Running Docker containers as non root

Running containers as root is a bad practice, but many Docker images available in the Docker Hub have the user set to root by default, so what can we do about it?

TL;DR Use -u 65534 -w /tmp -e _JAVA_OPTIONS=-Duser.home=/tmp for a typical Java image, plus any tool specific environment variable needed

Option 1 (build time):

Create a new derived image that creates a new user and changes the default to that one


FROM openjdk:8-jdk
RUN useradd --create-home -s /bin/bash user
WORKDIR /home/user
USER user

This is simple, but forces us to republish all these derived images, creating a maintenance nightmare.

Option 2 (runtime):

Use docker run -u option to choose what user to run the container as

docker run -ti --rm -u 1000 openjdk:8-jdk

This may work, but we can hit some issues, let’s see

$docker run -ti --rm -u 1000 openjdk:8-jdk git clone https://github.com/jenkinsci/docker
fatal: could not create work tree dir 'docker'.: Permission denied

Well, we obviously don’t have permissions to write to the default workdir, let’s fix it using -w and a dir that is writable, for instance /tmp

$ docker run -ti --rm -u 1000 -w /tmp openjdk:8-jdk git clone https://github.com/jenkinsci/docker
Cloning into 'docker'...
remote: Counting objects: 1498, done.
remote: Total 1498 (delta 0), reused 0 (delta 0), pack-reused 1498
Receiving objects: 100% (1498/1498), 287.46 KiB | 0 bytes/s, done.
Resolving deltas: 100% (772/772), done.
Checking connectivity... done.
fatal: unable to look up current user in the passwd file: no such user

 

Git does not like being run as an user that does not exist, so we need to pick one of the existing users

$ docker run -ti --rm -u 1000 -w /tmp openjdk:8-jdk cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:108::/var/run/dbus:/bin/false

The user nobody:65534 could be a good candidate, and as it is present in the default debian and alpine Docker images it will be present also in most images in the hub.

$ docker run -ti --rm -u 65534 -w /tmp openjdk:8-jdk \
git clone https://github.com/jenkinsci/docker
Cloning into 'docker'...
remote: Counting objects: 1498, done.
remote: Total 1498 (delta 0), reused 0 (delta 0), pack-reused 1498
Receiving objects: 100% (1498/1498), 287.46 KiB | 0 bytes/s, done.
Resolving deltas: 100% (772/772), done.
Checking connectivity... done.

Ok, that worked! Now let’s try to run something else, like a maven build


$ docker run -ti --rm -u 65534 -w /tmp maven:3 \
bash -c "git clone https://github.com/jenkinsci/kubernetes-plugin.git && \
cd kubernetes-plugin && mvn package"
touch: cannot touch ‘/root/.m2/copy_reference_file.log’: Permission denied
Can not write to /root/.m2/copy_reference_file.log. Wrong volume permissions?

This means entering in the domain of each tool and checking how to configure it. The maven docker image instructs us to use MAVEN_CONFIG and pass -Duser.home otherwise we would get an error [ERROR] Could not create local repository at /nonexistent/.m2/repository -> [Help 1]

Here is the working solution


$ docker run -ti --rm -u 65534 -w /tmp -e MAVEN_CONFIG=/tmp maven:3 \
bash -c "git clone https://github.com/jenkinsci/kubernetes-plugin.git && \
cd kubernetes-plugin && mvn -Duser.home=/tmp package"

Can we generalize this a bit for other Java apps? yes! By using the env var _JAVA_OPTIONS we can pass the user.home property to any Java app.

$ docker run -ti --rm -u 65534 -w /tmp -e _JAVA_OPTIONS=-Duser.home=/tmp \
-e MAVEN_CONFIG=/tmp maven:3 \
bash -c "git clone https://github.com/jenkinsci/kubernetes-plugin.git && \
cd kubernetes-plugin && mvn package"

 

Jenkins Kubernetes Plugin 0.10 Released

The 0.10 release is mostly a bugfix release

Changelog for 0.10:

