I'm trying to run rootless Podman containers with
podman container create --name postgres --expose 5432 --memory 512M --hostname postgres --volume /home/user/some/path/postgres:/var/lib/postgresql/data:Z,U --userns keep-id --env POSTGRES_USER=admin --env POSTGRES_PASSWORD=secret docker.io/postgres:14
but I'm getting the error message
Error: error stat'ing file `/home/user/some/path/postgres`: Permission denied: OCI permission denied
The destination path /home/user/some/path is within a gocryptfs mount. Mapping the volume outside the path works flawlessly.
So far I thought that --userns keep-id should avoid permission issues for rootless containers but if I'm removing the option I'm getting the error message
chown: changing ownership of '/var/lib/postgresql/data': Operation not permitted
As far as I understood, providing the options --uidmap and --gidmap could help as well but I'm not sure how I can provide the proper values for it.
Under the hood I'm using Ansible to configure the containers.
EDIT: Now I also created a Podman issue.
The reason for this error was that the mount wasn't done with the fuse parameter allow_other.
Make sure that you had done with /etc/subuid and /etc/subgid configuration, as it described here:
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
Rootless Podman requires the user running it to have a range of UIDs listed in the files /etc/subuid and /etc/subgid.
...
The format of this file is USERNAME:UID:RANGE
username as listed in /etc/passwd or in the output of getpwent.
The initial UID allocated for the user.
The size of the range of UIDs allocated for the user.
Example:
# cat /etc/subuid
johndoe:100000:65536
test:165536:65536
running a container-job in an azure pipeline, I use a docker image ( conan ) which expects the build commands to be run under conan.
While I'm able to bootstrap the container in azure with --user root without issues using options
resources:
containers:
- container: builder
image: conanio/clang8
options: --user root
When I run a job
jobs:
- job: do_that
container: builder
steps:
- task: Bash#3
inputs:
targetType: inline
script: whoami
noProfile: false
noRc: false
I see that the user is 1001 which has been craeted by the azure bootstrap. I cannot use sudo / su since the user is not allowed to use sudo. I ask myself how would I ever run as a different user? The user has a specific ENV setup due to python shims for conan, special setups in ~/.conan, and all those kind of things.
This exact steps in azp runs automatically during the "container initialization" (right after docker create) in az using docker exec are:
# Grant user 'conan' SUDO privilege and allow it run any command without authentication.
groupadd azure_pipelines_sudo
usermod -a -G azure_pipelines_sudo conan
su -c "echo '%azure_pipelines_sudo ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers"
# Allow user 'conan' run any docker command without SUDO.
stat -c %g /var/run/docker.sock
bash -c "cat /etc/group"
groupadd -g 117 azure_pipelines_docker
usermod -a -G azure_pipelines_docker conan
The semantic idea is:
extract which user the image is designed to run on by default ( in our case conan / 1000
create a group azure_pipelines_sudo
grant this user sudo permissions without password requirements
grant this user conan permissions to access the docker socket aka run docker in docker commands
Seeing this setup I really wonder, why effectively then the docker exec statement is run using something along the lines as
docker exec -u 1001 ..
So effectively when the actual job is run, it is not using the user conan (1000) - so the one being configured to have all the capabilities like sudo / docker access - if that is by design, why doing the setup 2-4 at all?
Somewhat this looks like either a design flaw, a bug, or just a huge misunderstanding on my side.
I have seen this question but even though the title assumes, it is a very different question
Right now, this is not possible. I'am not sure what this whole concept is about, but for me that is not only an issue, it is an showstopper because one cannot workaround this issue.
Even though it is a simple answer - at least it is one.
Update:
This is not available at present.
For your concern:
So effectively when the actual job is run, it is not using the user conan (1000) - so the one being configured to have all the capabilities like sudo / docker access - if that is by design, why doing the setup 2-4 at all?
There is some related info in our official doc may related to this: since Azure Pipelines will docker create an awaiting container and docker exec a series of commands which expect the container is always up and running. https://learn.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops&tabs=yaml#linux-based-containers
There are three different authentication tokens used by an agent:
Agent registration token: used only when registering the agent in the agent pool
Listener OAuth token: used by the agent when listening for new jobs
Job-specific OAuth token: used by the agent when running an individual job
Even though that link question is not related to yours. But there is a comment is correct:
The agent itself is setup to run as a user. When the build runs it
runs in a container as user "containeradministrator"(root) which is a
docker user.
