docker - How do I create a Jenkins Docker image that uses an ssh key provided for the jenkins user?

Reposted. Author: 行者123. Updated: 2023-12-03 17:52:37

Although I created an image based on the official Jenkins Docker image and copied the .ssh directory into the jenkins user's home (/var/jenkins_home), the owner of /var/jenkins_home/.ssh becomes root, which prevents me from opening an ssh session as the jenkins user. Using RUN chown -R 1000:1000 /var/jenkins_home/.ssh in the Dockerfile does not work.

Also, the permissions of files copied while the image is created become 644 by default. But to be able to open an ssh session, the permissions of /var/jenkins_home/.ssh/id_rsa must be 600.

How can I create an image from the official Jenkins Docker image that provides an ssh key for the jenkins user?

Best answer

The official Jenkins Docker image defines the Jenkins home directory (/var/jenkins_home) as a VOLUME, which prevents RUN chown -R 1000:1000 /var/jenkins_home/... from taking effect:

$ touch test.txt

$ vi Dockerfile
--- Dockerfile ---
FROM jenkins:2.32.3

COPY test.txt /tmp
COPY test.txt /var/jenkins_home/test.txt

USER root

RUN chown 1000:1000 /tmp/test.txt
RUN chown 1000:1000 /var/jenkins_home/test.txt

USER jenkins
--- Dockerfile ---

$ docker build -t myjenkins .
...

$ docker run -it myjenkins /bin/bash
jenkins@750f43b7e9ec:/$ ls -all /var/jenkins_home/test.txt
-rw-r--r-- 1 root root 0 Mar 24 06:54 /var/jenkins_home/test.txt
jenkins@750f43b7e9ec:/$ ls -all /tmp/test.txt
-rw-r--r-- 1 jenkins jenkins 0 Mar 24 06:54 /tmp/test.txt

The official Jenkins Docker image has a solution for this: copy the directories and files that must end up under the jenkins user's home into /usr/share/jenkins/ref/. When the jenkins container starts, it checks whether /var/jenkins_home already has this reference content and copies it there if needed. (See the official Jenkins Docker documentation, "Installing more tools".)
$ touch test.txt

$ vi Dockerfile
--- Dockerfile ---
FROM jenkins:2.32.3

COPY test.txt /usr/share/jenkins/ref/test.txt
--- Dockerfile ---

$ docker build -t myjenkins .
...

$ docker run -it myjenkins /bin/bash
jenkins@1e9520a92f8e:/$ ls -all /var/jenkins_home/test.txt
-rw-r--r-- 1 jenkins jenkins 0 Mar 24 08:21 /var/jenkins_home/test.txt

Now we need to set the file's permissions to 600:
$ touch test.txt

$ vi Dockerfile
--- Dockerfile ---
FROM jenkins:2.32.3

COPY test.txt /usr/share/jenkins/ref/test.txt

USER root

RUN chmod 600 /usr/share/jenkins/ref/test.txt

USER jenkins
--- Dockerfile ---

$ docker build -t myjenkins .
...

$ docker run -it myjenkins /bin/bash
cp: cannot open ‘/usr/share/jenkins/ref/test.txt’ for reading: Permission denied

Strange! The error is thrown by Jenkins's initialization script, jenkins.sh, which runs when the Jenkins container starts. What we can do here is change the file permissions when the container starts instead of in the Dockerfile. So we need an entrypoint script that copies the file to /var/jenkins_home, changes its permissions, and as a last step calls jenkins.sh. I created entrypoint.sh based on https://github.com/openfrontier/docker-jenkins/blob/master/entrypoint.sh.
$ touch test.txt

$ vi entrypoint.sh
--- entrypoint.sh ---
#! /bin/bash -e

# Copy the reference file into the Jenkins home and make it private (600)
cp /usr/share/jenkins/ref/test.txt /var/jenkins_home
chmod 600 /var/jenkins_home/test.txt

echo "start JENKINS"
# if the first 'docker run' argument starts with '--', the user is passing jenkins launcher arguments
if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
    exec /bin/tini -- /usr/local/bin/jenkins.sh "$@"
fi
exec "$@"
--- entrypoint.sh ---

$ vi Dockerfile
--- Dockerfile ---
FROM jenkins:2.32.3

COPY test.txt /usr/share/jenkins/ref/test.txt
COPY entrypoint.sh /entrypoint.sh

USER root

RUN chown 1000:1000 /entrypoint.sh \
&& chmod +x /entrypoint.sh

USER jenkins

ENTRYPOINT ["/entrypoint.sh"]
--- Dockerfile ---


$ docker build -t myjenkins .
...

$ docker run -it myjenkins /bin/bash
start JENKINS
jenkins@770ba9099cb4:/$ ls -all /var/jenkins_home/test.txt
-rw------- 1 jenkins jenkins 0 Mar 24 10:36 /var/jenkins_home/test.txt

Let's do the same for the ssh directory containing the id_rsa and id_rsa.pub files. Note that the directory name I use is ssh rather than .ssh. Otherwise the contents of .ssh would be copied directly into /var/jenkins_home; that is how Docker behaves with directories whose names begin with a dot (e.g. .m2).

Those are all the necessary steps. You can see that I can successfully open an ssh session from inside the container:
$ ls -all
total 8
drwxr-xr-x 3 myuser mygroup 54 Mar 24 13:41 .
drwxr-xr-x 6 myuser mygroup 70 Mar 24 09:54 ..
-rw-r--r-- 1 myuser mygroup 242 Mar 24 13:35 Dockerfile
-rw-r--r-- 1 myuser mygroup 338 Mar 24 13:33 entrypoint.sh
drwx------ 2 myuser mygroup 36 Mar 24 11:24 ssh

$ ls -all ssh/
total 8
drwx------ 2 myuser mygroup 36 Mar 24 11:24 .
drwxr-xr-x 3 myuser mygroup 54 Mar 24 13:41 ..
-rw------- 1 myuser mygroup 1679 Mar 24 11:23 id_rsa
-rw-r--r-- 1 myuser mygroup 391 Mar 24 11:23 id_rsa.pub

$ vi entrypoint.sh
--- entrypoint.sh ---
#! /bin/bash -e

# Move the private key from the reference directory into the Jenkins home
# and make it private (600) so ssh accepts it
mkdir -p /var/jenkins_home/.ssh
mv /usr/share/jenkins/ref/.ssh/id_rsa /var/jenkins_home/.ssh
chmod 600 /var/jenkins_home/.ssh/id_rsa

echo "start JENKINS"
# if the first 'docker run' argument starts with '--', the user is passing jenkins launcher arguments
if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
    exec /bin/tini -- /usr/local/bin/jenkins.sh "$@"
fi
exec "$@"
--- entrypoint.sh ---

$ vi Dockerfile
--- Dockerfile ---
FROM jenkins:2.32.3

# Copy ssh as .ssh
COPY ssh/ /usr/share/jenkins/ref/.ssh
COPY entrypoint.sh /entrypoint.sh

USER root

# Change owner of .ssh directory and files under it to
# jenkins user's owner (1000:1000) and make sure
# permission of id_rsa is not 600.
RUN chown -R 1000:1000 /usr/share/jenkins/ref/.ssh \
&& chmod 644 /usr/share/jenkins/ref/.ssh/id_rsa

RUN chown 1000:1000 /entrypoint.sh \
&& chmod +x /entrypoint.sh

USER jenkins

ENTRYPOINT ["/entrypoint.sh"]
--- Dockerfile ---


$ docker build -t myjenkins .
...

$ docker run -it myjenkins /bin/bash
jenkins@3090dda362d6:/$ ls -all /var/jenkins_home/.ssh/id_rsa
-rw------- 1 jenkins jenkins 1679 Mar 24 08:23 /var/jenkins_home/.ssh/id_rsa

jenkins@3090dda362d6:/$ ssh rose1
The authenticity of host 'rose1 (XX.XX.XX.XX)' can't be established.
ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rose1,XX.XX.XX.XX' (ECDSA) to the list of known hosts.
Last login: Thu Mar 23 15:55:41 2017 from 10.74.200.56
[jenkins@rose1 ~]$

Update 1

I have uploaded the files to GitHub: https://github.com/kumlali/stackoverflow_answers/tree/master/docker_jenkins_ssh_keys/answer1
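As an added example (not the answer's own entrypoint.sh), here is an idempotent version of the key-installation step the answer performs at container start. It copies instead of moving the key, so a restarted container whose entrypoint runs again does not fail, and it creates each file directly with its final mode; the function names, the parameterized paths and the placeholder key files are my own assumptions for running it outside a container.

```shell
#!/bin/bash
# Added example, not the answer's own entrypoint.sh: an idempotent version of
# the step that installs the SSH key from the reference directory into the
# jenkins home. Unlike the answer's script it copies instead of moving the key,
# so a restarted container (whose entrypoint runs again) does not fail, and it
# creates each file with its final mode via install(1), so the private key is
# never briefly readable with a loose mode as it is between cp and chmod.
set -e

# install_ssh_key <ref_dir> <jenkins_home>
# ref_dir/.ssh/* -> jenkins_home/.ssh/* (dir 700, private keys 600, public
# keys / known_hosts / config 644). Returns 1 if the reference dir is missing.
install_ssh_key() {
    src="$1/.ssh"
    dst="$2/.ssh"
    [ -d "$src" ] || { echo "no reference .ssh directory at $src" >&2; return 1; }
    mkdir -p "$dst"
    chmod 700 "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *.pub|known_hosts|config) mode=644 ;;
            *)                        mode=600 ;;   # anything else is treated as a private key
        esac
        install -m "$mode" "$f" "$dst/$name"
    done
}

# mode_of <path>: permission string as printed by ls, e.g. "-rw-------"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo with constructed placeholder files (not real key material).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref/.ssh"
    echo "CONSTRUCTED PRIVATE KEY PLACEHOLDER" > "$tmp/ref/.ssh/id_rsa"
    echo "ssh-rsa AAAA constructed-public-key" > "$tmp/ref/.ssh/id_rsa.pub"
    install_ssh_key "$tmp/ref" "$tmp/home"
    install_ssh_key "$tmp/ref" "$tmp/home"   # second run (container restart) must succeed
    mode_of "$tmp/home/.ssh/id_rsa"          # prints -rw-------
    rm -rf "$tmp"
}
```

In the answer's Dockerfile this would be called as install_ssh_key /usr/share/jenkins/ref /var/jenkins_home before the exec of jenkins.sh.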

Regarding "docker - How do I create a Jenkins Docker image that uses an ssh key provided for the jenkins user?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42999023/