  • Fixing checkbox serialization by jelly views #110
  • Do not throw exceptions in the test configuration page #107
  • Upgrade to the latest kubernetes-client version. #106
  • feat: make pipeline support instanceCap field #102
  • Instantiating Kubernetes Client with proper config in Container Steps #104
  • Fix NPE when slaves are read from disk #103
  • [JENKINS-39867] Upgrade fabric8 to 1.4.26 #101
  • The pod watcher now checks readiness of the right pod. #97
  • Fix logic for waitUntilContainerIsReady #95
  • instanceCap is not used in pipeline #92
  • Allow nesting of templates for inheritance. #94
  • Wait until all containers are in ready state before starting the slave #93
  • Adding basic retention for idle slaves, using the idleTimeout setting properly #91
  • Improve the inheritFrom functionality to better cover containers and volumes. #84
  • Fix null pointer exceptions. #89
  • fix PvcVolume jelly templates path #90
  • Added tool installations to the pod template. #85
  • fix configmap volume name #87
  • set the serviceAccount when creating new pods #86
  • Read and connect timeout are now correctly used to configure the client. #82
  • Fix nodeSelector in podTemplate #83
  • Use the client’s namespace when deleting a pod (fixes a regression preventing pods to delete). #81

Next Week: DevOps Pro, Moscow and ApacheCON Europe, Seville

Next week is a busy one, will be speaking at DevOps Pro in Moscow then ApacheCON Europe in Seville. If you are around give me a shout!

And if you are organizing an event next year and are interested in me giving a talk, let me know.

From Monolith to Docker Distributed Applications

Docker is revolutionizing the way people think about applications and deployments. It provides a simple way to run and distribute Linux containers for a variety of use cases, from lightweight virtual machines to complex distributed micro-services architectures.

Containers allow to run services in isolation with a minimum performance penalty, increased speed, easier configuration and less complexity, making it ideal for continuous integration and continuous delivery based workloads. But migrating an existing application to a distributed micro-services architecture is no easy task, requiring a shift in the software development, networking and storage to accommodate the new architecture.

We will provide insight on our experience creating a Jenkins platform based on distributed Docker containers running on Apache Mesos and comparing other solutions as Kubernetes or Docker Swarm, applicable for all types of applications, but specially Java and JVM based nones.

CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos

As Continuous Integration and Continuous Delivery usage grows, the underlying infrastructure needs to grow too, scaling horizontally across multiple hosts and dynamically provisioned as needed.

Docker is revolutionizing the way people think about applications and deployments. Apache Mesos enables fault-tolerant distributed systems and allows managing a cluster of Linux servers as a single system, running Docker containers across multiple hosts, offering elasticity and machine abstractions.

By using Apache Mesos and Marathon, an Apache Mesos framework for long-running applications, the Jenkins Continuous Integration environment can be run at scale, dynamically.

Jenkins masters can be run on Docker containers distributed on Marathon, while the Jenkins Mesos and Docker plugins allow slaves and jobs to run in containers distributed across the multiple hosts, and isolating job execution.

 

Jenkins Kubernetes Plugin 0.9 Released

New features released in 0.9 include pipeline support and multiple containers per pod.

So now it is possible to define all the containers used in a job in your Jenkinsfile, for instance building a Maven project and a golang project in the same node without having to create any specific Docker image \o/

podTemplate(label: 'mypod', containers: [
    containerTemplate(name: 'maven', image: 'maven:3.3.9-jdk-8-alpine', ttyEnabled: true, command: 'cat'),
    containerTemplate(name: 'golang', image: 'golang:1.6.3-alpine', ttyEnabled: true, command: 'cat')
  ],
  volumes: [secretVolume(secretName: 'shared-secrets', mountPath: '/etc/shared-secrets')]) {

  node ('mypod') {
    stage 'Get a Maven project'
    git 'https://github.com/jenkinsci/kubernetes-plugin.git'
    container('maven') {
      stage 'Build a Maven project'
      sh 'mvn clean install'
    }

    stage 'Get a Golang project'
    git url: 'https://github.com/hashicorp/terraform.git'
    container('golang') {
      stage 'Build a Go project'
      sh """
      mkdir -p /go/src/github.com/hashicorp
      ln -s `pwd` /go/src/github.com/hashicorp/terraform
      cd /go/src/github.com/hashicorp/terraform && make core-dev
      """
    }