What you would like seems to be running a Docker container as a non-root user. This is actually not related to Azure DevOps Service side, more related to Docker.
Kindly check if this helps Connect to docker container as user other than root & this blog.
I am trying to run a docker command as part of a jenkins job using shell. I get a standard error stating
"Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied"
I will require some help on
1. how to find the path where docker is installed which can be added to JENKINS global configuration
2. workaround to fix this permission issue(running as a sudo user/any other specific user)
I have already experimented by adding the JENKINS users to admin group, staff group, made administrator. But, nothing has actually helped. I still get the standard error
Tried the below code on terminal too
sudo -u jenkins docker images
OUTPUT:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix /var/run/docker.sock: connect: permission denied
I am expecting to run this code without the error. Only then my jenkins pipeline will be complete.
To find the path where docker is installed, simply run a which docker. Usually, it'll be installed somewhere in the standard PATH already, so probably Jenkins will already have access. As you get the permission denied error message, it looks like Jenkins is already using the correct docker executable.
Depending on the distribution or operating system you are using, you will most likely need to add the jenkins user to a docker group, e.g. sudo usermod -aG docker jenkins. To find out which group you need, run:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Apr 30 16:20 /var/run/docker.sock
In the second line, you see the group that docker.sock is owned by. Add the jenkins user to that group.
I've cloned the repository on GitHub and I'm looking for installation instructions.
So far, I've done these steps (in Mac Terminal):
cd /opt
git clone https://github.com/cldmgr/cloud-manager.git
cd cloud-manager
Now what?
What you've done so far is perfect!
Before running the installer, add /opt/cloud-manager to your PATH variable. For Bash, you would add following like to the bottom the .bash_profile file in your home directory:
export PATH=${PATH}:/opt/cloud-manager
The next step is to run the installer, which will ask you a bunch of questions about your infrastructure in order to configure Cloud Manager (CM).
NOTE: you should be logged in as the user account you intend to run CM under prior to performing the installation - including the 'git clone' command.
Here's how to start the interview:
$ ./methods/cm-install
It'll look like this:
## Welcome to Cloud Manager (CM) Installer
This installer was launched because CM could not find a configuration file
and/or Ansible inventory file where expected. The following interview will
prompt you for all information needed to configure CM.
After the interview, you'll be prompted to save your answers to a response file. This is convenient in the event you want to re-configure CM without answering all the (annoying) questions again.
To do so, run "./methods/cm-init -r templates/<your_responseFile>"
## Configuring CM Core Server
Enter hostname/ip for the CM control node [localhost]:
--> accepted: localhost
Master Private Key (managed server access) [keys/master/cm-master]:
--> accepted: keys/master/cm-master
Master Public Key (managed server access) [keys/master/cm-master.pub]:
--> accepted: keys/master/cm-master.pub
Master User Account [cmadmin]:
--> accepted: cmadmin
Master Password - Cleartext [null-disallowed]:
--> accepted: ********
...
At the end of the interview it will ask you to save your response file. I recommend that you do, as it will save you time later -- in the event you want to reset everything back to defaults as you're learning to use CM.
To re-run the installer using the response file, run:
$ ./methods/cm-init -c -r templates/your-response-file.resp
Now that CM is configured, just type 'cm' to see the usage statement:
$ cm
Usage: cm [<options>] <method> [args]
[methods]
Configuration:
group <add|remove|addAttr|removeAttr|addRule|removeRule> [args]
ipam <subnet|range|checkout|checkin> [args]
Infrastructure:
create [-s][-f] <hostname> <group> [args]
createN [-s|-r] <clusterName> <N> <hostnameBase> <group> [args]
configure [-s] <hostname> [args]
deploy [-s] <hostname> <playbookName> [args]
power [-s] <on|off|cycle> [args]
decommission [-s] [-h <hostname>|all]
[-g <groupName>]
[-c <clusterName>]
reprovision [-s] <hostname>
Continuous Integration:
dso [-s] <name> <ansible|chef|puppet|cm> [args]
pipeline <add|remove|addAttr|removeAttr> [args]
System:
show <server|group|job|subnet|subnetMap|cluster> [args]
connect <hostname> [args]
system <vboxCli|encrypt> [args]
runScript <scriptName>
runCmd <hostname> <command>
[options]
-s : show standard output from ansible playbook
-x : show extended help
I'm using a EC2 server instance. Used the following to install Jenkins:
wget -q -O - http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key | sudo apt-key add -
sudo sh -c 'echo deb http://pkg.jenkins-ci.org/debian binary/ > /etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins
but I need to install software on the Jenkins server so in my EC2 instance I did
sudo –s –H –u jenkins
to get into the jenkins server.
