Could you please let me know how to run a gradle image (pulled from docker repository), with jib plugin and running as non-root user in Kubernetes pod?
I have build a gradle image using Gradle 4.6.
I’m using this image in my Kubernetes pod.
When I run the image as user - root, the gradle build is successful.
When I run the image as non-root user (because of pod RBAC enablement), the build fails as gradle is unable to create /.gradle directory and there are no sufficient privileges and getting the below error.
Failed to load native library 'libnative-platform.so' for Linux amd64.
Is there any way to grant the non-root user passed via securityContext to perform the build successfully using the gradle image?
Is there a better way to resolve the issue without changing the directory permission to 777 .
Thanks in advance!!
Check if /.gradle directory is already created by root
E.g. using stat command. You might see that current user doesn't have enough permissions to work with it:
$ stat ~/.gradle | grep Uid
> Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
If so, change owner of the directory:
$ sudo chown -R $USER ~/.gradle
Where
sudo chown -R does recursive owner update
$USER contains current username
I believe you are talking about the official Gradle image on Docker Hub.
The gradle:4.6 image is designed and meant to be run as user gradle (UID 1000).
$ docker inspect gradle:4.6 --format '{{.Config.User}}'
gradle
$ docker run --rm --entrypoint id gradle:4.6
uid=1000(gradle) gid=1000(gradle) groups=1000(gradle)
Therefore, it only works when running the image as user root (UID 0) or gradle (UID 1000).
# These all work.
$ docker run --rm --user 0 gradle:4.6
$ docker run --rm --user root gradle:4.6
$ docker run --rm --user 1000 gradle:4.6
$ docker run --rm --user gradle gradle:4.6
# However, this doesn't work.
$ docker run --rm --user 1234 gradle:4.6
FAILURE: Build failed with an exception.
* What went wrong:
Failed to load native library 'libnative-platform.so' for Linux amd64.
* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
* Get more help at https://help.gradle.org
Therefore, you just need to make sure that you run the container as user 1000 or gradle (on whatever container runtime environment you use). And because the image gradle:4.6 is configured to run as 1000, when you build a new image based on gradle:4.6, it should run OK on almost all container runtime platforms (unless you override the configured user at the platform level).
(Now, the following assumes that you are using Jib to build another Gradle-like image based on gradle:4.6 and that you are using this new Gradle-like image on Kubernetes. That is, the following doesn't apply if you are using Jib to containerize a normal application image inside gradle:4.6.)
However, there is a bug in Jib that does not inherit the configured user from the base image. The bug will be fixed in the next 2.3.0 release. In the meantime, you can explicitly tell Jib to configure the user in the built image. In build.gradle, set
jib.container.user = 'gradle:gradle'
or if you prefer numeric UID and GID,
jib.container.user = '1000:1000'
. Or you can set the system property on the command-line:
./gradlew -Djib.container.user='gradle:gradle' ... jib
Another option is to set the correct user on the Kubernetes side. For example, within securityContext, you can set runAsUser: 1000 and runAsGroup: 1000.
Finally, although gradle:4.6 is built to run as user gradle (UID 1000), I see that recently they have reverted this decision. Now gradle:latest is configured to run as root.
$ docker run --rm --entrypoint id gradle
uid=0(root) gid=0(root) groups=0(root)
Related
I'm looking for a docker image to build my gradle project which also need a docker engine to execute gradle bootBuildImage command. Any recommandation ?
Thanks,
Dan
If you use the Gradle wrapper scripts (which you should), you can use any image you like as long as it has Java on it. OpenJDK is a good match.
If you don't use the wrapper scripts, you need to have an image with Gradle installed. The official Gradle image should do.
But I think what you are really asking is how to build a docker image inside a container. The bootBuildImage task doesn't need the local Docker cli tools, and only needs to connect to a daemon. That daemon could be running on a remote host, but you can also make it connect to your local host outside the container. To do this, mount the local docker socket.
Here is an example that mounts the current directory inside a container and builds a Docker image in it through the Spring Boot plugin for Gradle:
docker run --rm \
-v gradle-cache:/home/gradle/.gradle \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD":/home/gradle/project \
-w /home/gradle/project \
gradle:6.7.0-jdk11 \
gradle --no-daemon bootBuildImage
Note that it persists the Gradle home directory in a volume, which means you can't run this command concurrently. Delete the volume when no longer needed with docker volume rm gradle-cache.
