Docker: how to grant root privileges to the jenkins user - shell

I have a "docker-jenkins" container with some configured tasks that in the post-build have to run a shell script that move the builded data to a new folder inside the container and then commit to SVN repo.
My problem is that the SH script is executed by "jenkins" user that has not root privileges so my script fails with "permission denied" error.
How can I grant more privileges to jenkins user? Or how can I run the SH script with root privileges?
I'm using Jenkins CI inside a docker container so I suppose that I have to run some docker commands to grant more privileges to jenkins user...
Any ideas?

Related

Permission Denied in Jenkins "Execute shell" step

I'm getting:
[[1;31mERROR[m] Failed to execute goal [32morg.apache.maven.plugins:maven-compiler-plugin:3.1:compile[m [1m(default-compile)[m on project [36mtest[m: [1;31mError while storing the mojo status[m: /var/lib/jenkins/workspace/e2e-tests/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst (Permission denied) -> [1m[Help 1][m
in an "Execute Shell" script (mvn test) in a Jenkins job.
I see that the /var/lib/jenkins/workspace folder has "drwxr-x--- 3 jenkins jenkins" permission. If I get it right, only jenkins user can write in this folder. However if I put "who" in the shell script, I see that the job is executed as root (even though in /etc/default/jenkins I see JENKINS_USER=jenkins).
To resolve the 'permission denied' problem I did:
chmod -R 777 /var/lib/jenkins/workspace
Is this the proper solution? Is it normal for the job to be run as root and not jenkins?
Thanks,
Dinko
I reverted the permissions on the /var/lib/jenkins/workspace back to drwxr-x---, rebooted the Jenkins host and restarted the job. No "Permission Denied" error was logged anymore.
Rebooting the host did solve the issue.

Can't su to jenkins even though login shell is /bin/bash

I can't seem to su to jenkins user even though the login shell is already set to /bin/bash. When I attempt to run sudo su - jenkins -s /bin/bash, the user does not switch and I see the same prompt.
I've rebooted the machine and restarted the service using sudo systemctl restart jenkins.
I made sure that the jenkins login shell is not /bin/false like this question points out. My /etc/passwd shows this for jenkins:
jenkins:x:121:129:Jenkins,,,:/var/lib/jenkins:/bin/bash
Jenkins does run when I reboot the machine, but the service fails to start when I try to restart it.
Any idea why I can't su into jenkins?
Thanks
Edit: the below solution is not what fixed it for me. I'm still not sure what the root cause was, it may have been related to the Jenkins user not having read permission to some files, but I resolved it by reinstalling Jenkins.
It turns out that my /etc/sudoers file had:
jenkins ALL=(ALL:ALL) ALL
I changed it to:
jenkins ALL= NOPASSWD: ALL
and now I can switch to the jenkins user.

Unable To Execute AWS CLI Inside Bash Script via Jenkinsfile

I'm unable to execute AWS CLI via Bash shell script called from a Jenkinsfile.
If the shell script is executed directly inside the Jenkins Docker, the scripts executes without issue, which suggests the assumed IAM role for the Jenkins Docker has the correct permissions.
Any ideas?
I found the issue - in the Jenkinsfile it authorises the script to run via binding authorisation credentials to a certain IAM role, the IAM user assigned to the shell script was was not for the environment in which it was running!
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding',
credentialsId: 'jenkins-ci-aws-iam-user']]) {

How to execute a shell script in Jenkins

I have few shell commands that needs to be executed when a build is getting ready. In Jenkins, I have created a Freestyle project with execute shell options as:
#!/bin/sh
cd /path to kafka folder
bin/zookeeper-server-start.sh config/zookeeper.properties &
bin/kafka-server-start.sh config/server.properties &
cd /path to elasticsearch
bin/elasticsearch
I am able to execute this shell commands from a local file but not through Jenkins.
Here is the Console output I am seeing in Jenkins:
/Users/Shared/Jenkins/tmp/hudson2342342342342357656.sh: line 2: cd: /path to kafka folder: Not a directory
Build step 'Execute shell' marked build as failure
Finished: FAILURE
Any help on how I can fix this? Thanks.
It is a permission issue. Please check your Jenkins user has enough permission to run this shell commands
The best way to find out what's wrong (e.g. permissions issue; folder doesn't exist; etc), do this:
Log into the slave node that is executing this job (if there is none defined, it's probably the Jenkins server itself ("master")
If on "master": become the user that Jenkins runs as (most likely 'jenkins'): sudo su - jenkins (if you have sudo/root access), or su - jenkins (if you know jenkins's password)
If the job runs on another slave, find out as which user the Jenkins server connects. Become that user on the slave node.
cd /path/to/workspace (you can find the job's workspace by looking at the console of a job run)
Now run your commands from a shell as they are in the build step - it may become more apparent on why they fail.

Hudson post build step security issue

Hudson jobs can be configured to have a post build step which can execute shell commands as an option, accidently or intentionally someone can wipe out the hudson home directory
just by running rm command is there a specific set of permission of home directory
which will prevent such scenario
On Linux, you will likely be running the Hudson process as the "hudson" user. Using a combination of chown and chmod, you can set the permissions on the hudson application server directory such that the hudson user only has read-access of the Hudson application server directory.
Hudson stores all of its file storage in /var/lib/jenkins by default (if you're using the .deb package).
so basically, make sure that the hudson user has recursive write access of that directory, allow hudson read-only access of the other Hudson installation files, and no access over any other file.

Resources