  }
}

Changelog:

  • Make it possible to define more than one container inside a pod.
  • Add new pod template step which allows defining / overriding a pod template from a pipeline script.
  • Introduce pipeline step that allows choosing one of the containers of the pod and have all ‘sh’ steps executed there.
  • allow setting dynamic pod volumes in pipelines
  • Add support for persistent volume claims
  • Add support for containerEnvVar’s in pipelines
  • [JENKINS-37087] Handle multiple labels per pod correctly
  • [JENKINS-37087] Iterate over all matching templates
  • Fix slave description and labels
  • [JENKINS-38829] Add help text for Kubernetes server certificate
  • #59: Allow blank namespace and reuse whatever is discovered by the client.
  • Ensure instanceCap defaults to unlimited
  • Add Jenkins computer name to the container env vars
  • Split arguments having quotes into account
  • Allow the user to enable pseudo-TTY on container level.
  • Use provided arguments without forcing jnlpmac and name into them. Provide placeholders for jnlpmac and name for the user to use. Fallback container uses as default arguments jnlpmac and name.
  • Split volume classes into their own package (#77)

 

Scaling Jenkins with Docker and Apache Mesos @ O’Reilly Media

I will be delivering this online course for O’Reilly media, October 18, 2016 7:00pm CEST

Scaling Jenkins with Docker and Apache Mesos

Continuous integration and continuous delivery at scale

Join Carlos Sanchez for a study in running Jenkins at scale. He’ll share his experience using Docker and Apache Mesos to create one of the biggest Jenkins clusters to date. You’ll drill down into the details with Carlos to get a better understanding of how Apache Mesos works. Together you’ll explore the challenges of running containerized and distributed applications (particularly JVM ones) through a real-world use case. By the end of this course, you’ll have a solid grounding in using these popular open source technologies for continuous integration and continuous delivery at scale.

What you’ll learn—and how you can apply it

By the end of this live, online course, you’ll understand:

  • How Apache Mesos works and how Docker containers are executed in a Mesos cluster
  • How Jenkins can use a Mesos cluster as a provider to provision build agents on demand
  • How Java applications behave inside a Docker container

And you’ll be able to:

  • Create a Apache Mesos cluster for local development using Docker Compose
  • Create Jenkins jobs that are executed dynamically based on demand
  • Use Jenkins Pipelines to execute jobs in one or more Docker containers

This course is for you because…

  • You’re a build/release engineer or are interested in deploying Docker at scale
  • You work with Jenkins or other Java applications
  • You want to become a Docker expert!

JavaOne: From Monolith to Docker Distributed Applications

I’ll be speaking again this year at JavaOne: From Monolith to Docker Distributed Applications, sharing our experience running the Jenkins platform on Docker containers using Apache Mesos.

You can also find me in the CloudBees booth in the exhibitors area.

Docker is revolutionizing the way people think about applications and deployments. It provides a simple way to run and distribute Linux containers for a variety of use cases, from lightweight virtual machines to complex distributed microservice architectures.

But migrating an existing Java application to a distributed microservice architecture is no easy task, requiring a shift in the software development, networking, and storage to accommodate the new architecture.

This presentation provides insights into the experience of the speaker and his colleagues in creating a Jenkins platform based on distributed Docker containers running on Apache Mesos and Marathon and applicable to all types of applications, especially Java- and JVM-based ones.

Jenkins World 2016

Jenkins World will take place again this year (September 13-15) in Santa Clara, CA, and I will be speaking again about my experience with Jenkins and Docker in my session Scaling Jenkins with Docker: Swarm, Kubernetes or Mesos?

To register, go to https://www.jenkinsworld.com and enter in code JWCSANCHEZ for a 20% discount.

This year in Jenkins World:

  • 50+ sessions from organizations such as: Electronic Arts, FINRA, GerritForge, Google, NPR, Riot Games, Shutterfly, Splunk and Verizon.
  • Keynotes from Kohsuke Kawaguchi, Sacha Labourey and Gary Gruver.
  • Free Jenkins and CloudBees Jenkins Platform certification exams.
  • Networking with the LARGEST gathering of Jenkins users in the world.