Develop Reference

Permission issue while building Docker image with Jenkins Pipeline

While building the image in Jenkins gradle build fails with the error
ERROR: JAVA_HOME is set to an invalid directory: /opt/java/openjdk
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation.
Following is the part of the Dockerfile. The RUN gradle build is what fails.
FROM gradle:7.4.2-jdk8 as builder
COPY --chown=gradle:gradle . /home/gradle/src
WORKDIR /home/gradle/src
RUN gradle build --no-daemon
What I have checked
That the path is correct /opt/java/openjdk
https://hub.docker.com/layers/gradle/library/gradle/jdk8-jammy/images/sha256-8fe6aa6c268162cbb00e0873e94e8c8a49aea1d3bdf7a3c7499751f227f5dfc6?context=explore
What fails is the following gradle check : https://github.com/marklogic-community/ml-gradle/blob/9816f8756e8a6c656cb2371a4d9f85405e39e6d8/gradlew#L73
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
It builds perfectly fine locally when do I skaffold build with local profile. But fails in Jenkins.
So the path exists so I am not sure why the -x check fails and only in Jenkins. It is executable by the user and group -> gradle:1000:1000 - that comes with the image : gradle:7.4.2-jdk8
I would appreciate any insight to this issue. Thank you.

same issue with TeamCity agent. It runs docker-in-docker.
In container (DockerInDocker) test -x $JAVA_HOME/bin/java returns 1.
In agent test -x $JAVA_HOME/bin/java returns 0.
0777 mode, root owner as well.

Also seeing the same issue in Jenkins running on k8s. Using eclipse-temurin:11.0.15_10-jdk as the base image. Checking the Java executable before gradlew is called give me:
13:34:46 Step 9/23 : RUN ls -la /opt/java/openjdk/bin/java
13:34:46 ---> Running in d7a82558e4b2
13:34:47 -rwxr-xr-x 1 root root 12768 Apr 19 21:38 /opt/java/openjdk/bin/java
but when I test for executable perms I get:
13:24:57 Step 10/22 : RUN test -x $JAVA_HOME/bin/java
13:24:57 ---> Running in 20dd8d832464
13:24:57 The command '/bin/sh -c test -x $JAVA_HOME/bin/java' returned a non-zero code: 1
It looks like commands are being run as root as well:
13:19:06 Step 10/21 : RUN id -u -n
13:19:06 ---> Running in 1ea36050bc88
13:19:06 root
What makes it weirder is that I'm able to manually create the same Jenkins pod used for builds, exec in and clone the repo and build the Docker image successfully with no issues.

How to solve JFrog config read error when building docker image - [Error] open /root/.jfrog/jfrog-cli.conf: read-only file system

I'm building a docker image and getting the error:
=> ERROR [14/36] RUN --mount=type=secret,id=jfrog-cfg,target=/root/.jfrog/jfrog-cli.conf jfrog rt dl --flat artifact 0.7s
------
> [14/36] RUN --mount=type=secret,id=jfrog-cfg,target=/root/.jfrog/jfrog-cli.conf jfrog rt dl --flat artifact/artifact.tar.gz; set -eux; mkdir -p /usr/local/artifact; tar xzf artifact.tar.gz -C /usr/local/; ln -s /usr/local/artifact /usr/local/artifact;:
#22 0.524 [Error] open /root/.jfrog/jfrog-cli.conf: read-only file system
------
failed to solve with frontend dockerfile.v0: failed to solve with frontend gateway.v0: rpc error: code = Unknown desc = failed to build LLB: executor failed running [/bin/bash -eo pipefail -c jfrog rt dl --flat artifact/${ART_TAG}.tar.gz; set -eux; mkdir -p /usr/local/${ART_TAG}; tar xzf ${ART_TAG}.tar.gz -C /usr/local/; ln -s /usr/local/${ART_VERSION} /usr/local/artifact;]: runc did not terminate sucessfully
The command I use to build the docker image is
DOCKER_BUILDKIT=1 docker build -t imagename . --secret id=jfrog-cfg,src=${HOME}/.jfrog/jfrog-cli.conf (jfrog config exists at ${HOME}/.jfrog/jfrog-cli.conf)
JFrog is working and the artifact I'm downloading exists as I can manually download it outside of using docker.

On Linux, docker is run using the root user, so ${HOME} is /root and not /home/your-user-name or whatever your usual home folder is. Try using explicit full pathnames instead of the env var.

How to create a Docker image of a Scala Play application using jre-alpine base image

I'd like to take advantage of the jre-alpine Docker base image to shrink down the size of the docker image that I have to push to my Docker registry, but I constantly hit this error:
[info] Step 10/16 : RUN id -u demiourgos728 2> /dev/null || useradd --system --create-home --uid 1001 --gid 0 demiourgos728
[info] ---> Running in 696dcf40530a
[info] /bin/sh: useradd: not found
[info] Removing intermediate container 696dcf40530a
[error] The command '/bin/sh -c id -u demiourgos728 2> /dev/null || useradd --system --create-home --uid 1001 --gid 0 demiourgos728' returned a non-zero code: 127
[error] java.lang.RuntimeException: Nonzero exit value: 127
[error] at com.typesafe.sbt.packager.docker.DockerPlugin$.publishLocalDocker(DockerPlugin.scala:483)
[error] at com.typesafe.sbt.packager.docker.DockerPlugin$.$anonfun$projectSettings$33(DockerPlugin.scala:187)
[error] at com.typesafe.sbt.packager.docker.DockerPlugin$.$anonfun$projectSettings$33$adapted(DockerPlugin.scala:185)
[error] at scala.Function1.$anonfun$compose$1(Function1.scala:44)
[error] at sbt.internal.util.$tilde$greater.$anonfun$$u2219$1(TypeFunctions.scala:40)
[error] at sbt.std.Transform$$anon$4.work(System.scala:67)
[error] at sbt.Execute.$anonfun$submit$2(Execute.scala:269)
[error] at sbt.internal.util.ErrorHandling$.wideConvert(ErrorHandling.scala:16)
[error] at sbt.Execute.work(Execute.scala:278)
[error] at sbt.Execute.$anonfun$submit$1(Execute.scala:269)
[error] at sbt.ConcurrentRestrictions$$anon$4.$anonfun$submitValid$1(ConcurrentRestrictions.scala:178)
[error] at sbt.CompletionService$$anon$2.call(CompletionService.scala:37)
[error] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[error] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[error] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[error] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[error] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[error] at java.lang.Thread.run(Thread.java:748)
[error] (Docker / publishLocal) Nonzero exit value: 127
Versions involved:
Play 2.7.3
Scala 2.12.8
Docker 19.03.1
sbt 1.2.8
In my build.sbt I added:
enablePlugins(AshScriptPlugin)
dockerBaseImage := "openjdk:jre-alpine"
Following the instructions provided here: https://www.scala-sbt.org/sbt-native-packager/formats/docker.html#busybox-ash-support
The Docker commands that Play tries to execute:
show dockerCommands
[info] Wrote /Users/xxxxx/projects/together/togrx/target/scala-2.12/together-rx_2.12-0.7.0-a.pom
[info] * Cmd(FROM,WrappedArray(openjdk:8-jre-alpine, as, stage0))
[info] * Cmd(WORKDIR,WrappedArray(/opt/docker))
[info] * Cmd(COPY,WrappedArray(opt /opt))
[info] * Cmd(USER,WrappedArray(root))
[info] * ExecCmd(RUN,List(chmod, -R, u=rX,g=rX, /opt/docker))
[info] * ExecCmd(RUN,List(chmod, u+x,g+x, /opt/docker/bin/together-rx))
[info] * DockerStageBreak
[info] * Cmd(FROM,WrappedArray(openjdk:8-jre-alpine))
[info] * Cmd(USER,WrappedArray(root))
[info] * Cmd(RUN,List(id, -u, demiourgos728, 2>, /dev/null, ||, useradd, --system, --create-home, --uid, 1001, --gid, 0, demiourgos728))
[info] * Cmd(WORKDIR,WrappedArray(/opt/docker))
[info] * Cmd(COPY,WrappedArray(--from=stage0 --chown=demiourgos728:root /opt/docker /opt/docker))
[info] * Cmd(EXPOSE,WrappedArray(4300 4301))
[info] * Cmd(USER,WrappedArray(1001))
[info] * ExecCmd(ENTRYPOINT,List(/opt/docker/bin/together-rx))
[info] * ExecCmd(CMD,List())

There is no useradd command in alpine image, use adduser instead, see next:
$ docker run -it openjdk:jre-alpine /bin/sh
Unable to find image 'openjdk:jre-alpine' locally
jre-alpine: Pulling from library/openjdk
[DEPRECATION NOTICE] registry v2 schema1 support will be removed in an upcoming release. Please contact admins of the docker.io registry NOW to avoid future disruption.
8e3ba11ec2a2: Pull complete
311ad0da4533: Pull complete
391a6a6b3651: Pull complete
Digest: sha256:016a7989474f1e685da966631ba6403cb349548621ebb8e4a6205f7c5fa88320
Status: Downloaded newer image for openjdk:jre-alpine
/ # useradd
/bin/sh: useradd: not found
/ # echo $?
127
/ # adduser
BusyBox v1.28.4 (2018-05-30 10:45:57 UTC) multi-call binary.
Usage: adduser [OPTIONS] USER [GROUP]
Create new user, or add USER to GROUP
-h DIR Home directory
-g GECOS GECOS field
-s SHELL Login shell
-G GRP Group
-S Create a system user
-D Don't assign a password
-H Don't create home directory
-u UID User id
-k SKEL Skeleton directory (/etc/skel)
/ #
So, you need to modify build.sbt or something else to make sure use adduser not useradd.
UPDATE:
As you said, the useradd was generated by play framework, then what I suggest is you to customize your own image to add useradd, it's in shadow package, then it will be transparent to play framework, like next:
Dockerfile:
FROM openjdk:jre-alpine
RUN apk add shadow
Build the image in your local docker host machine:
docker build -t myimage .
Finally, in build.sbt:
dockerBaseImage := "myimage"