Then I tried to do
sudo cabal install quickcheck
but it prompted me for jenkins password.
I've been searching around the internet for 4hrs now and nothing is helping me get administrative privilege in the jenkins server.
So I'm building my project using the following command in shell:
sudo cabal clean
sudo cabal configure
sudo cabal build
sudo cabal install
This is the error I'm getting:
Started by timer
Building in workspace /var/lib/jenkins/jobs/Finance/workspace
Checkout:workspace / /var/lib/jenkins/jobs/Finance/workspace - hudson.remoting.LocalChannel#eea6dc
Using strategy: Default
Last Built Revision: Revision b638e2182dece0ef1a40232b1d75fa3ae5c01a5d (origin/master)
Fetching changes from 1 remote Git repository
Fetching upstream changes from origin
Commencing build of Revision b638e2182dece0ef1a40232b1d75fa3ae5c01a5d (origin/master)
Checking out Revision b638e2182dece0ef1a40232b1d75fa3ae5c01a5d (origin/master)
[workspace] $ /bin/sh -xe /tmp/hudson3500373817395137440.sh
+ sudo cabal clean
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
Build step 'Execute shell' marked build as failure
Sending e-mails to: ***#gmail.com
ERROR: Could not connect to SMTP host: localhost, port: 25
javax.mail.MessagingException: Could not connect to SMTP host: localhost, port: 25;
nested exception is:
java.net.ConnectException: Connection refused
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1934)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:638)
at javax.mail.Service.connect(Service.java:295)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at javax.mail.Transport.send0(Transport.java:194)
at javax.mail.Transport.send(Transport.java:124)
at hudson.tasks.MailSender.execute(MailSender.java:116)
at hudson.tasks.Mailer.perform(Mailer.java:117)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:19)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:814)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:786)
at hudson.model.Build$BuildExecution.post2(Build.java:183)
at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:733)
at hudson.model.Run.execute(Run.java:1592)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:237)
Caused by: java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391)
at java.net.Socket.connect(Socket.java:579)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:286)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:231)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1900)
... 17 more
Finished: FAILURE
Here is how you can fix it:
Stop Jenkins
Go go edit /var/lib/jenkins/config.xml
Change <useSecurity>true</useSecurity> to false
Restart Jenkins: sudo service jenkins restart
Navigate to the Jenkins dashboard to the "Configure Security" option you likely used before. This time, setup security the same as before, BUT set it to allow anyone to do anything, and allow user signup.
Go to www.yoursite.com/securityRealm/addUser and create a user
Then go change allow anyone to do anything to whatever you actually want users to be able to do. In my case, it is allow logged in users to do anything.
If you installed using apt-get in ubuntu 14.04, you will found the default password in /var/lib/jenkins/secrets/initialAdminPassword location.
Before installing jenkins, create a user named jenkins and set password there. Then after installing jenkins you can use the password you created.
With the default Jenkins installation using Homebrew on macOS this will output the initial password for the admin user:
sudo cat /Users/Shared/Jenkins/Home/secrets/initialAdminPassword
jenkins default administrator password is logged in log file in ubuntu
log file is situated in /var/log/jenkins/jenkins.log folder
password will be placed after this,
Jenkins initial setup is required. An admin user has been created and a password generated.
Please use the following password to proceed to installation:
After Jenkins is installed just run sudo cat /var/lib/jenkins/secrets/initialAdminPassword.
In the Jenkins login page:
User: admin
Password: the output from the above command
On ubuntu 19.04, the default password are stored in the home directory:
cat ~/.jenkins/secrets/initialAdminPassword
The password is present in the log generated by docker run image as shown in the example below.
Jenkins Docker run log
Additionally you can check the directory /var/jenkins_home/secrets/
Its in the file name initialAdminPassword
You can use
cat /var/jenkins_home/secrets/initialAdminPassword
In my case I was using Jenkins Docker Image and I found the initial admin password using this command:
cat ~/secrets/initialAdminPassword
You can always disable security, then go in and re-enable it with the settings you want.
By default, Jenkins account is created without password and with the login shell as /bin/false.
jenkins:x:496:493:Jenkins Continuous Integration Server:/var/lib/jenkins:/bin/false
Change the shell to /bin/bash and you should be able to login without password by sudo su - jenkins.