Also note that it executes the build as root.
My Spring Boot project contains the Spring Boot Maven Plugin which I use for building a Docker image by running mvn spring-boot:build-image.
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>build-image</goal>
</goals>
</execution>
</executions>
</plugin>
When deploying this image to a Docker stack I need to run a healthcheck using the curl command but unfortunately curl is not installed by the default buildpack.
Is it possible to further tweak the image building process so that curl gets installed into the iamge? I couldn't find the necessary information
TLDR;
Install curl into the build image with:
docker run --user="root" --entrypoint launcher my-app:0.0.1-SNAPSHOT "apt-get update && apt-get install curl -y"
Crab container id of the stopped container with docker ps -a:
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2ff7db32825f my-app:0.0.1-SNAPSHOT "launcher 'apt-get u…" 44 minutes ago Exited (0) 44 minutes ago reverent_swanson
Create a new container image based on the one we installed curl into with:
docker commit 2ff7db32825f my-app-with-curl
Fire up a new container defining the correct ENTRYPOINT to start Spring Boot app:
docker run --rm -p 8080:8080 --user="cnb" --entrypoint /cnb/process/web my-app-with-curl
Now curl should be ready inside your container.
Details of the solution:
The reasoning behind Cloud Native Buildpacks (CNBs) & Paketo.io, which are basically abstracted away by the spring-boot-maven-plugins build-image goal, is to free us from the need to write/maintain our own Dockerfiles. So the inversion of this is: It's easy to configure the build process, but it is not easy to change things like installed packages.
The reason is, that those packages are maintained in a so called stack, that manages the used build-time and run-time images. And if the stack doesn't define a Mixin for your OS-level dependency, then you can't simply add another package. It would also not suffice to create your own simple buildpack (I tried this approach). And creating your own stacks, buildpacks and/or builders would also negate the huge benefits that Cloud Native Buildpacks provide! Amongst other things we would be also forced to keep the images updated ourselves...
But there's another solution. As we don't want to create our own stacks/buildpacks, we can tweak the container image which has been created by CNBs/spring-boot-maven-plugin. Because the official docs show us how to hook into the startup process of the produced containers and run shell scripts for example. Let's assume our mvn spring-boot:build-image command produced a container image called my-app:0.0.1-SNAPSHOT.
Then first we install curl into the image with:
docker run --user="root" --entrypoint launcher my-app:0.0.1-SNAPSHOT "apt-get update && apt-get install curl -y"
We need to use --user="root" here in order that the command apt-get update && apt-get install curl -y will run successfully (otherwise we would run into errors like List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied)). This will install curl, but we shouldn't use the resulting container in production. Because our Spring Boot app would run using the root user, which would introduce a variety of security problems. Also we've overwritten the ENTRYPOINT of our container, so it wouldn't be able to start our app.
Therefore we simply start this stopped container with a new command, entrypoint & user! Simply crab the container id of the stopped container with docker ps -a:
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2ff7db32825f my-app:0.0.1-SNAPSHOT "launcher 'apt-get u…" 44 minutes ago Exited (0) 44 minutes ago reverent_swanson
And create a new container image based on the one we installed curl into with:
docker commit 2ff7db32825f my-app-with-curl
Finally fire up a new container based on this new image, defining the correct ENTRYPOINT to start our Spring Boot app and also using the cnb user again (as defined in the Cloud Native Buildpacks):
docker run --rm -p 8080:8080 --user="cnb" --entrypoint /cnb/process/web my-app-with-curl
Off topic but relevant:
There are ongoing discussions if it is desired to install curl in a production container. See this post for example.
I ended up using a mounted volume (/utils for instance) with a static compiled curl (https://github.com/moparisthebest/static-curl) and configured health checker like
/utils/curl http://localhost:8080/actuator/health
I was following this post - the reference code is on GitHub. I have cloned the repository on my local.
The project has got a react app inside it. I'm trying to run it on my local following step 7 on the same post:
docker run -p 8080:80 shakyshane/cra-docker
This returns:
Unable to find image 'shakyshane/cra-docker:latest' locally
docker: Error response from daemon: pull access denied for shakyshane/cra-docker, repository does not exist or may require 'docker login'.
See 'docker run --help'.
I tried login to docker again but looks like since it belongs to #shakyShane I cannot access it.
I idiotically tried npm start too but it's not a simple react app running on node - it's in the container and containers are not controlled by npm
Looks like docker pull shakyshane/cra-docker:latest throws this:
Error response from daemon: pull access denied for shakyshane/cra-docker, repository does not exist or may require 'docker login'
So the question is how do I run this docker image on my local mac machine?
Well this is illogical but still sharing so future people like me don't get stuck.
The problem was that I was trying to run a docker image which doesn't exist.
I needed to build the image:
docker build . -t xameeramir/cra-docker
And then run it:
docker run -p 8080:80 xameeramir/cra-docker
In my case, my image had TAG specified with it and I was not using it.
REPOSITORY TAG IMAGE ID CREATED SIZE
testimage testtag 189b7354c60a 13 hours ago 88.3MB
Unable to find image 'testimage:latest' locally for this command docker run testimage
So specifying tag like this - docker run testimage:testtag worked for me
Posting my solution since non of the above worked.
Working on macbook M1 pro.
The issue I had is that the image was built as arm/64. And I was running the command:
docker run --platform=linux/amd64 ...
So I had to build the image for amd/64 platform in order to run it.
Command below:
docker buildx build --platform=linux/amd64 ...
In conclusion your docker image platform and docker run platform needs to be the same from what I experienced.
In my case, the docker image did exist on the system and still I couldn't run the container locally, so I used the exact image ID instead of image name and tag, like this:
docker run myContainer c29150c8588e
I received this error message when I typed the name/character wrong. That is, "name1\name2" instead of "name1/name2" (wrong slash).
In my case, I saw this error when I had logged in to the dockerhub in my docker desktop. The repo I was pulling was local to my enterprise. Once i logged out of dockerhub, the pull worked.
This just happened to me because my local docker vm on macos ran out of disk space.
I just deleted some old images using docker image prune and it started working correctly again.
shakyshane/cra-docker Does not exist in that user's repo https://hub.docker.com/u/shakyshane/
The problem is you are trying to run an imagen that does not exists. If you are executing a Dockerfile, the image was not created until Dockerfile pass with no errors; so when Dockerfile tries to run the image, it can't find it. Be sure you have no errors in the execution of your scripts.
The simplest answer can be the correct one!.. make sure you have permissions to execute the command, use:
sudo docker run -p 8080:80 shakyshane/cra-docker
In my case, I didn't realise there was a difference between docker run and docker start, and I kept using the run command when I should've been using the start command.
FYI, run is for building and creating the docker container, start is to just start a stopped container
Use -d
sudo docker run -d -p 8000:8000 rasa/duckling
learn about -d here
sudo docker run --help
At first, i build image on mac-m1-pro with this command docker build -t hello_k8s_world:0.0.1 ., when is run this image the issue appear.
After read Master Yi's answer, i realize the crux of the matter and rebuild my images like this docker build --platform=arm64 -t hello_k8s_world:0.0.1 .
Finally,it worked.
I already searched the related questions like here;
How do I get initial admin password for jenkins on Mac?
and here;
How to recover Jenkins password
However, I cannot find a solution for my problem.
I am following the instructions to install jenkins on this link;
https://jenkins.io/doc/book/installing/
and I have run the following commands to install and tried to make it run on my local machine (mac os);
docker run \
-u root \
--rm \
-d \
-p 8080:8080 \
-p 50000:50000 \
-v jenkins-data:/var/jenkins_home \
-v /var/run/docker.sock:/var/run/docker.sock \
jenkinsci/blueocean
It installs it properly but when I get to the login screen it asks for the initial admin password. Because the installation runs in (-d mode) backend, I cannot see the initial password after the installation completes. When I remove -d for the installation, then the installation does not work.
I also checked the shared folder (User/Shared/Jenkins/Home) directory and there was no secrets folder in it. So I created one manually and followed the instructions (in the answers) on this link again;
How do I get initial admin password for jenkins on Mac?
Afterwards, I removed the related docker process and restarted all the installation process from the beginning but I got the same result.
In this case, how can I find this initial admin password or how can I generate it again?
BTW: I am also checking the logs (where in /var/log/jenkins) but it seems that it stopped writing there after my first install attempt and I also couldn't find the initial password there).
docker exec <container_name> cat /var/jenkins_home/secrets/initialAdminPassword
I tried looking into the container's filesystem, but there's no secrets folder in it. But I found the solution in the jenkins documentation here
Docker outputs the initial secret to the console
To view the console use the command
docker logs <container id of jenkins>
output is somemthing like this:
If you are using Mac and Docker installation for Jenkins follow bellow steps to get initial administer password to start authentication in Jenkins Console. Type below command in Terminal.
