odavid / jenkins-jnlp-slave Goto Github PK

A JNLP Slave that enables docker build and fixes volume permissions on startup

License: MIT License

Shell 60.52% Dockerfile 28.23% Makefile 11.25%

jenkins jnlp docker

jenkins-jnlp-slave's Introduction

Jenkins JNLP Agent Docker image

This image is based on https://github.com/jenkinsci/docker-inbound-agent image and fixes permissions issues with volumes created by docker. The image also contains docker binary and able to mount /var/run/docker.sock to enable the slave to run docker commands on the slave. The default tag of the image is based on alpine and installs also glibc to enable Oracle JDK installations. (see gliderlabs/docker-alpine#11)

The immage support running docker commands in slave in 2 different modes:

By mounting the host's /var/run/docker.sock inside the slave.
- docker commands are running on the host's docker daemon.
- Containers and images built by the slave are not cleaned up.
- Cannot mount volumes from the slave's workspace - i.e hard to use docker-compose
By using Docker Inside Docker - requires privileged container and passing DIND=true variable.
- docker commands are running within the slave's docker daemon.
- Containers and images built by the slave are cleaned up directly after slave finishes the build.
- Ability to mount volumes from the slave's workspace - native usage of docker-compose

Environment Variables

Name	Description
`DIND`	If `true`, then the slave will run docker inside docker - Requires `privileged` container

For other environment variables, see https://github.com/jenkinsci/docker-inbound-agent

Releases

Docker Images are pushed to Docker Hub

Each release is a git tag v$UPSTREAM_VERSION-$INCREMENT where:

UPSRTEAM_VERSION is the docker-inbound-agent version
INCREMENT is a number representing that representing the release contents (i.e docker version, bugs, etc...)

For each git tag, there following tags will be created:

$UPSRTEAM_VERSION-$INCREMENT - one to one releationship with git tag
$UPSRTEAM_VERSION - latest release for that UPSRTEAM_VERSION version

The following distributions are supported:

alpine (also the default)
debian
jdk11
jdk17

jenkins-jnlp-slave's People

Contributors

Stargazers

Watchers

jenkins-jnlp-slave's Issues

It would be good to support kubectl

I tried to use this image and download kubectl by myself, however, I can't install kubectl. After I download the binary, I faced 'no permission' error when I want to move the downloaded binary to /usr/bin/ folder

Use Docker 19.03 to access GPUs

Hey there,

I already used your jenkins-jnlp-slave successfully within a docker swarm. That's awesome! But now i want to go a step forward and use it with a container requesting GPU resources.

Docker 19.03 offers a new argument for that
--gpus all
see access-an-nvidia-gpu

Therefore it would be nice upgrading to the latest docker version and if needed also install nvidia-docker

Thank you very much!

Greets Fabi

JDK 17 support

Is it possible to add JDK 17 support?

Maybe add this to Makefile:

build-jdk17:
	docker build --rm --force-rm -t odavid/jenkins-jnlp-slave:jdk17 $(DEFAULT_BUILD_ARGS) --build-arg=FROM_TAG=$(UPSTREAM_VERSION)-jdk17 .

And other changes for cicd and release/publish. Thanks.

"latest" tag is not versioned.

The last changes are only available as part of "latest" tag.
Could you, please, release a versioned tag for it?