Command to change the shell is:
chsh -s /bin/bash jenkin
When you install jenkins on your local machine, the default username is admin and password it gets automatically filled.
I was running Jenkins executing java -jar jenkins.war.
In my case Jenkins wrote webroot in an stdout: webroot: $user.home/.jenkins. So admin secret key was placed in a ~/.jenkins/secrets/initialAdminPassword.
I don't believe that the Jenkins user that is installed via apt has a password. If it does, I have never seen documentation. Based on the commands you entered, I am guessing you are using a Debian distro?
Is there any particular reason you must use the jenkins user to do the install instead of the user which was set up when you created your instance?
When installing Jenkins from AWS Marketplace . . .
"A default user "admin"with the instance-id as password is created to secure the Jenkins instance."
On the AWS Console for EC2, with the instance selected, choose the "Usage Instructions" tab:
"AWS Marketplace Usage Instructions
Latest Versions: 2.19.4.2
A default user "admin"with the instance-id as password is created to secure the Jenkins instance. Once the instance is started, copy the public DNS hostname of the server in the AWS Management Console and enter it in your web browser. The welcome screen allows you to request a trial license, start and evaluation, enter a license key, or connect to your instance to Operations Center. Once the license step is done, your instance is fully functional. We recommend enabling security and backups. You can connect with SSH to the server using the "ubuntu"linux user. The JENKINS_HOME is located under "/var/lib/jenkins". Jenkins listens on the following ports: * HTTP 80: through HAProxy, can be configured to use HTTPS:443 instead * Jenkins SSH 2222: primarily for the CloudBees Git Validated Merge Plugin * Jenkins JNLP 10000: communication from Jenkins agents or Jenkins CLI configured to use JNLP protocol. Not exposed by default on security groups."
Similar to the Ubuntu answer above, the Windows admin default password is stored in {jenkins install dir}\secrets\initialAdminPassword file (default install location would it in C:\Program Files (x86)\Jenkins\secrets\initialAdminPassword )
If you don't create a new user when you installed jenkins, then:
user: admin
pass: go to C:\Program Files (x86)\Jenkins\secrets and open the file initialAdminPassword
I am a Mac OS user & following credential pair worked for me:
Username: admin
Password: admin
For me the best method of retrieving admin pass is by executing cat command inside the running container.
docker exec YOUR_JENKINS_CONTAINER cat /var/jenkins_home/secrets/initialAdminPassword
On Windows it can be found in the file "C:\Windows\System32\config\systemprofile\AppData\Local\Jenkins\.jenkins\secrets\initialAdminPassword"
(I know OP specified EC2 server, but this is now the first result on google when searching Jenkins Password)
Jenkins Default username and password
username: admin
And
password available in the root directory .jenkins\secrets\initialAdminPassword just open the file and copy text and paste into password textbox.
Well,
Even I tried to log in with the admin/password which was failed.
So I created my own user like this.
Go to Jenkins home folder (C:\User.jenkins or you can find this in Jenkins server startup logs)
Go to Config file config.xml
set disableSignup to false false
if at all you want to disable login security
4.set ser security to false. true
For mac users: Just run this command
cat ~/.jenkins/secrets/initialAdminPassword
Initial Password of Jenkins is stored in the following directory
cat /var/lib/jenkins/secrets/initialAdminPassword
There are few steps to follow:
Go to the folder: C:\Users\Manjeet\.jenkins .(here in your case, there can be your system name or your name instead of mine)
Open config.xml file using any text editor.(recommended Notepad++)
Go to Line number seven which is like <useSecurity>true</useSecurity>.
So make it change this from true to false.
Save this file and close the window.
Open Command Prompt and start your Jenkins .
(java -jar jenkins.war --httpPort=8085).
Open browser and search for your localhost at your given port number.
(localhost:8085)
You will see it doesn't ask for username and password anymore. Now you have to delete
that existed user and Add new user for setting new username and password.
Steps to make new Admin:
1.Go to people option which present at second number at left hand side below Dashboard
Click on admin option present in a row and than click on delete.
Go to Dashboard, Click on Manage Jenkins, Click on Configure Global Security.
Check the box of Enable security option.
Check the box of Jenkins own user database option and Uncheck Allow user to sign up present just below of it.
6 . Check Logged-in user can do anything option and Uncheck Allow anonymous read access present just below of it.
Make it Save and it will give you a new form for creating new first user. Fill the details correctly and click on Create First Admin User .(it will automatically made a change on that config.xml file just save it. )