我怎样才能创build一个jenkins泊坞窗图像使用jenkins用户提供的SSH密钥?

虽然我创build了一个基于官方Jenkins Docker的图像,并将.ssh目录复制到jenkins用户的家( /var/jenkins_home ),但是/var/jenkins_home/.ssh所有者变成了root ,这使得我无法使用jenkins用户打开ssh会话。 在Dockerfile中使用RUN chown -R 1000:1000 /var/jenkins_home/.ssh不起作用。

而且,在创build图像时复制的文件的权限默认为644 。 但是,要打开ssh会话,/ /var/jenkins_home/.ssh/id_rsa权限必须是600

我如何从jenkins用户提供的ssh密钥官方Jenkins Docker镜像创build镜像?

我发现了一点点复杂但更通用的方法来实现这一点。 新解决scheme需要;

  • ssh-agentcredentialsssh-credentials插件
  • 创buildDocker镜像时的插件安装( 安装更多工具 – 预安装插件 )
  • 通过执行后期初始化脚本在启动时configurationJenkins。

这里的主要思想是将ssh密钥复制到JENKINS_HOME以外的目录中,通过使用后期初始化脚本并使用ssh-agent插件将它们添加到Jenkins的凭证中。

我已经将必要的设置和说明上传到GitHub: https : //github.com/kumlali/stackoverflow_answers/tree/master/docker_jenkins_ssh_keys/answer2

官方Jenkins Docker镜像定义Jenkins主目录( /var/jenkins_home )为VOLUME ,它可以防止RUN chown -R 1000:1000 /var/jenkins_home/...生效:

 $ touch test.txt $ vi Dockerfile --- Dockerfile --- FROM jenkins:2.32.3 COPY test.txt /tmp COPY test.txt /var/jenkins_home/test.txt USER root RUN chown 1000:1000 /tmp/test.txt RUN chown 1000:1000 /var/jenkins_home/test.txt USER jenkins --- Dockerfile --- $ docker build -t myjenkins . ... $ docker run -it myjenkins /bin/bash jenkins@750f43b7e9ec:/$ ls -all /var/jenkins_home/test.txt -rw-r--r-- 1 root root 0 Mar 24 06:54 /var/jenkins_home/test.txt jenkins@750f43b7e9ec:/$ ls -all /tmp/test.txt -rw-r--r-- 1 jenkins jenkins 0 Mar 24 06:54 /tmp/test.txt 

官方Jenkins Docker有一个解决scheme:将目录和文件复制到jenkins用户的家中/usr/share/jenkins/ref/ 。 当jenkins容器启动时,它会检查/var/jenkins_home是否有这个参考内容,并在需要的时候复制它们。 (请参阅Installing more tools 官方Jenkins Docker文档的 Installing more tools )。

 $ touch test.txt $ vi Dockerfile --- Dockerfile --- FROM jenkins:2.32.3 COPY test.txt /usr/share/jenkins/ref/test.txt --- Dockerfile --- $ docker build -t myjenkins . ... $ docker run -it myjenkins /bin/bash jenkins@1e9520a92f8e:/$ ls -all /var/jenkins_home/test.txt -rw-r--r-- 1 jenkins jenkins 0 Mar 24 08:21 /var/jenkins_home/test.txt 

现在我们需要将文件的权限设置为600

 $ touch test.txt $ vi Dockerfile --- Dockerfile --- FROM jenkins:2.32.3 COPY test.txt /usr/share/jenkins/ref/test.txt USER root RUN chmod 600 /usr/share/jenkins/ref/test.txt USER jenkins --- Dockerfile --- $ docker build -t myjenkins . ... $ docker run -it myjenkins /bin/bash cp: cannot open '/usr/share/jenkins/ref/test.txt' for reading: Permission denied 

奇怪! Jenkins的初始化脚本jenkins.sh引发了这个错误。 Jenkins容器启动时脚本运行。 我们在这里可以做的是在容器启动时更改文件权限,而不是在Dockerfile中更改它。 然后,我们需要一个入口脚本,将文件复制到/var/jenkins_home ,更改权限,最后一步调用jenkins.sh 。 我创build了基于https://github.com/openfrontier/docker-jenkins/blob/master/entrypoint.sh的 entrypoint.sh

 $ touch test.txt $ vi entrypoint.sh --- enrypoint.sh --- #! /bin/bash -e cp /usr/share/jenkins/ref/test.txt /var/jenkins_home chmod 600 /var/jenkins_home/test.txt echo "start JENKINS" # if 'docker run' first argument start with '--' the user is passing jenkins launcher arguments if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then exec /bin/tini -- /usr/local/bin/jenkins.sh "$@" fi exec "$@" --- enrypoint.sh --- $ vi Dockerfile --- Dockerfile --- FROM jenkins:2.32.3 COPY test.txt /usr/share/jenkins/ref/test.txt COPY entrypoint.sh /entrypoint.sh USER root RUN chown 1000:1000 /entrypoint.sh \ && chmod +x /entrypoint.sh USER jenkins ENTRYPOINT ["/entrypoint.sh"] --- Dockerfile --- $ docker build -t myjenkins . ... $ docker run -it myjenkins /bin/bash start JENKINS jenkins@770ba9099cb4:/$ ls -all /var/jenkins_home/test.txt -rw------- 1 jenkins jenkins 0 Mar 24 10:36 /var/jenkins_home/test.txt 

让我们为ssh目录有id_rsaid_rsa.pub文件。 请注意,作为目录名称,我使用ssh而不是.ssh 。 否则, .ssh内容将直接复制到/var/jenkins_home 。 这就是Docker对于名称以点开头的目录(例如.m2)的行为。

这是所有必要的步骤。 你可以看到,我可以成功地从容器中打开一个SSH会话:

 $ ls -all total 8 drwxr-xr-x 3 myuser mygroup 54 Mar 24 13:41 . drwxr-xr-x 6 myuser mygroup 70 Mar 24 09:54 .. -rw-r--r-- 1 myuser mygroup 242 Mar 24 13:35 Dockerfile -rw-r--r-- 1 myuser mygroup 338 Mar 24 13:33 entrypoint.sh drwx------ 2 myuser mygroup 36 Mar 24 11:24 ssh $ ls -all ssh/ total 8 drwx------ 2 myuser mygroup 36 Mar 24 11:24 . drwxr-xr-x 3 myuser mygroup 54 Mar 24 13:41 .. -rw------- 1 myuser mygroup 1679 Mar 24 11:23 id_rsa -rw-r--r-- 1 myuser mygroup 391 Mar 24 11:23 id_rsa.pub $ vi entrypoint.sh --- enrypoint.sh --- #! /bin/bash -e mkdir -p /var/jenkins_home/.ssh mv /usr/share/jenkins/ref/.ssh/id_rsa /var/jenkins_home/.ssh chmod 600 /var/jenkins_home/.ssh/id_rsa echo "start JENKINS" # if 'docker run' first argument start with '--' the user is passing jenkins launcher arguments if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then exec /bin/tini -- /usr/local/bin/jenkins.sh "$@" fi exec "$@" --- enrypoint.sh --- $ vi Dockerfile --- Dockerfile --- FROM jenkins:2.32.3 # Copy ssh as .ssh COPY ssh/ /usr/share/jenkins/ref/.ssh COPY entrypoint.sh /entrypoint.sh USER root # Change owner of .ssh directory and files under it to # jenkins user's owner (1000:1000) and make sure # permisson of id_rsa is not 600. RUN chown -R 1000:1000 /usr/share/jenkins/ref/.ssh \ && chmod 644 /usr/share/jenkins/ref/.ssh/id_rsa RUN chown 1000:1000 /entrypoint.sh \ && chmod +x /entrypoint.sh USER jenkins ENTRYPOINT ["/entrypoint.sh"] --- Dockerfile --- $ docker build -t myjenkins . ... $ docker run -it myjenkins /bin/bash jenkins@3090dda362d6:/$ ls -all /var/jenkins_home/.ssh/id_rsa -rw------- 1 jenkins jenkins 1679 Mar 24 08:23 /var/jenkins_home/.ssh/id_rsa jenkins@3090dda362d6:/$ ssh rose1 The authenticity of host 'rose1 (XX.XX.XX.XX)' can't be established. ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'rose1,XX.XX.XX.XX' (ECDSA) to the list of known hosts. Last login: Thu Mar 23 15:55:41 2017 from 10.74.200.56 [jenkins@rose1 ~]$ 

更新1

我已经把给定的file upload到GitHub: https : //github.com/kumlali/stackoverflow_answers/tree/master/docker_jenkins_ssh_keys/answer1