I'm trying to set up our Jenkins instance to run docker containers rootless.
When Jenkins starts the container, the -u flag is passed with the id of the Jenkins runner.
The runner is named "runner" and has UID 3217 and thus Jenkins executes:
docker run -u 3217:100 -v /opt/build/agent/job/:/opt/build/agent/job:rw,z image
The first thing jenkins does, from inside the container:
touch /opt/build/agent/job/jenkins.log; however, this results in a "Permission denied" error.
When I bash into the container and run id:
uid=3217 gid=100(users) groups=100(users)
is returned (which is expected). Additionally, when I run ls -la /opt/build/agent/job all files and directories are owned by root:
This is in contrast to when I exit out of the container and, as the runner user, run ls -la against the mount point, where every file is owned by runner:users and thus can easily be manipulated from outside the container by the same user.
I'm unable to remove the -u argument from Jenkins, and I'm at a loss as to how to mitigate this issue.
Is there any way for docker to mount the directories with the same permissions specified with the -u argument?

No. Docker does not change any permissions.
The directory has the permissions that it has. If the directory does not exist, it will be created by dockerd process, which runs as root, so the directory will be owned by root.
If you want the directory to have different permissions, create the directory yourself, or chmod it. If you do not want the directory to be auto-created as root, you can use
--mount type=bind,source=/opt/build/agent/job/,target=/opt/build/agent/job,bind-propagation=shared,rw, but I have no idea about selinux then.
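A host-side preflight for the situation in the question, as an added example that is not code from the question or the answer: since Docker does not rewrite ownership on a bind mount, the script pre-creates the directory for the UID:GID that will be passed to docker run -u and checks, from the host's ownership and mode bits, whether that identity can write into it. It covers classic mode bits only (no ACLs, supplementary groups or SELinux labels); the paths, UIDs and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the question or answer above.
# Docker does not rewrite ownership of a bind-mounted host directory, so
# whether the UID:GID given to `docker run -u` can write into it is decided
# by the host's ownership and mode bits. Classic mode bits only: ACLs,
# supplementary groups and SELinux labels (the :z option) are out of scope.
# Paths, UIDs and function names below are assumptions for illustration.

# can_write_as DIR UID GID -> exit 0 if UID:GID may write DIR by its mode bits
can_write_as() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] || return 1
    # GNU stat: numeric owner, numeric group, octal mode (e.g. "775" or "1777")
    info=$(stat -c '%u %g %a' "$dir") || return 1
    set -- $info
    owner=$1; group=$2
    perm=$(( 0$3 & 0777 ))           # keep only the three rwx triples
    if [ "$owner" -eq "$uid" ]; then
        off=6                        # owner triple
    elif [ "$group" -eq "$gid" ]; then
        off=3                        # group triple
    else
        off=0                        # other triple
    fi
    [ $(( (perm >> off) & 2 )) -ne 0 ]   # write bit is 2 in each rwx triple
}

# prepare_mount_dir DIR UID GID -> create DIR before `docker run` so dockerd
# does not auto-create it as root, and hand it to the container user
# (chown needs root on the host when UID:GID is not the caller's own).
prepare_mount_dir() {
    dir=$1; uid=$2; gid=$3
    mkdir -p "$dir" &&
    chown "$uid:$gid" "$dir" &&
    chmod 775 "$dir"
}

# Wiring for the setup in the question (run on the Jenkins host before the job):
#   prepare_mount_dir /opt/build/agent/job 3217 100
#   can_write_as /opt/build/agent/job 3217 100 || echo "not writable for 3217:100"
#   docker run -u 3217:100 -v /opt/build/agent/job/:/opt/build/agent/job:rw,z image
```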