. I placed the Jenkins volume under a shared folder, but when running docker-compose up I got the following error for Jenkins:

jenkins | touch: cannot touch ‘/var/jenkins_home/copy_reference_file.log’: Permission denied
jenkins | Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?
jenkins exited with code 1

Here's the volumes declaration

  volumes:
    - "/media/sf_devops-workspaces/dev-tools/continuous-integration/jenkins:/var/jenkins_home"
Soke answered 19/5, 2017 at 9:5 Comment(5)
Put your entire docker-compose.yml file pleaseRope
Quick fix: find out the numeric user ID of the user running Jenkins inside the container and change the owner of the host directory to this user ID.Crim
some more ideas: #23544782Crim
@Rope hastebin.com/bucunekelo.httpSoke
@Crim how do I do that ? I'm not using dockerfiles only a docker compose ! the container can't start because of that tho so I can't access it and make commands..Soke
P
16

The problem is that your user in the container has a different userid:groupid than the user on the host.

You have two possibilities:

  1. You can ensure that the user in the container has the same userid:groupid as the user on the host, which has access to the mounted volume. For this you have to adjust the user in the Dockerfile. Create a user in the Dockerfile with the same userid:groupid and then switch to this user: https://docs.docker.com/engine/reference/builder/#user

  2. You can ensure that the user on the host has the same userid:groupid as the user in the container. For this, enter the container with docker exec -it <container-name> bash and show the user id (id -u <username>) and the group id (id -G <username>). Change the permissions of the mounted volume to this userid:groupid.

Piccard answered 19/5, 2017 at 11:19 Comment(5)
I can't start the container thus I can't access it and do the 2nd solution.. for the first one can you add some details about it ?Soke
For the first solution you have to build the docker image. Means you need the Dockerfile and the artifacts which are copied into the Dockerfile. If you have this, you can build the image and also change the Dockerfile.Piccard
@TaoufikJabbari why can't you start the container? In fact you need only the image, you can start it even on another machine. You use another start command so this should work as long as there is bash in the image.Crim
@Crim did I miss something or an image is like a class and the instance are the containers? because If I run a new container it won't impact the one define in the compose because they're two different instances..Soke
@TaoufikJabbari No that's correct, but just to find out the numeric user id you don't need the exact same container (this is "class information").Crim
L
33

The easy fix is to use the -u parameter. Keep in mind this will run as a root user (uid=0)

docker run -u 0 -d -p 8080:8080 -p 50000:50000 -v /data/jenkins:/var/jenkins_home jenkins/jenkins:lts
Luhe answered 5/2, 2019 at 21:22 Comment(0)
N
21

As haschibaschi stated your user in the container has different userid:groupid than the user on the host.

To get around this, start the container without the (problematic) volume mapping, then run bash on the container:

docker run -p 8080:8080 -p 50000:50000 -it jenkins bin/bash

Once inside the container's shell run the id command and you'll get results like:

uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)

Exit the container, go to the folder you are trying to map and run:

chown -R 1000:1000 .

With the permissions now matching, you should be able to run the original docker command with the volume mapping.

Nerissanerita answered 29/3, 2018 at 13:33 Comment(2)
how to do this in windows ?Emunctory
Doesn't work on Mac either. This worked brilliantly on an Alpine Linux host, however, didn't quite work on the Mac M1. I had to do chmod 777 (not the best way) to just get it working.Inchworm
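An added example, not part of any answer in this thread: a host-side preflight check for the procedure above. It takes the `id` line reported by the image and tells you whether that uid:gid can already write to the directory you plan to mount, or prints the narrow chown that would fix it. The function names and the sample `id` line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks, from the host side, whether the
# uid:gid a container runs as can write to the directory you plan to bind-mount.

# Pull the numeric uid or gid out of `id` output ("uid=1000(jenkins) gid=...").
id_field() {  # $1 = uid|gid, $2 = output of `id`
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=\([0-9][0-9]*\).*/\1/p"
}

# Return 0 if non-root uid $1 with gid $2 can create files in directory $3,
# judged from the owner/group/other mode bits only (no ACLs, no SELinux).
# Creating a file needs both write and search (x) permission on the directory.
dir_writable_by() {
    want_uid=$1 want_gid=$2 dir=$3
    [ -d "$dir" ] || return 2
    set -- $(ls -ldn -- "$dir" | awk '{print $1, $3, $4}')  # mode, uid, gid
    mode=$1 owner=$2 group=$3
    if   [ "$want_uid" -eq "$owner" ]; then bits=$(printf '%s' "$mode" | cut -c2-4)
    elif [ "$want_gid" -eq "$group" ]; then bits=$(printf '%s' "$mode" | cut -c5-7)
    else bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    case $bits in
        ?w[xst]) return 0 ;;   # s/t = setuid/setgid/sticky with x set
        *)       return 1 ;;
    esac
}

# Report "ok", or print the chown from the answer above for this uid:gid.
jenkins_home_advice() {  # $1 = `id` output from the image, $2 = host directory
    uid=$(id_field uid "$1"); gid=$(id_field gid "$1")
    [ -n "$uid" ] && [ -n "$gid" ] || { echo "cannot parse: $1" >&2; return 2; }
    if dir_writable_by "$uid" "$gid" "$2"; then
        echo "ok: $uid:$gid can write to $2"
    else
        echo "fix: chown -R $uid:$gid $2"
        return 1
    fi
}

# Constructed sample; on a real host use the image's own answer instead:
#   docker run --rm --entrypoint id jenkins/jenkins:lts
SAMPLE_ID='uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)'
demo_dir=$(mktemp -d)
jenkins_home_advice "$SAMPLE_ID" "$demo_dir" || true
rm -rf "$demo_dir"
```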
I
2

You may be under SELinux. Running the container as privileged solved the issue for me:

sudo docker run --privileged -p 8080:8080 -p 50000:50000 -v /data/jenkins:/var/jenkins_home jenkins/jenkins:lts

From https://docs.docker.com/engine/reference/commandline/run/#full-container-capabilities---privileged:

The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

Interlineate answered 22/1, 2020 at 18:4 Comment(1)
Worked on RHEL 7.9Bound
E
1

As an update of @Kiem's response, using $UID to ensure container uses the same user id as the host, you can do this:

docker run -u $UID -d -p 8080:8080 -p 50000:50000 -v /data/jenkins:/var/jenkins_home jenkins/jenkins:lts
Ecclesiasticus answered 23/6, 2021 at 11:26 Comment(1)
Have you actually used this solution? I tried this in jenkins and got the error: groovy.lang.MissingPropertyException: No such property: UID for class: groovy.lang.BindingOverhang
C
1

I had a similar issue with Minikube/Kubernetes; I just added

securityContext:
  fsGroup: 1000
  runAsUser: 0

under deployment -> spec -> template -> spec

Conversazione answered 11/2, 2022 at 11:40 Comment(0)
K
1

It's good to use a docker-compose.yml.

In it you should give privileged: true & user: root as follows.

version: '3'
services:
  jenkins:
    container_name: jenkins
    image: jenkins/jenkins:lts
    ports:
      - "8080:8080"
      - "50000:50000"
    privileged: true
    user: root
    volumes:
      - ./jenkins_home:/var/jenkins_home
    restart: always

Then you will be able to up the jenkins container successfully by running "docker-compose up -d".

Katakana answered 3/5, 2023 at 10:8 Comment(0)
B
1

I fixed it by updating permissions.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: devops-tools
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jenkins-server
  template:
    metadata:
      labels:
        app: jenkins-server
    spec:
      securityContext:
        fsGroup: 1000
        runAsUser: 0
      serviceAccountName: jenkins-admin
      containers:
        - name: jenkins
          image: jenkins/jenkins:lts
          resources:
            limits:
              memory: "2Gi"
              cpu: "1000m"
            requests:
              memory: "500Mi"
              cpu: "500m"
          ports:
            - name: httpport
              containerPort: 8080
            - name: jnlpport
              containerPort: 50000
          livenessProbe:
            httpGet:
              path: "/login"
              port: 8080
            initialDelaySeconds: 90
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: "/login"
              port: 8080
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          volumeMounts:
            - name: jenkins-data
              mountPath: /var/jenkins_home
      volumes:
        - name: jenkins-data
          persistentVolumeClaim:
              claimName: jenkins-pv-claim
Breezeway answered 11/9, 2023 at 13:59 Comment(1)
Please don't add "thank you" as an answer. Once you have sufficient reputation, you will be able to vote up questions and answers that you found helpful. - From ReviewWaitabit
D
0

Had a similar issue on macOS. I had installed Jenkins using Helm over Minikube/Kubernetes; after many attempts I fixed it by adding runAsUser: 0 (as root) in the values.yaml I use to deploy Jenkins.

master:
  usePodSecurityContext: true
  runAsUser: 0
  fsGroup: 0

Just be careful because that means that you will run all your commands as root.

Dnieper answered 10/8, 2020 at 1:48 Comment(2)
This might actually be a beginning to a solution. Can you create a user with the same UID and GID as the user on the host, and run as that user? I cannot upvote this recommendation to run as root, but it does seem to be on the right track.Aniseed
Yes, you can use any user.Dnieper
B
0

use this command

$ chmod +757 /home/your-user/your-jenkins-data
Bemean answered 14/2, 2023 at 14:16 Comment(1)
While this code may answer the question, providing additional context regarding why and/or how this code answers the question improves its long-term value.Prejudicial
A
-1

This error is solved using the following command.

Go to your Jenkins data mount path: /media

Run the following command:

cd /media
sudo chown -R ubuntu:ubuntu sf_devops-workspaces

Restart the Jenkins Docker container:

docker-compose restart jenkins
Arterial answered 19/6, 2018 at 7:1 Comment(0)
S
-1

First of all, you can verify your current user using the echo $USER command, and after that you can mention who the user is in the Dockerfile like below (in my case the user is root): screenshot

Smallminded answered 26/12, 2019 at 9:2 Comment(0)
I
-2

I had the same issue; it got resolved after disabling SELinux. It's not recommended to disable SELinux, so install a custom semodule and enable it. It works. Only changing the permissions won't work on CentOS 7.

Immunity answered 6/5, 2019 at 11:10 Comment(1)
It is not recommended to disable SELinux, instead apply SELinux policy to the directory.Guileless