Jenkins + Docker: How to control docker user when using Image.inside command

Question

Dear Stackoverflow Community,

I am trying to setup a Jenkins CI pipeline using docker images as containers for my build processes. I am defining a Jenkinsfile to have a build pipeline as code. I am doing something like this:

node {   docker.withRegistry('http://my.registry.com', 'docker-credentials') {            def buildimage = docker.image('buildimage:latest');       buildimage.pull();       buildimage.inside("")       {         stage('Checkout sources') {           git url: '...', credentialsId: '...'         }          stage('Run Build and Publish') {             sh "..."         }       }   } } 

Unfortunately I am stumbling upon a weird behavior of the Docker pipeline plugin. In the build output I can see that the Image.inside(...) command triggers the container with a

docker run -t -d -u 1000:1000 ... 

This makes my build fail, because the user defined in the Dockerfile does not have the UID 1000 ... another user is actually taken. I even tried specifying which user should be used within the Jenkinsfile

node {   docker.withRegistry('http://my.registry.com', 'docker-credentials') {            def buildimage = docker.image('buildimage:latest');       buildimage.pull();       buildimage.inside("-u otheruser:othergroup")       {         stage('Checkout sources') {           git url: '...', credentialsId: '...'         }          stage('Run Build and Publish') {             sh "..."         }       }   } } 

but this leads to a duplicate -u switch in the resulting docker run command

docker run -t -d -u 1000:1000 -u otheruser:othergroup ... 

and obviously only the first -u is applied because my build still fails. I also did debugging using whoami to validate my assumptions.

So my questions: how can I change this behavior? Is there a switch where I can turn the -u 1000:1000 off? Is this even a bug? I actually like to work with the Docker plugin because it simplifies the usage of an own docker registry with credentials maintained in Jenkins. However, is there another simple way to get to my goal if the Docker Plugin is not usable?

Thank you in advance for your time

Answer 1

I found you can actually change user by adding args like following. Although -u 1000:1000 will still be there in the docker run, you will an additional -u [your user] after 1000:1000. Docker will acutally use latest -u parameter

agent {   docker {     image 'your image'     args '-u root --privileged'   } } 

Answer 2

As you can see here or here is hardcoded the fact of append the uid and gid of the user that is running Jenkins (in your case, the Jenkins user created inside the oficial docker image).

You can change the user that runs the processes inside your Jenkins image passing the --user (or -u) argument to the docker run command. Maybe this can minimize your problems.

Edited

how can I change this behavior? Is there a switch where I can turn the -u 1000:1000 off?

You can't change this behaviour in the actual version because the whoami is hardcoded.

Is this even a bug?

In this pull request seems that they are working on it.

However, is there another simple way to get to my goal if the Docker Plugin is not usable?

The new pipeline plugin version that comes with Jenkins also use the docker-workflow-plugin to run the containers. I don't know another plugin to run that in a simple way. To workaround this, you can run your Jenkins as root but is a very ugly solution.