Run teamcity agent under buildagent user using gosu, fixes #16 #23
base: master
@VladRassokhin, @redhandpl, @omar-a-toma would you mind reviewing, please?
@@ -66,7 +66,7 @@ else | |||
prepare_conf | |||
fi | |||
|
|||
${AGENT_DIST}/bin/agent.sh start | |||
gosu buildagent ${AGENT_DIST}/bin/agent.sh start |
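Review bot: prepare_conf still runs before the new gosu line, as the entrypoint's original user, so whatever it writes is not owned by buildagent and the agent may be unable to update those files after the privilege drop. Run the chown of the agent directory before this line, or run prepare_conf under gosu as well. Also quote the expansion, "${AGENT_DIST}/bin/agent.sh", so a path containing spaces does not split.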
Consider chown for buildagent user during 'initialization' (in addition to the Dockerfile), either:
A) in this entrypoint
B) As an entry in /services/
chown -R buildagent:buildagent /opt/buildagent
Otherwise this may break for users of jetbrains/teamcity-agent which run "Docker from the host". The permissions need to be set at container 'runtime' since the checkout dir and temp dir are bind-mount VOLUMEs; as explained here: https://hub.docker.com/r/jetbrains/teamcity-agent/
Options -v /opt/buildagent/work:/opt/buildagent/work and -v /opt/buildagent/temp:/opt/buildagent/temp are required if you want to use Docker Wrapper on this build agent.
@stayclassychicago done
@@ -14,6 +14,19 @@ COPY dist/buildagent /opt/buildagent | |||
RUN useradd -m buildagent && \ |
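Review bot: useradd -m buildagent leaves the UID and GID to whatever the system assigns, so the numeric owner of files the agent writes is not fixed by the image and cannot be matched reliably on a host that bind-mounts directories into the container. Consider pinning both, for example with useradd's -u option and a group created with a fixed GID, and documenting the values.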
@stayclassychicago @yaegor user buildagent must be part of docker group in teamcity-docker-agent container in order to be able to run dockerized tasks.
Shall we run usermod -a -G docker buildagent there?
Alternatively, we can create docker group in advance here, and add buildagent user to this group.
I do not think either is necessary for this minimal agent image. The teamcity-docker-agent provisions both:
- docker group is created in the step to install docker
- later in the step the buildagent user is added to docker group
Agree, I missed that
&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \ | ||
&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \ | ||
&& export GNUPGHOME="$(mktemp -d)" \ | ||
&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \ |
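Review bot: the gpg --recv-keys call depends on a single keyserver pool, ha.pool.sks-keyservers.net, so the image build fails whenever that pool is unreachable from the build host. Keep the full-fingerprint pin, but either retry against a second keyserver on failure or commit the public key to the repository and load it with gpg --import, so the build does not hinge on keyserver availability.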
Does this step still work for you? This fails with keyserver communications error (below). Not sure if this is a regional issue (if so are there mirrors for this keyserver) or if you are able to validate this is still successful?
gpg: keyserver communications error: keyserver unreachable
?: [fd 4]: read error: Connection reset by peer
gpgkeys: HTTP fetch error 7: couldn't connect: eof
gpg: keyserver communications error: public key not found
gpg: keyserver receive failed: public key not found
Yes, it does for me, let me check if ubuntu apt key servers have this key.
Could you please check if the following works for you:
gpg --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
It is weird that it can't connect; keyserver.ubuntu.com is part of sks pool as well.
Are you able to resolve domain dig +short ha.pool.sks-keyservers.net?
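A keyserver fallback for the failure discussed in this thread, as an added example that is not part of the PR or of any participant's comment: it tries each keyserver named above in turn and succeeds only once the pinned fingerprint is in the keyring. The function name recv_key and the overridable GPG and KEYSERVERS variables are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the PR.
# GPG can be overridden (an assumption of this example) so the loop can be
# exercised offline with a stub instead of contacting real keyservers.
GPG="${GPG:-gpg}"

# Default keyserver names are the two mentioned in the thread.
KEYSERVERS="${KEYSERVERS:-ha.pool.sks-keyservers.net keyserver.ubuntu.com}"

# recv_key FINGERPRINT
# Prints the keyserver that delivered the key on stdout; returns 1 if none did.
recv_key() {
    fpr="$1"
    for server in $KEYSERVERS; do
        # Fetch by full fingerprint, then confirm that exact key is now in
        # the keyring before reporting success. gpg output goes to stderr
        # so stdout carries only the name of the server that worked.
        if "$GPG" --batch --keyserver "$server" --recv-keys "$fpr" >&2 &&
           "$GPG" --batch --fingerprint "$fpr" >&2; then
            printf '%s\n' "$server"
            return 0
        fi
        echo "keyserver $server failed, trying the next one" >&2
    done
    echo "key $fpr not available from any configured keyserver" >&2
    return 1
}
```

In the Dockerfile RUN step, a call to recv_key with the fingerprint would take the place of the single gpg --recv-keys line, ahead of the signature verification.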
@VladRassokhin could you please review this PR, if you have some free time, of course.
Currently we're preparing TeamCity 2018.1 release so I don't have spare time to take a look. Probably a month later we would evaluate this PR.
Hello, I've just pushed a fix for #16 which optionally runs agent under Please let me know if there are any issues with the fix. Thank you!