infra-issues mailing list archives

From "Gavin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-14665) Jenkins+Docker fails to run correctly where apparmor is activated
Date Mon, 19 Feb 2018 05:59:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-14665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16368812#comment-16368812 ]

Gavin commented on INFRA-14665:
-------------------------------

Any more progress on this?

> Jenkins+Docker fails to run correctly where apparmor is activated
> -----------------------------------------------------------------
>
>                 Key: INFRA-14665
>                 URL: https://issues.apache.org/jira/browse/INFRA-14665
>             Project: Infrastructure
>          Issue Type: Bug
>          Components: Jenkins
>            Reporter: Joan Touzet
>            Assignee: Daniel Takamori
>            Priority: Major
>
> Tonight, [~pono] and I did some debugging on our CouchDB Jenkins build process (which uses Docker). I'm trying to remove the use of root in the build process.
> However we are finding that some of the hosts have apparmor profiles loaded for Docker, and the machines that have the apparmor profiles loaded fail to allow the Docker container to write to the mounted workspace volume at all with errors such as:
> sh: /home/jenkins/jenkins-slave/workspace/CouchDB_jenkins-autobuild-packages-2XT2WVDPBDMWA4OCV4QOF7OEZ3B3PI3YNWGUHX5UFB3JFM6766JQ@2@tmp/durable-400ea8b1/pid: Permission denied
> On the affected hosts, the logs show:
> 11 processes are in enforce mode.
>    /sbin/dhclient (787)
>    /usr/sbin/ntpd (22987)
>    docker-default (20975)
>    docker-default (21076)
>    docker-default (21081)
>    docker-default (21083)
>    docker-default (21748)
>    docker-default (24429)
>    docker-default (24430)
>    docker-default (24501)
>    docker-default (24562)
> and in syslog:
> Jul 21 05:18:52 jenkins-ubuntu2 kernel: [13420878.931210] aufs au_opts_verify:1612:dockerd[1181]: dirperm1 breaks the protection by the permission bits on the lower branch
> The profile appears to be enabled only on the hosts ubuntu-{us1,eu2}.
> Please disable the profile on these hosts, or provide another way to ensure that Dockerised builds can run on 'ubuntu' labelled hosts without running afoul of the apparmor profile (and without having to run as root.)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
