Is it possible to allow jenkins to access the files that only root or some specific programs have access to?
As bcolfer said, you should be able to just run your shell commands with "sudo" in front of it. You will want to be sure that the user that started the Jenkins slave is a sudoer.
As root, run "visudo", this will open the /etc/sudoers file. At the bottom add a line similar to this if it is not a current sudoer:
jenkins ALL=(ALL) NOPASSWD: ALL
"Jenkins" being the user that started the slave.
OR
You could try adding the user to the group that owns that directory. IF you run "ls -l" you should be able to see the permissions and then the user, and the group that owns the directory. Once you know the group, as root run:
usermod -a -G group Jenkins
"Jenkins" being the user that started the slave, and "group" being the actual group name.
Run shell command in jenkins as root user?
You need to modify the permission for jenkins
user so that you can run the shell commands.
You can install the jenkins as as service (download the rpm package), You might need to change the ports because by default it runs http on 8080 and AJP on 8009 port.
Following process is for CentOS
1. Open up the this script (using VIM or other editor):
vim /etc/sysconfig/jenkins
2. Find this $JENKINS_USER
and change to “root”:
$JENKINS_USER="root"
3. Then change the ownership of Jenkins home, webroot and logs:
chown -R root:root /var/lib/jenkins
chown -R root:root /var/cache/jenkins
chown -R root:root /var/log/jenkins
4) Restart Jenkins and check the user has been changed:
service jenkins restart
ps -ef | grep jenkins
Now you should be able to run the Jenkins jobs as the root user and all the shell command will be executed as root
.
how to execute a command as root in jenkins
I assume that you already added Jenkins in sudo
user group, if not then add this jenkins ALL=(ALL) NOPASSWD: ALL
or
Is it possible to allow jenkins to access the files that only root or some specific programs have access to?
sudo su
will not work because Jenkins run the command as a script, you have to option
- inline sudo user command
- create script and then run with
sudo user
sudo su - root -c 'whoami'
or save your command to bash script, then run with sudo
.
sudo /path_to_command.sh
How to run a script as root in Jenkins?
You must run the script using sudo
:
sudo /path/to/script
But before you must allow jenkins
to run the script in /etc/sudoers
.
jenkins ALL = NOPASSWD: /path/to/script
Jenkins sudo: no tty present and no askpass program specified with NOPASSWD
I've tested the solution described by @Jayan in the comments of the question. You must include the new line at the end of the file:
Solution: https://stackoverflow.com/a/24648413/54506
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
jenkins ALL=(ALL) NOPASSWD: ALL
Is there a way to prevent a project from not having access to another project files in Jenkins CI?
1) The slave account does not have to be root or administrator. It only needs full access to the folder you give in the "Remote FS root" field of the slave configuration.
2) Yes it does. Each project folder is owned by the user that is used to run the slave. You can access other project folders using relative paths: $WORKSPACE/../OTHER_PROJECT/. I'm not sure if there is a default way to prevent this. However, you have two options:
- Delete the workspace after your build (use plugin Workspace Cleanup Plugin)
- Create a separate slave/user combination for each project - the slave can be the same, but you'd have to create a separate user for each project.
3) Formatting a disk completely would require privileged access. You should not give your slave user those rights. I'm not sure whether your slave is Unix or Windows based, but either way, you should be able to prevent your user from being allowed to do any such task. Like stated in A1, the slave user only needs enough access to be able to read/write/execute in its "Remote FS root" folder.
Just out of curiosity - what OS are you running on your slave?
How to set specific workspace folder for jenkins multibranch pipeline projects
the ws
instruction sets the workspace for the commands inside it. for declarative pipelines, it's like this:
ws("C:\jenkins") {
echo "awesome commands here instead of echo"
}
You can also call a script to build the customWorkspace to use:
# if the current branch is master, this helpfully sets your workspace to /tmp/ma
partOfBranch = sh(returnStdout: true, script: 'echo $BRANCH_NAME | sed -e "s/ster//g"')
path = "/tmp/${partOfBranch}"
sh "mkdir ${path}"
ws(path) {
sh "pwd"
}
you can also set it globally by using the agent
block (generally at the top of the pipeline
block), by applying it to a node
at that level:
pipeline {
agent {
node {
label 'my-defined-label'
customWorkspace '/some/other/path'
}
}
stages {
stage('Example Build') {
steps {
sh 'mvn -B clean verify'
}
}
}
}
Another node
instruction later on might override it. Search for customWorkspace
at https://jenkins.io/doc/book/pipeline/syntax/. You can also it use it with the docker
and dockerfile
instructions.
Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
If using jenkins
The user jenkins
needs to be added to the group docker
:
sudo usermod -a -G docker jenkins
Then restart Jenkins.
Otherwise
If you arrive to this question of stack overflow because you receive this message from docker, but you don't use jenkins, most probably the error is the same: your unprivileged user does not belong to the docker group.
You can do:
sudo usermod -a -G docker [user]
Insert your user name where [user]
is.
You can check it was successful by doing grep docker /etc/group
and see something like this:
docker:x:998:[user]
in one of the lines.
Then change your users group ID to docker
(to avoid having to log out and log in again):
newgrp docker
Related Topics
Any Good Guides on Using Ptrace_Sysemu
Finding Threading Bottlenecks and Optimizing for Wall-Time with Perf
Is Swarm Required for Using Multi-Host Networking Feature Using Overlay in Docker
Eclipse Doesn't Use The Path Set in .Bashrc
Linux: Checking If a Socket/Pipe Is Broken Without Doing a Read()/Write()
Automatically Sync Two Amazon S3 Buckets, Besides S3Cmd
How to Send Esc/Pos Commands to Thermal Printer in Linux
Linux of Equivalent Cryptprotectmemory
Execute a Script After Every Git Push
Killing Process in Shell Script
How to Specify Which Version of Perl to Use on Centos
How Is a Memory Barrier in Linux Kernel Is Used
What Is The Linux Equivalent to Msvc++'s Option /D1Reportsingleclasslayout
How to Translate X11 Keycode Back to Scancode or Hid Usage Id Reliably
Busybox in Embedded Linux Shows "Applet Not Found"