docker wrapper and rootless docker
Build steps with a container image specified (docker wrapper) have a hidden last step: Fix directory ownership.
This can be seen only with VERBOSE messages.
While this is good for standard docker installation (but not required if people extend docker options with --uid $UID), it BREAKS if docker is running rootless.
Because the step uses busybox to chown the directory, assuming docker is rootful.
Is there any possible configuration to skip this step? It's not required in rootless.
Could you share the full build log for the build where this step failed? You can upload it to https://uploads.jetbrains.com/ and share the upload ID.
Best regards,
Anton
Apologies for taking so long, but I eventually gave up on using rootless+TeamCity.
I'll update now with some extra notes:
* TeamCity uses a helper container and it is not configurable - this forces either a proxy to be set up or the “default registry” to have a busybox:latest image - it would be nice for this to be configurable
Unable to find image 'busybox:latest' locally
* After making the image available locally:
Full logs in Upload id: 2024_11_06_h42jTqNj8VnD5U3ZUVqmTd
* The previous build did NOT fail, it just complains about those permissions. But following builds will all fail for the lack of permissions in the same directories.
The files that it complains about have a different UID/GID as owner because of the way rootless docker maps UIDs. But it's expected, and accessing those locations from the shell works without any permission error; only TeamCity complains.
I hope this helps.
Issue is very easy to reproduce as well:
* Run docker in rootless mode
* Run a build with a command line runner step but with “runs on” docker image specified
The error should pop up
To note: the error does not fail the build, but it does paint the log with some red lines.
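The UID mapping mentioned in the post above can be worked through in a short added example (not code from the thread or from TeamCity). It parses the `/proc/<pid>/uid_map` format and shows which host UID ends up owning a file after a chown inside the container; the two sample maps, the agent UID 1000 and the helper names are constructed assumptions.

```python
# Added illustration: how a chown run inside a container lands on the host.
# uid_map lines are "<first id inside> <first id outside> <length>".

# Constructed sample maps (assumptions, not taken from the thread's logs).
ROOTFUL_MAP = "0 0 4294967295"              # identity mapping, no user namespace
ROOTLESS_MAP = "0 1000 1\n1 100000 65536"   # daemon user 1000 plus a subuid range


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def to_host(ranges, container_id):
    """Translate an ID seen inside the namespace to the host ID, or None."""
    for inside, outside, length in ranges:
        if inside <= container_id < inside + length:
            return outside + (container_id - inside)
    return None  # the ID is not mapped in this namespace


def chown_effect(ranges, agent_uid, target_uid):
    """Host owner after 'chown target_uid' in the container, and whether
    that owner is the (assumed) host user the build agent runs as."""
    host_owner = to_host(ranges, target_uid)
    return {"host_owner": host_owner, "agent_owns": host_owner == agent_uid}


if __name__ == "__main__":
    for name, raw in (("rootful", ROOTFUL_MAP), ("rootless", ROOTLESS_MAP)):
        ranges = parse_uid_map(raw)
        # Assumed scenario: the helper container chowns to the agent's UID.
        print(name, "chown 1000 ->", chown_effect(ranges, 1000, 1000))
        print(name, "chown 0    ->", chown_effect(ranges, 1000, 0))
```

With the rootless map, only files owned by container UID 0 belong to the host user running the daemon; any other container UID lands in the subordinate range.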
Fopina+ppb Hi,
Thank you for the details!
If you decided on a different approach, does this mean that this issue is no longer relevant? Or do you still need assistance with it?
Best regards,
Anton
Hi Anton Vakhtel, yes I'd still like to resolve it.
I'm not currently using rootless and am testing the Kubernetes agent integration, but it's likely there will be cases that cannot use that and need the old agents.
It would be great if those could have rootless docker, meaning this had been resolved.
Thanks
It looks like the workaround for it is described in the documentation: https://www.jetbrains.com/help/teamcity/container-wrapper.html#Restoring+File+Ownership+on+Linux. Please let me know if it works.
Best regards,
Anton
Anton, this worked perfectly! Thank you!