docker build fail

Removing intermediate container 1ad07e89244c
---> 215c07096e75
Step 15/25 : RUN if [ -f /etc/alpine-release ] ; then cd /tmp && ALPINE_GLIBC_BASE_PACKAGE_FILENAME="glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && ALPINE_GLIBC_BIN_PACKAGE_FILENAME="glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && ALPINE_GLIBC_I18N_PACKAGE_FILENAME="glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && apk add --no-cache --virtual=.build-dependencies wget curl ca-certificates binutils gnupg && echo "-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApZ2u1KJKUu/fW4A25y9m y70AGEa/J3Wi5ibNVGNn1gT1r0VfgeWd0pUybS4UmcHdiNzxJPgoWQhV2SSW1JYu tOqKZF5QSN6X937PTUpNBjUvLtTQ1ve1fp39uf/lEXPpFpOPL88LKnDBgbh7wkCp m2KzLVGChf83MS0ShL6G9EQIAUxLm99VpgRjwqTQ/KfzGtpke1wqws4au0Ab4qPY KXvMLSPLUp7cfulWvhmZSegr5AdhNw5KNizPqCJT8ZrGvgHypXyiFvvAH5YRtSsc Zvo9GI2e2MaZyo9/lvb+LbLEJZKEQckqRj4P26gmASrZEPStwc+yqy1ShHLA0j6m 1QIDAQAB -----END PUBLIC KEY-----" | sed 's/ /\n/g' > "/etc/apk/keys/sgerrand.rsa.pub" && wget -q "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && apk add --no-cache "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && rm "/etc/apk/keys/sgerrand.rsa.pub" && wget -q ${GCC_LIBS_URL} ${GCC_LIBS_URL}.sig && mkdir /tmp/gcc && tar -xf "${GCC_LIBS}" -C /tmp/gcc && mv /tmp/gcc/usr/lib/libgcc /tmp/gcc/usr/lib/libstdc++* /usr/glibc-compat/lib && strip /usr/glibc-compat/lib/libgcc_s.so.* /usr/glibc-compat/lib/libstdc++.so* && mkdir /tmp/libz && wget -q "${ZLIB_URL}" "${ZLIB_URL}.sig" && tar -xf "${ZLIB}" -C /tmp/libz && mv /tmp/libz/usr/lib/libz.so* /usr/glibc-compat/lib && /usr/glibc-compat/bin/localedef -i en_US -f UTF-8 en_US.UTF-8 && echo "export LANG=en_US.UTF-8" > /etc/profile.d/locale.sh && apk del glibc-i18n && apk del .build-dependencies && rm "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && rm -rf /tmp/${GLIBC_VER}.apk /tmp/gcc /tmp/${ZLIB} /tmp/libz /tmp/${GCC_LIBS} /var/cache/apk/* ; elif [ -f /etc/debian_version ] ; then echo "Debian, setting locales" && apt-get update && apt-get install -y --no-install-recommends locales && localedef -i en_US -f UTF-8 en_US.UTF-8 && rm -rf /var/lib/apt/lists/* ; fi
---> Running in bf09921bc4a5
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/19) Installing wget (1.20.3-r0)
(2/19) Installing curl (7.64.0-r3)
(3/19) Installing binutils (2.31.1-r2)
(4/19) Installing libgpg-error (1.33-r0)
(5/19) Installing libassuan (2.5.1-r0)
(6/19) Installing libcap (2.26-r0)
(7/19) Installing pinentry (1.1.0-r0)
Executing pinentry-1.1.0-r0.post-install
(8/19) Installing libgcrypt (1.8.4-r1)
(9/19) Installing gmp (6.1.2-r1)
(10/19) Installing nettle (3.4.1-r0)
(11/19) Installing libunistring (0.9.10-r0)
(12/19) Installing gnutls (3.6.7-r0)
(13/19) Installing libksba (1.3.5-r0)
(14/19) Installing db (5.3.28-r1)
(15/19) Installing libsasl (2.1.27-r1)
(16/19) Installing libldap (2.4.48-r0)
(17/19) Installing npth (1.6-r0)
(18/19) Installing gnupg (2.2.12-r0)
(19/19) Installing .build-dependencies (0)
Executing busybox-1.29.3-r10.trigger
OK: 165 MiB in 92 packages
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
(1/3) Installing glibc (2.29-r0)
(2/3) Installing glibc-bin (2.29-r0)
(3/3) Installing glibc-i18n (2.29-r0)
Executing glibc-bin-2.29-r0.trigger
OK: 197 MiB in 95 packages
The command '/bin/sh -c if [ -f /etc/alpine-release ] ; then cd /tmp && ALPINE_GLIBC_BASE_PACKAGE_FILENAME="glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && ALPINE_GLIBC_BIN_PACKAGE_FILENAME="glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && ALPINE_GLIBC_I18N_PACKAGE_FILENAME="glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && apk add --no-cache --virtual=.build-dependencies wget curl ca-certificates binutils gnupg && echo "-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApZ2u1KJKUu/fW4A25y9m y70AGEa/J3Wi5ibNVGNn1gT1r0VfgeWd0pUybS4UmcHdiNzxJPgoWQhV2SSW1JYu tOqKZF5QSN6X937PTUpNBjUvLtTQ1ve1fp39uf/lEXPpFpOPL88LKnDBgbh7wkCp m2KzLVGChf83MS0ShL6G9EQIAUxLm99VpgRjwqTQ/KfzGtpke1wqws4au0Ab4qPY KXvMLSPLUp7cfulWvhmZSegr5AdhNw5KNizPqCJT8ZrGvgHypXyiFvvAH5YRtSsc Zvo9GI2e2MaZyo9/lvb+LbLEJZKEQckqRj4P26gmASrZEPStwc+yqy1ShHLA0j6m 1QIDAQAB -----END PUBLIC KEY-----" | sed 's/ /\n/g' > "/etc/apk/keys/sgerrand.rsa.pub" && wget -q "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && apk add --no-cache "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && rm "/etc/apk/keys/sgerrand.rsa.pub" && wget -q ${GCC_LIBS_URL} ${GCC_LIBS_URL}.sig && mkdir /tmp/gcc && tar -xf "${GCC_LIBS}" -C /tmp/gcc && mv /tmp/gcc/usr/lib/libgcc /tmp/gcc/usr/lib/libstdc++* /usr/glibc-compat/lib && strip /usr/glibc-compat/lib/libgcc_s.so.* /usr/glibc-compat/lib/libstdc++.so* && mkdir /tmp/libz && wget -q "${ZLIB_URL}" "${ZLIB_URL}.sig" && tar -xf "${ZLIB}" -C /tmp/libz && mv /tmp/libz/usr/lib/libz.so* /usr/glibc-compat/lib && /usr/glibc-compat/bin/localedef -i en_US -f UTF-8 en_US.UTF-8 && echo "export LANG=en_US.UTF-8" > /etc/profile.d/locale.sh && apk del glibc-i18n && apk del .build-dependencies && rm "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && rm -rf /tmp/${GLIBC_VER}.apk /tmp/gcc /tmp/${ZLIB} /tmp/libz /tmp/${GCC_LIBS} /var/cache/apk/* ; elif [ -f /etc/debian_version ] ; then echo "Debian, setting locales" && apt-get update && apt-get install -y --no-install-recommends locales && localedef -i en_US -f UTF-8 en_US.UTF-8 && rm -rf /var/lib/apt/lists/* ; fi' returned a non-zero code: 4
[root@crowd jenkins-jnlp-slave]#

