Dockerfile failed to change user access - bash

I want to run jenkins on docker and change the user access so could read the SSH key and access git.
Here is sample of the dockerfile
FROM jenkins/jenkins:lts
USER root
COPY --chown=jenkins:jenkins id_rsa $JENKINS_HOME/.ssh/id_rsa
COPY --chown=jenkins:jenkins id_rsa.pub $JENKINS_HOME/.ssh/id_rsa.pub
RUN /bin/bash -c 'ls -la $JENKINS_HOME/.ssh; chmod 600 -R $JENKINS_HOME/.ssh; ls -la $JENKINS_HOME/.ssh'
The output upon build is a success, access has been changed!
Step 3/3 : RUN /bin/bash -c 'ls -la $JENKINS_HOME/.ssh; chmod 600 -R $JENKINS_HOME/.ssh; ls -la $JENKINS_HOME/.ssh'
---> Running in 137d1a4f9f6d
total 16
drwxr-xr-x 2 jenkins jenkins 4096 Jan 8 04:11 .
drwxr-xr-x 3 jenkins jenkins 4096 Jan 8 04:11 ..
-rwxr-xr-x 1 jenkins jenkins 1843 Jan 2 02:33 id_rsa
-rwxr-xr-x 1 jenkins jenkins 413 Jan 2 02:33 id_rsa.pub
total 16
drw------- 2 jenkins jenkins 4096 Jan 8 04:11 .
drwxr-xr-x 3 jenkins jenkins 4096 Jan 8 04:11 ..
-rw------- 1 jenkins jenkins 1843 Jan 2 02:33 id_rsa
-rw------- 1 jenkins jenkins 413 Jan 2 02:33 id_rsa.pub
Removing intermediate container 137d1a4f9f6d
---> 7d6334d2b044
However when I go inside the /bin/bash the access is set to default, the chmod was not working
jenkins#f49048ec8c88:/$ ls -al /var/jenkins_home/.ssh/
total 16
drwxr-xr-x 2 jenkins jenkins 4096 Jan 8 04:25 .
drwxr-xr-x 16 jenkins jenkins 4096 Jan 8 04:26 ..
-rwxr-xr-x 1 jenkins jenkins 1843 Jan 2 02:33 id_rsa
-rwxr-xr-x 1 jenkins jenkins 413 Jan 2 02:33 id_rsa.pub
any idea why the behavior is this way?

This happened because $JENKINS_HOME is defined as VOLUME in jenkins:lts base image. You can workaround this in any of the 3 ways
You can fix the permissions on host machine before building and it should work.
You can use multi stage build, change the permission and copy files from first stage
FROM jenkins/jenkins:lts as base
USER root
COPY --chown=jenkins:jenkins id_rsa /tmp/ssh_keys/
COPY --chown=jenkins:jenkins id_rsa.pub /tmp/ssh_keys/
RUN chmod 600 -R /tmp/ssh_keys
FROM jenkins/jenkins:lts
USER root
COPY --chown=jenkins:jenkins --from=base /tmp/ssh_keys $JENKINS_HOME/.ssh
You can copy and change permissions of the files in a temporary directory as part of build. As part of your startup script(entrypoint), you can copy them from the temporary directory to actual directory.

Because the command /bin/bash is just for that session. If you want it to be permanent, put it inside .profile.

Related

Setting permission for mounted folder - How to add write permission for group?

I mounted my windows device's folder to a ubuntu instance and cannot grant it group write permission:
drwxrwxr-x 2 user user 4096 Jul 15 10:25 new
drwxrwxr-x 4 user2 user2 4096 Jul 16 22:10 downloads
drwxr-xr-x 2 vidsuser vidsgroup 20480 Jul 17 08:31 archives
I tried a couple things eg:
sudo chgrp -R vidsgroup .archives
sudo chmod g+w ./archives
sudo chmod g+rwx ./archives/
the archives folder is the mount point and I cant change the permissions for this. What could I do?

