How to Allow Jenkins to Access The Files That Only Root or Some Specific Programs Have Access To

Is it possible to allow jenkins to access the files that only root or some specific programs have access to?

As bcolfer said, you should be able to just run your shell commands with "sudo" in front of it. You will want to be sure that the user that started the Jenkins slave is a sudoer.

As root, run "visudo", this will open the /etc/sudoers file. At the bottom add a line similar to this if it is not a current sudoer:

jenkins        ALL=(ALL)       NOPASSWD: ALL

"Jenkins" being the user that started the slave.

OR

You could try adding the user to the group that owns that directory. IF you run "ls -l" you should be able to see the permissions and then the user, and the group that owns the directory. Once you know the group, as root run:

usermod -a -G group Jenkins

"Jenkins" being the user that started the slave, and "group" being the actual group name.

Run shell command in jenkins as root user?

You need to modify the permission for jenkins user so that you can run the shell commands.
You can install the jenkins as as service (download the rpm package), You might need to change the ports because by default it runs http on 8080 and AJP on 8009 port.

Following process is for CentOS
1. Open up the this script (using VIM or other editor):

vim /etc/sysconfig/jenkins

2. Find this $JENKINS_USER and change to “root”:

$JENKINS_USER="root"

3. Then change the ownership of Jenkins home, webroot and logs:

chown -R root:root /var/lib/jenkins
chown -R root:root /var/cache/jenkins
chown -R root:root /var/log/jenkins

4) Restart Jenkins and check the user has been changed:

service jenkins restart
ps -ef | grep jenkins

Now you should be able to run the Jenkins jobs as the root user and all the shell command will be executed as root.

how to execute a command as root in jenkins

I assume that you already added Jenkins in sudo user group, if not then add this jenkins ALL=(ALL) NOPASSWD: ALL or

Is it possible to allow jenkins to access the files that only root or some specific programs have access to?

sudo su will not work because Jenkins run the command as a script, you have to option

• inline sudo user command
• create script and then run with sudo user

sudo su - root -c 'whoami'

or save your command to bash script, then run with sudo.

sudo /path_to_command.sh

How to run a script as root in Jenkins?

You must run the script using sudo:

sudo /path/to/script

But before you must allow jenkins to run the script in /etc/sudoers.

jenkins    ALL = NOPASSWD: /path/to/script

Jenkins sudo: no tty present and no askpass program specified with NOPASSWD

I've tested the solution described by @Jayan in the comments of the question. You must include the new line at the end of the file:

Solution: https://stackoverflow.com/a/24648413/54506

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
jenkins ALL=(ALL) NOPASSWD: ALL

Is there a way to prevent a project from not having access to another project files in Jenkins CI?

1) The slave account does not have to be root or administrator. It only needs full access to the folder you give in the "Remote FS root" field of the slave configuration.

2) Yes it does. Each project folder is owned by the user that is used to run the slave. You can access other project folders using relative paths: $WORKSPACE/../OTHER_PROJECT/. I'm not sure if there is a default way to prevent this. However, you have two options:

• Delete the workspace after your build (use plugin Workspace Cleanup Plugin)
• Create a separate slave/user combination for each project - the slave can be the same, but you'd have to create a separate user for each project.

3) Formatting a disk completely would require privileged access. You should not give your slave user those rights. I'm not sure whether your slave is Unix or Windows based, but either way, you should be able to prevent your user from being allowed to do any such task. Like stated in A1, the slave user only needs enough access to be able to read/write/execute in its "Remote FS root" folder.

Just out of curiosity - what OS are you running on your slave?

How to set specific workspace folder for jenkins multibranch pipeline projects

the ws instruction sets the workspace for the commands inside it. for declarative pipelines, it's like this:

ws("C:\jenkins") {
  echo "awesome commands here instead of echo"
}

You can also call a script to build the customWorkspace to use:

# if the current branch is master, this helpfully sets your workspace to /tmp/ma
partOfBranch = sh(returnStdout: true, script: 'echo $BRANCH_NAME | sed -e "s/ster//g"')
path = "/tmp/${partOfBranch}"
sh "mkdir ${path}"
ws(path) {
  sh "pwd"
}

you can also set it globally by using the agent block (generally at the top of the pipeline block), by applying it to a node at that level:

pipeline {
  agent {
    node {
      label 'my-defined-label'
      customWorkspace '/some/other/path'
    }
  }
  stages {
    stage('Example Build') {
      steps {
        sh 'mvn -B clean verify'
      }
    }
  }
}

Another node instruction later on might override it. Search for customWorkspace at https://jenkins.io/doc/book/pipeline/syntax/. You can also it use it with the docker and dockerfile instructions.

Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock

If using jenkins

The user jenkins needs to be added to the group docker:

sudo usermod -a -G docker jenkins

Then restart Jenkins.

Otherwise

If you arrive to this question of stack overflow because you receive this message from docker, but you don't use jenkins, most probably the error is the same: your unprivileged user does not belong to the docker group.

You can do:

sudo usermod -a -G docker [user]

Insert your user name where [user] is.

You can check it was successful by doing grep docker /etc/group and see something like this:

docker:x:998:[user]

in one of the lines.

Then change your users group ID to docker (to avoid having to log out and log in again):

newgrp docker

---

Related Topics