about k8s

Hope to increase support for Kubectl related tools

[container failure]: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hi,

I am getting this certificate error in the container while using the image in the Jenkins Docker Plugin and trying to spin up dynamic agents on my docker host:
------snippet from container log----
Feb 01, 2021 12:53:36 PM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: docker-231ef6b300bc71
Feb 01, 2021 12:53:36 PM hudson.remoting.jnlp.Main$CuiListener
INFO: Jenkins agent is running in headless mode.
Feb 01, 2021 12:53:36 PM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 4.6
Feb 01, 2021 12:53:36 PM hudson.remoting.Engine startEngine
WARNING: No Working Directory. Using the legacy JAR Cache location: /home/jenkins/.jenkins/cache/jars
Feb 01, 2021 12:53:36 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Locating server among [https://<--name-deleted-->.com/]
Feb 01, 2021 12:53:36 PM hudson.remoting.jnlp.Main$CuiListener error
SEVERE: Failed to connect to https://<--name-deleted-->.com/tcpSlaveAgentListener/: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.io.IOException: Failed to connect to https://<--name-deleted-->.com/tcpSlaveAgentListener/: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:214)
at hudson.remoting.Engine.innerRun(Engine.java:689)
at hudson.remoting.Engine.run(Engine.java:514)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:350)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:293)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:288)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:211)
... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 23 more
--------end of container log ---------

I have the jenkins master(separate server) cert already imported on the Docker Host where this jenkins jnlp container is been spun up.

Also, please see the configuration of Docker Plugin in Jenkins:

Please let me know how can I fix the certificate issue as the docker jnlp container are failing to work with this configuration.

Any help in this matter is greatly appreciated, Thanks in advance!

Adding Helm into slave

Hello David,

im already running your Bloody Jenkins on an AWS EKS, which was set up with Ansible & Helm. Until now i have only Maven running on the slave, and im trying to add Helm into it, so i can use Helm in my Jenkinsfile. This is how it looks like:

After i added the helm part ive got

/durable-c2e6cd71/script.sh: line 1: helm: not found

Maybe you can help me.

Greetings,

Alexej

resource limits for slave

Hi David,

I would like to limit the resources for the slave pods. Tried out several configurations, but could configure limits only for additional containers on the slave pod (helm&maven)

clouds:
    aws-eks-kubernetes-cloud:
      type: kubernetes
      namespace: jenkins
      templates:
        - name: jenkins-slave-generic
          image: odavid/jenkins-jnlp-slave:3.35-4-18
          resources:
            requests:
              cpu: 500m
              memory: 500Mi
            limits:
              cpu: 1000m
              memory: 1000Mi
          labels:
            - generic
          remoteFs: /home/jenkins
          jvmArgs: -Xmx2g
          nodeUsageMode: EXCLUSIVE
          privileged: true
          environment:
            DIND: "true"
          yaml: |-
            spec:
              containers:
                - name: maven
                  image: maven:3.6-jdk-8
                  command: ['cat']
                  tty: true
                  resources:
                    requests:
                      cpu: 500m
                      memory: 500Mi
                    limits:
                      cpu: 1000m
                      memory: 1000Mi                  
                - name: helm
                  image: 353316148132.dkr.ecr.eu-central-1.amazonaws.com/ibeo/ci-cd-helper:latest
                  command: ['cat']
                  tty: true
                  resources:
                    requests:
                      cpu: 50m
                      memory: 250Mi
                    limits:
                      cpu: 100m
                      memory: 500Mi

Greetings,
Alexej

readme update to prevent docker.sock permission error

From the readme.md, I understood that adding a volume for the docker socket file to the container as below would allow docker to start within the container. I keep getting permission denied errors accessing the docker.sock.

Is there a step that could be clarified on the readme?

I've tried with both the command line mount and with a Dockerfile.

Jenkins user is in the docker group

bash-5.1$ egrep docker /etc/group
docker:x:0:jenkins

% docker run -it -v /var/run/docker.sock:/var/run/docker.sock  odavid-jnlp-slave bash
bash-5.1$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied.

Dockerfile

FROM odavid/jenkins-jnlp-slave
VOLUME [ "/var/run/docker.sock" ]

run dockerfile

% docker run -it odavid-jnlp-slave bash

socket permission error

bash-5.1$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied.