infra-issues mailing list archives

From "Joan Touzet (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-14665) Jenkins+Docker fails to run correctly where apparmor is activated
Date Sun, 07 Oct 2018 02:53:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-14665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16640956#comment-16640956 ]

Joan Touzet commented on INFRA-14665:
-------------------------------------

@pono I haven't seen this pop up in a long while. 

We indeed did move to using uid/gid 910 (see https://github.com/apache/couchdb-ci/blob/master/dockerfiles/debian-jessie#L31-L33 for example) and all of our permissions issues have cleared up as a result.

Feel free to close it; if it comes up again, we can re-open it.

> Jenkins+Docker fails to run correctly where apparmor is activated
> -----------------------------------------------------------------
>
>                 Key: INFRA-14665
>                 URL: https://issues.apache.org/jira/browse/INFRA-14665
>             Project: Infrastructure
>          Issue Type: Bug
>          Components: Jenkins
>            Reporter: Joan Touzet
>            Assignee: Chris Lambertus
>            Priority: Major
>
> Tonight, [~pono] and I did some debugging on our CouchDB Jenkins build process (which uses Docker). I'm trying to remove the use of root in the build process.
> However we are finding that some of the hosts have apparmor profiles loaded for Docker, and the machines that have the apparmor profiles loaded fail to allow the Docker container to write to the mounted workspace volume at all with errors such as:
> sh: /home/jenkins/jenkins-slave/workspace/CouchDB_jenkins-autobuild-packages-2XT2WVDPBDMWA4OCV4QOF7OEZ3B3PI3YNWGUHX5UFB3JFM6766JQ@2@tmp/durable-400ea8b1/pid: Permission denied
> On the affected hosts, the logs show:
> 11 processes are in enforce mode.
>    /sbin/dhclient (787)
>    /usr/sbin/ntpd (22987)
>    docker-default (20975)
>    docker-default (21076)
>    docker-default (21081)
>    docker-default (21083)
>    docker-default (21748)
>    docker-default (24429)
>    docker-default (24430)
>    docker-default (24501)
>    docker-default (24562)
> and in syslog:
> Jul 21 05:18:52 jenkins-ubuntu2 kernel: [13420878.931210] aufs au_opts_verify:1612:dockerd[1181]: dirperm1 breaks the protection by the permission bits on the lower branch
> The profile appears to be enabled only on the hosts ubuntu-{us1,eu2}.
> Please disable the profile on these hosts, or provide another way to ensure that Dockerised builds can run on 'ubuntu' labelled hosts without running afoul of the apparmor profile (and without having to run as root.)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