(Note: This is working, if you have follow default steps in Jenkins documentation to install Jenkins in Docker environment)
Find the running containers
: docker ps
Copy the running containerID
: docker exec -it <containerID> bash
: cd /var/jenkins_home/secrets
: cat initialAdminPassword
Use secret password showing in terminal and used as initial password for Jenkins Console.
If you have installed Jenkins via docker, then the following command can give you the initial admin password. Assuming your container name/docker image name is jenkins
docker exec `docker ps | grep jenkins | awk '{ print $1}' ` cat /var/jenkins_home/secrets/initialAdminPassword
docker exec $(docker ps -q) cat /var/jenkins_home/secrets/initialAdminPassword
For me username was: admin
and you can find password by:
docker exec jenkins cat /var/jenkins_home/secrets/initialAdminPassword
my container name is jenkins
Can you install docker-compose and docker toolbox on your Mac?
https://docs.docker.com/compose/install/
Try to execute this docker-compose.yml file:
version: '3.1'
services:
blue-ocean:
image: jenkinsci/blueocean:latest
container_name: blue-ocean
restart: always
environment:
TZ: America/Mexico_City
ports:
- 8080:8080
- 50000:50000
tty: true
volumes:
- ./jenkins-data:/var/jenkins_home
- ./sock:/var/run/docker.sock
Only you need to create a folder with a docker-compose.yml file inside and execute the docker-compose up -d command in terminal, then the folders jenkins-data and sock will be created and inside of jenkins-data appear the directory ./jenkins-data/secrets/initialAdminPassword, open this file and copy the content and paste on the input of web view that requires it.
I'm using the current Jenkins Maven Project tutorial using Docker:
https://jenkins.io/doc/tutorials/build-a-java-app-with-maven/
I keep getting this error at the Build stage:
[simple-java-maven-app] Running shell script
sh: can't create
/var/jenkins_home/workspace/simple-java-maven-app#tmp/durable-bae402a9/jenkins-log.txt:
nonexistent directory
sh: can't create
/var/jenkins_home/workspace/simple-java-maven-app#tmp/durable-bae402a9/jenkins-result.txt:
nonexistent directory
I've tried setting least restrictive permissions with chmod -R 777, chown -R nobody and chown -R 1000 on the listed directories, but nothing seems to work.
This is happening with the jenkins image on Docker version 17.12.0-ce, build c97c6d6 on Windows 10 Professional.
As this is happening with the Maven project tutorial on the Jenkins site, I'm wondering how many others have run into this issue.
I had also the same problem on MacOSX.
After few hours of research, I have finally find the solution.
To solve the problem, it's important to understand that Jenkins is inside a container and when the docker agent inside this container talk to your docker engine, it give path to mount volume matching inner the container. But your docker engine is outer. So to allow to work correctly path inner the container must match the same path outer the container in your host.
To allow working correctly, you need to change 2 things.
docker run arguments
Jenkinsfile docker agent arguments
For my own usage, I used this
docker run -d \
--env "JENKINS_HOME=$HOME/Library/Jenkins" \
--restart always \
--name jenkins \
-u root \
-p 8080:8080 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $HOME/Library/Jenkins:$HOME/Library/Jenkins \
-v "$HOME":/home \
jenkinsci/blueocean
In the Jenkinsfile
Replace the agent part
agent {
docker {
image 'maven:3-alpine'
args '-v /root/.m2:/root/.m2'
}
by
agent {
docker {
image 'maven:3-alpine'
args '-v <host_home_path>/.m2:/root/.m2'
}
It's quite likely that this issue resulted from a recent change in Docker behaviour, which was no longer being handled correctly by the Docker Pipeline plugin in Jenkins.
Without going into too much detail, the issue was causing Jenkins to no longer be able to identify the container it was running in, which results in the errors (above) that you encountered with these tutorials.
A new version (1.15) of the Docker Pipeline plugin was released yesterday (https://plugins.jenkins.io/docker-workflow).
If you upgrade this plugin on your Jenkins (in Docker) instance (via Manage Jenkins > Manage Plugins), you'll find that these tutorials should start working again (as documented).
The error message means that the directory durable-bae402a9 was not created.
Walk back through the tutorial to find the step that should have created that directory, and make whatever changes are needed to make sure it succeeds.