File not found in Gitlab-CI

I've already seen this question/answer here, but the solution isn't working for a Flutter project I'm working on.
Here's my yaml file:
image: cirrusci/flutter
variables:
before_script:
- flutter channel beta
- flutter upgrade
stages:
# - build
- test
#build:
# stage: build
# script:
# - flutter build apk
unitTests:
stage: test
script:
# - ls -la /opt/application/
# - ls -la ~/
- bash -c "echo \"$APP_VARS\" > ./cfg/env.json"
- flutter test test/widget_test.dart
Which yielded a cannot access <filename/directory>: File or Directory Not Found error with both ls -la /opt/application/ and bash -c "echo \"$APP_VARS\" > ./cfg/env.json"
Her's the output from ls -la ~/:
$ ls -la ~/
total 72
drwxr-xr-x. 1 cirrus cirrus 4096 Jul 9 19:16 .
drwxr-xr-x. 1 root root 4096 Mar 7 2018 ..
drwxr-xr-x. 1 cirrus cirrus 4096 Jul 9 19:17 .android
-rw-r--r--. 1 cirrus cirrus 220 May 15 2017 .bash_logout
-rw-r--r--. 1 cirrus cirrus 3526 May 15 2017 .bashrc
-rw-r--r--. 1 cirrus cirrus 24 Jul 9 19:16 .flutter
-rw-r--r--. 1 cirrus cirrus 675 May 15 2017 .profile
drwxr-xr-x. 1 cirrus cirrus 4096 Jul 9 19:16 .pub-cache
drwxr-xr-x. 1 cirrus cirrus 4096 Jul 9 19:16 sdks
My intent is to inject environment variables via the CI for use during testing (and hopefully deployment, although I haven't gotten that far yet).
The solution is two-part:
First, the /builds/**/cfg/ directory actually didn't exist. To fix this, you have two options-- do a mkdir or commit/push a file in the repo. I added an empty .gitignore to my cfg directory.
Then, that yielded a Permission Denied error. To solve this, I first tried to sudo my commands (which let me perform the mkdir mentioned above). When that didn't work, I did a chmod -R 777 /builds/, and that fixed my issue.
Going forward, I plan to use chmod [-R] 644 or chmod [-R] 755 instead and do a chmod +x on any files I need to run via a shell script.
I also moved my environment configuration script to the before_script: section in the gitlab YAML, but I don't believe that was necessary.
See for info on chmod.

How can I ensure an application is correctly found on the path with Ubuntu SSH

Context
I have a shell script which is called from Jenkins remotely via SSH. If I SSH to the user account manually and then run the script it works. However, when Jenkins does this (same user account but executes command as an argument to the SSH command) it fails to find an application on the path.
Environment
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial
uname-a Linux 4.4.0-1066-aws #76-Ubuntu SMP Thu Aug 16 16:21:21 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Contents of Home Directory
ls -la
total 76
drwxr-xr-x 7 app app 4096 Sep 3 07:49 .
drwxr-xr-x 4 root root 4096 Aug 19 14:31 ..
-rw------- 1 app app 12235 Sep 3 07:52 .bash_history
drwx------ 3 app app 4096 Aug 28 17:06 .cache
drwx------ 2 app app 4096 Aug 22 16:07 .docker
-rw-rw-r-- 1 app app 6064 Sep 1 15:19 docker-compose.yml
drwx------ 4 app app 4096 Aug 22 14:37 .local
drwxrwxr-x 2 app app 4096 Aug 28 17:15 .nano
-rw-rw-r-- 1 app app 97 Aug 22 16:00 .profile
-rwxrw-r-- 1 app app 177 Aug 28 07:45 run-all-apps.sh
-rwxrw-r-- 1 app app 476 Aug 28 07:45 run-apps.sh
-rw-rw-r-- 1 app app 66 Aug 28 17:15 .selected_editor
drwx------ 2 app app 4096 Sep 3 07:49 .ssh
-rw------- 1 app app 10496 Sep 3 07:49 .viminfo
Contents of .profile:
cat .profile
# set PATH so it includes user's private bin directories
PATH="$HOME/bin:$HOME/.local/bin:$PATH"
Contents Of Failing Script
cat ./run-apps.sh
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'
# Authenticate for ECR
eval $(aws ecr get-login --region eu-west-1 --no-include-email)
How The Script Is Run
In a Jenkinsfile we have this:
sshagent(credentials: ['server-ssh']) {
sh "ssh -o StrictHostKeyChecking=no -p 22 -l app ${ENVIRONMENT_HOST_NAME} './run-apps.sh'"
}
Observed Result Of Running The Script
./run-apps.sh: line 12: aws: command not found
Other Information
If I SSH to the server using the same user that Jenkins uses I can run the AWS CLI:
whoami
app
and
which aws
/home/app/.local/bin/aws
finally:
aws --version
aws-cli/1.15.83 Python/2.7.12 Linux/4.4.0-1066-aws botocore/1.10.82
Is this perhaps something to do with the use of eval and the environment not being propagated or something, e.g. the .profile isn't run and therefore the application isn't on the path.

