2017-03-24 23 views
0

When I create an image based on the official Jenkins Docker image and copy the .ssh directory into the jenkins user's home (/var/jenkins_home), the owner of /var/jenkins_home/.ssh becomes root, which prevents me from opening an SSH session as the jenkins user. Using RUN chown -R 1000:1000 /var/jenkins_home/.ssh in the Dockerfile does not work. How can I create a Jenkins Docker image that uses the ssh keys provided for the jenkins user?

Also, by default, the permissions of files copied while building the image become 644. However, to be able to open an ssh session, the permissions of /var/jenkins_home/.ssh/id_rsa must be 600.

How can I create an image from the official Jenkins Docker image that provides ssh keys for the jenkins user?

Answers

0

The official Jenkins Docker image defines the Jenkins home directory (/var/jenkins_home) as a VOLUME, which prevents RUN chown -R 1000:1000 /var/jenkins_home/... from taking effect:

$ touch test.txt 

$ vi Dockerfile 
--- Dockerfile --- 
FROM jenkins:2.32.3 

COPY test.txt /tmp 
COPY test.txt /var/jenkins_home/test.txt 

USER root 

RUN chown 1000:1000 /tmp/test.txt 
RUN chown 1000:1000 /var/jenkins_home/test.txt 

USER jenkins 
--- Dockerfile --- 

$ docker build -t myjenkins . 
... 

$ docker run -it myjenkins /bin/bash 
jenkins@<container-id>:/$ ls -all /var/jenkins_home/test.txt 
-rw-r--r-- 1 root root 0 Mar 24 06:54 /var/jenkins_home/test.txt 
jenkins@<container-id>:/$ ls -all /tmp/test.txt 
-rw-r--r-- 1 jenkins jenkins 0 Mar 24 06:54 /tmp/test.txt 

The official Jenkins Docker image has a workaround for this: directories and files that must be owned by the jenkins user go under /usr/share/jenkins/ref/. When the jenkins container starts, it checks whether /var/jenkins_home already has this reference content and copies it in if needed. (See "Installing more tools" in the official Jenkins Docker documentation.)

$ touch test.txt 

$ vi Dockerfile 
--- Dockerfile --- 
FROM jenkins:2.32.3 

COPY test.txt /usr/share/jenkins/ref/test.txt 
--- Dockerfile --- 

$ docker build -t myjenkins . 
... 

$ docker run -it myjenkins /bin/bash 
jenkins@<container-id>:/$ ls -all /var/jenkins_home/test.txt 
-rw-r--r-- 1 jenkins jenkins 0 Mar 24 08:21 /var/jenkins_home/test.txt 

Now we need to set the file's permissions to 600:

$ touch test.txt 

$ vi Dockerfile 
--- Dockerfile --- 
FROM jenkins:2.32.3 

COPY test.txt /usr/share/jenkins/ref/test.txt 

USER root 

RUN chmod 600 /usr/share/jenkins/ref/test.txt 

USER jenkins 
--- Dockerfile --- 

$ docker build -t myjenkins . 
... 

$ docker run -it myjenkins /bin/bash 
cp: cannot open ‘/usr/share/jenkins/ref/test.txt’ for reading: Permission denied 

Strange! The error is raised by Jenkins' init script, jenkins.sh, which runs when the Jenkins container starts. What we can do here is change the file's permissions at container start instead of in the Dockerfile. So we need an entrypoint script that copies the file into /var/jenkins_home, changes its permissions and, as the last step, calls jenkins.sh. I created entrypoint.sh based on https://github.com/openfrontier/docker-jenkins/blob/master/entrypoint.sh

$ touch test.txt 

$ vi entrypoint.sh 
--- entrypoint.sh --- 
#! /bin/bash -e 

cp /usr/share/jenkins/ref/test.txt /var/jenkins_home 
chmod 600 /var/jenkins_home/test.txt 

echo "start JENKINS" 
# if 'docker run' first argument start with '--' the user is passing jenkins launcher arguments 
if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then 
    exec /bin/tini -- /usr/local/bin/jenkins.sh "$@" 
fi 
exec "$@" 
--- entrypoint.sh --- 

$ vi Dockerfile 
--- Dockerfile --- 
FROM jenkins:2.32.3 

COPY test.txt /usr/share/jenkins/ref/test.txt 
COPY entrypoint.sh /entrypoint.sh 

USER root 

RUN chown 1000:1000 /entrypoint.sh \ 
    && chmod +x /entrypoint.sh 

USER jenkins 

ENTRYPOINT ["/entrypoint.sh"] 
--- Dockerfile --- 


$ docker build -t myjenkins . 
... 

$ docker run -it myjenkins /bin/bash 
start JENKINS 
jenkins@<container-id>:/$ ls -all /var/jenkins_home/test.txt 
-rw------- 1 jenkins jenkins 0 Mar 24 10:36 /var/jenkins_home/test.txt 

Let's put the id_rsa and id_rsa.pub files into an ssh directory. Note that I use ssh rather than .ssh as the directory name. Otherwise the contents of .ssh would be copied directly into /var/jenkins_home. That is how Docker behaves for directories whose names start with a dot (e.g. .m2).

Here are all the necessary steps. You can see that I was able to open an SSH session from inside the container successfully:

$ ls -all 
total 8 
drwxr-xr-x 3 myuser mygroup 54 Mar 24 13:41 . 
drwxr-xr-x 6 myuser mygroup 70 Mar 24 09:54 .. 
-rw-r--r-- 1 myuser mygroup 242 Mar 24 13:35 Dockerfile 
-rw-r--r-- 1 myuser mygroup 338 Mar 24 13:33 entrypoint.sh 
drwx------ 2 myuser mygroup 36 Mar 24 11:24 ssh 

$ ls -all ssh/ 
total 8 
drwx------ 2 myuser mygroup 36 Mar 24 11:24 . 
drwxr-xr-x 3 myuser mygroup 54 Mar 24 13:41 .. 
-rw------- 1 myuser mygroup 1679 Mar 24 11:23 id_rsa 
-rw-r--r-- 1 myuser mygroup 391 Mar 24 11:23 id_rsa.pub 

$ vi entrypoint.sh 
--- entrypoint.sh --- 
#! /bin/bash -e 

mkdir -p /var/jenkins_home/.ssh 
mv /usr/share/jenkins/ref/.ssh/id_rsa /var/jenkins_home/.ssh 
chmod 600 /var/jenkins_home/.ssh/id_rsa 

echo "start JENKINS" 
# if 'docker run' first argument start with '--' the user is passing jenkins launcher arguments 
if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then 
    exec /bin/tini -- /usr/local/bin/jenkins.sh "$@" 
fi 
exec "$@" 
--- entrypoint.sh --- 

$ vi Dockerfile 
--- Dockerfile --- 
FROM jenkins:2.32.3 

# Copy ssh as .ssh 
COPY ssh/ /usr/share/jenkins/ref/.ssh 
COPY entrypoint.sh /entrypoint.sh 

USER root 

# Change owner of .ssh directory and files under it to 
# jenkins user's owner (1000:1000) and make sure 
# permission of id_rsa is not 600. 
RUN chown -R 1000:1000 /usr/share/jenkins/ref/.ssh \ 
    && chmod 644 /usr/share/jenkins/ref/.ssh/id_rsa 

RUN chown 1000:1000 /entrypoint.sh \ 
    && chmod +x /entrypoint.sh 

USER jenkins 

ENTRYPOINT ["/entrypoint.sh"] 
--- Dockerfile --- 


$ docker build -t myjenkins . 
... 

$ docker run -it myjenkins /bin/bash 
jenkins@<container-id>:/$ ls -all /var/jenkins_home/.ssh/id_rsa 
-rw------- 1 jenkins jenkins 1679 Mar 24 08:23 /var/jenkins_home/.ssh/id_rsa 

jenkins@<container-id>:/$ ssh rose1 
The authenticity of host 'rose1 (XX.XX.XX.XX)' can't be established. 
ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX. 
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added 'rose1,XX.XX.XX.XX' (ECDSA) to the list of known hosts. 
Last login: Thu Mar 23 15:55:41 2017 from 10.74.200.56 
[<user>@rose1 ~]$ 

Update 1

I have uploaded the files mentioned above to GitHub: https://github.com/kumlali/stackoverflow_answers/tree/master/docker_jenkins_ssh_keys/answer1
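An added example, not part of the answer above or of the Jenkins project's own scripts: the ref-to-home copy and permission fix that the entrypoint performs, written as shell functions that take the source and destination directories as parameters so they can be exercised on constructed temporary directories outside Docker. Inside the image they would be called with /usr/share/jenkins/ref/.ssh and /var/jenkins_home/.ssh before exec'ing jenkins.sh; that call, the function names, the set of files handled and the pre-start check are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original answer): entrypoint-style helpers that
# install SSH key material from a reference directory into a .ssh directory
# and verify the modes ssh insists on. Directory paths are parameters so the
# functions can run on temp dirs; inside the image they would be called as
#   install_ssh_ref /usr/share/jenkins/ref/.ssh /var/jenkins_home/.ssh
# (hypothetical call, before exec'ing /usr/local/bin/jenkins.sh "$@").

# Octal mode of a path; GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# install_ssh_ref REF_DIR DEST_DIR
# Copies id_rsa, id_rsa.pub, known_hosts and config from REF_DIR into
# DEST_DIR when present, never overwriting a file already in DEST_DIR (a key
# living in a persistent volume wins over the one baked into the image),
# then sets the modes ssh requires: 700 on the dir, 600 on the private key.
install_ssh_ref() {
  local ref="$1" dest="$2" f
  [ -d "$ref" ] || { echo "install_ssh_ref: no such dir $ref" >&2; return 1; }
  mkdir -p "$dest" || return 1
  chmod 700 "$dest" || return 1
  for f in id_rsa id_rsa.pub known_hosts config; do
    [ -f "$ref/$f" ] || continue
    [ -e "$dest/$f" ] && continue
    cp "$ref/$f" "$dest/$f" || return 1
  done
  if [ -f "$dest/id_rsa" ]; then chmod 600 "$dest/id_rsa" || return 1; fi
  if [ -f "$dest/id_rsa.pub" ]; then chmod 644 "$dest/id_rsa.pub" || return 1; fi
  return 0
}

# check_ssh_perms DEST_DIR
# Returns 0 when DEST_DIR and DEST_DIR/id_rsa have the modes ssh accepts,
# 1 (with the reason on stderr) otherwise. Run it before starting Jenkins so
# a bad mode fails the container start rather than a build hours later.
check_ssh_perms() {
  local dir="$1" mode
  [ -d "$dir" ] || { echo "check_ssh_perms: missing $dir" >&2; return 1; }
  mode=$(file_mode "$dir")
  [ "$mode" = "700" ] || { echo "check_ssh_perms: $dir is $mode, want 700" >&2; return 1; }
  [ -f "$dir/id_rsa" ] || { echo "check_ssh_perms: missing $dir/id_rsa" >&2; return 1; }
  mode=$(file_mode "$dir/id_rsa")
  [ "$mode" = "600" ] || { echo "check_ssh_perms: $dir/id_rsa is $mode, want 600" >&2; return 1; }
  return 0
}

# Demo on constructed temp dirs: the ref key starts out 644, as COPY leaves it.
demo_install() {
  local tmp ref dest rc
  tmp=$(mktemp -d) || return 1
  ref="$tmp/ref"; dest="$tmp/jenkins_home/.ssh"
  mkdir -p "$ref"
  printf '%s\n' '-----BEGIN CONSTRUCTED FAKE KEY-----' 'not a real key' \
    '-----END CONSTRUCTED FAKE KEY-----' > "$ref/id_rsa"
  printf 'ssh-rsa AAAA constructed-fake-public-key\n' > "$ref/id_rsa.pub"
  chmod 644 "$ref/id_rsa" "$ref/id_rsa.pub"
  if install_ssh_ref "$ref" "$dest" && check_ssh_perms "$dest"; then rc=0; else rc=1; fi
  echo "id_rsa mode after install: $(file_mode "$dest/id_rsa") (check rc=$rc)"
  rm -rf "$tmp"
  return $rc
}

demo_install
```

The check only tells you that ssh inside the running container will accept the key. A private key added with COPY is still present in the image layer whatever the entrypoint later does to its mode, so anyone who can pull the image can read it; the entrypoint approach fixes usability, not exposure.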

0

I found a slightly more complicated but more general way to achieve this. The new solution requires:

The main idea here is to copy the SSH keys into a directory other than JENKINS_HOME and, using a post-initialization script and the ssh-agent plugin, add them to Jenkins' credentials as SSH credentials.

I have uploaded the necessary settings and instructions to GitHub: https://github.com/kumlali/stackoverflow_answers/tree/master/docker_jenkins_ssh_keys/answer2
