Run teamcity agent under buildagent user using gosu, fixes #16 #23

2 changes: 1 addition & 1 deletion run-agent.sh
Expand Up @@ -66,7 +66,7 @@ else
prepare_conf
fi

${AGENT_DIST}/bin/agent.sh start
gosu buildagent ${AGENT_DIST}/bin/agent.sh start

Consider chown for buildagent user during 'initialization' (in addition to the Dockerfile), either:
A) in this entrypoint
B) As an entry in /services/

    chown -R buildagent:buildagent /opt/buildagent

Otherwise this may break for users of jetbrains/teamcity-agent which run "Docker from the host". The permissions need to be set at container 'runtime' since the checkout dir and temp dir are bind-mount VOLUMEs; as explained here: https://hub.docker.com/r/jetbrains/teamcity-agent/

Options -v /opt/buildagent/work:/opt/buildagent/work and -v /opt/buildagent/temp:/opt/buildagent/temp are required if you want to use Docker Wrapper on this build agent.


while [ ! -f ${LOG_DIR}/teamcity-agent.log ];
do
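Review bot: On the changed start line only the agent process is dropped to buildagent, while prepare_conf above still runs as root, so whatever it writes and the directory behind ${LOG_DIR} must be writable by buildagent; if they are not, the loop below keeps waiting for ${LOG_DIR}/teamcity-agent.log to appear. Consider setting ownership of those paths in this script before the gosu call, and quoting the expansion: gosu buildagent "${AGENT_DIST}/bin/agent.sh" start.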
13 changes: 13 additions & 0 deletions ubuntu/Dockerfile
Expand Up @@ -14,6 +14,19 @@ COPY dist/buildagent /opt/buildagent
RUN useradd -m buildagent && \
Author

@stayclassychicago @yaegor user buildagent must be part of docker group in teamcity-docker-agent container in order to be able to run dockerized tasks.
Shall we run usermod -a -G docker buildagent there?

Author

Alternatively, we can create docker group in advance here, and add buildagent user to this group.

I do not think either is necessary for this minimal agent image. The teamcity-docker-agent provisions both:

Author

Agree, I missed that

chmod +x /run-agent.sh /run-services.sh && sync

ENV GOSU_VERSION 1.10
RUN set -x \
&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
&& export GNUPGHOME="$(mktemp -d)" \
&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
@stayclassychicago, May 10, 2018

Does this step still work for you? This fails with a keyserver communications error (below). Not sure if this is a regional issue (if so, are there mirrors for this keyserver) or if you are able to validate this is still successful?

    gpg: keyserver communications error: keyserver unreachable
    ?: [fd 4]: read error: Connection reset by peer
    gpgkeys: HTTP fetch error 7: couldn't connect: eof
    gpg: keyserver communications error: public key not found
    gpg: keyserver receive failed: public key not found

Author

Yes, it does for me, let me check if ubuntu apt key servers have this key.

Author

Could you please check if the following works for you:

  1. gpg --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
  2. apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4

It is weird, that it can't connect; keyserver.ubuntu.com is part of sks pool as well.
Are you able to resolve domain dig +short ha.pool.sks-keyservers.net?

&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
&& rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
&& chmod +x /usr/local/bin/gosu \
&& gosu nobody true

RUN chown -R buildagent:buildagent /opt/buildagent

CMD ["/run-services.sh"]

EXPOSE 9090
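
Review bot: The gpg --keyserver ha.pool.sks-keyservers.net --recv-keys line makes every image build depend on a single keyserver pool being reachable, and a failure there aborts the whole RUN chain before the signature check. Consider trying a short list of keyservers in turn, or adding the gosu signing key to the build context and loading it with gpg --import. Separately, RUN chown -R buildagent:buildagent /opt/buildagent in a later layer than COPY dist/buildagent /opt/buildagent stores the directory contents a second time in the image; creating the user before the COPY and using COPY --chown=buildagent:buildagent, where the supported Docker versions allow it, avoids that.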