How do I use chmod to change permissions?

I want to enable Remote Connections to MySQL on 1&1
i followed their explanation
https://help.1and1.com/servers-c37684/dedicated-server-linux-c37687/administration-c37694/enable-remote-connections-to-mysql-a781586.html
but the file system is Read-only.
with ls -l ==>
drwxr-xr-x 3 root root 4096 Nov 8 16:43 mysql
inside this folder mysql i have this file
-rw-r--r-- 105 root root 3533 Oct 22 2015 my.cnf
with ls -alt
***drwxr-xr-x 88 root root 4096 Nov 8 16:52 ..
drwxr-xr-x 3 root root 4096 Nov 8 16:43 .
-rw-r--r-- 105 root root 3533 Oct 22 2015 my.cnf***
I want to modify this file with chmod
but i have this error
chmod: changing permissions of 'my.cnf': Read-only file system
How to make a my.cnf writable? and after modification make it readable
Thanks
If a filesystem has been mounted read-only, chmod will not work since it's a write operation too.
sudo mount -o remount,rw '/mnt/yourmounthere'
If the device has a write lock on it (like SD memory cards), you need to turn it off. Hardware locks cannot be disabled by software. Note that the write lock on SD memory cards is located from the sight you see the letters near the up left corner and it looks like a very small switch.
"sudo chmod 777 my.cnf" for change like root user

BitBucket error when trying to push on OSX

Problem:
silver#calypso:~/Projects/scool% hg push -v
pushing to ssh://sssilver#bitbucket.org/sssilver/scool
running ssh sssilver#bitbucket.org 'hg -R sssilver/scool serve --stdio'
remote: Permission denied (publickey).
abort: no suitable response from remote hg!
I do have my public key uploaded into my BitBucket account.
Permissions on my keys seem to be fine:
silver#calypso:~/Projects/scool% ls -al ~/.ssh
total 40
drwx------ 6 silver staff 204 Mar 10 12:10 .
drwxr-xr-x+ 59 silver staff 2006 Apr 6 03:30 ..
-rw------- 1 silver staff 1766 Feb 9 18:10 id_rsa
-rw-r--r-- 1 silver staff 400 Feb 9 18:10 id_rsa.pub
-rw-r--r-- 1 silver staff 3560 Apr 6 03:15 known_hosts
The identity appears to be properly loaded:
silver#calypso:~/Projects/scool% ssh-add -l
2048 20:3b:9b:9f:b0:72:8f:a0:cd:40:6f:44:f9:28:86:5b /Users/silver/.ssh/id_rsa (RSA)
I seem to be able to even properly log into the bitbucket.org SSH server:
silver#calypso:~/Projects/scool% ssh -T hg#bitbucket.org
logged in as sssilver.
You can use git or hg to connect to Bitbucket. Shell access is disabled.
And my ssh-agent indeed seems to be running:
silver#calypso:~/Projects/scool% ps -e |grep ssh-agent
2866 ?? 0:00.10 /usr/bin/ssh-agent -l
2919 ?? 0:00.04 ssh-agent
2962 ttys000 0:00.00 grep ssh-agent
Note that my system is OSX Maverick, however I haven't tried doing this on other systems/devices.
What could be causing this strange behavior?

Resources