docker build is not creating an image

I have an sbt project i have written a dockerFile in its root directory here is the Dockerfile
FROM hseeberger/scala-sbt:11.0.2_2.12.8_1.2.8
MAINTAINER name <email#gmail.com>
RUN echo "==> run the project..." && \
echo "==> it will take some time!!!" && \
sbt run
WORKDIR /hazelcastscalaserver
# Define default command.
CMD ["sbt", "run"]
when i do docker build -t test/project .
instead of dcoker creating an image it started to run the command here is expected behviour should be it shpuld build the image then i will run the image through docker run test/project:latest and my project started to run but its not happening where i am mistaken ?
here is the result of docker build
Sending build context to Docker daemon 208.1MB
Step 1/5 : FROM hseeberger/scala-sbt:11.0.2_2.12.8_1.2.8
---> 349a7e4f4029
Step 2/5 : MAINTAINER name <name#gmail.com>
---> Using cache
---> e92083819853
Step 3/5 : RUN echo "==> run the project..." && echo "==> it will take some time!!!" && sbt run
---> Running in 226ce249a353
==> run the project...
==> it will take some time!!!
[info] Updated file /root/project/build.properties: set sbt.version to 1.2.8
[info] Loading project definition from /root/project
[info] Updating ProjectRef(uri("file:/root/project/"), "root-build")...
[info] Done updating.
[info] Set current project to root (in build file:/root/)
[info] Updating ...
[info] Done updating.
[info] Packaging /root/target/scala-2.12/root_2.12-0.1.0-SNAPSHOT.jar ...
[info] Done packaging.
[error] java.lang.RuntimeException: No main class detected.
[error] at scala.sys.package$.error(package.scala:26)
[error] (Compile / bgRun) No main class detected.
[error] Total time: 0 s, completed May 2, 2019, 12:37:43 PM
The command '/bin/sh -c echo "==> run the project..." && echo "==> it will take some time!!!" && sbt run' returned a non-zero code: 1

using fabric8 docker-maven-plugin in a Jenkins docker container

I am using fabric8's docker-maven-plugin to build and push my docker image. I do something like:
mvn docker:build
in both my dev environment and Jenkins. But here is my problem.
I have Jenkins running in a docker Swarm.
docker service create --name jenkins -p 8080:8080 -p 50000:50000 --replicas=1 --mount type=volume,src=jenkins_home,dst=/var/jenkins_home --mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock jenkins/jenkins
Notice that I have a bind mount from the host's /var/run/docker.sock to the container's /var/run/docker.sock.
I then install the Docker binaries inside the container by running:
apt-get update && apt-get -y install apt-transport-https ca-certificates \
curl gnupg2 software-properties-common && \
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg > /tmp/dkey; apt-key add /tmp/dkey && \
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable" && \
apt-get update && \ apt-get -y install docker-ce=18.06.1~ce~3-0~debian
lastly I add the jenkins user to the docker group
useradd -G {docker} jenkins
In reality I will build my own docker image using the jenkins/jenkins image as my root using the above mentioned commands.
I then login to Jenkins, crate my pipeline as follows
node {
def mvnHome
stage('Preparation') { // for display purposes
git branch: 'branch', credentialsId: 'id', url: 'https://url'
mvnHome = tool 'm3'
env.JAVA_HOME="${tool 'java8'}"
env.DOCKER_HOST="unix://var/run/docker.sock"
env.PATH="${env.JAVA_HOME}/bin:${env.PATH}"
}
stage('Build Docker Image') {
dir('rms-donation-manager') {
sh "'${mvnHome}/bin/mvn' clean install docker:build"
}
}
}
When I run the pipeline i get the following error:
+ /var/jenkins_home/tools/hudson.tasks.Maven_MavenInstallation/m3/bin/mvn clean install docker:build
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building donation-manager 1.0.3-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- docker-maven-plugin:0.28.0:build (default-cli) # donation-manager ---
Apr 07, 2019 3:21:24 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.io.IOException) caught when processing request to {}->unix://127.0.0.1:1: Permission denied
Apr 07, 2019 3:21:24 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->unix://127.0.0.1:1
Apr 07, 2019 3:21:24 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.io.IOException) caught when processing request to {}->unix://127.0.0.1:1: Permission denied
Apr 07, 2019 3:21:24 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->unix://127.0.0.1:1
Apr 07, 2019 3:21:24 AM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.io.IOException) caught when processing request to {}->unix://127.0.0.1:1: Permission denied
Apr 07, 2019 3:21:24 AM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->unix://127.0.0.1:1
[ERROR] DOCKER> Cannot create docker access object [Permission denied]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.554 s
[INFO] Finished at: 2019-04-07T03:21:24Z
[INFO] Final Memory: 17M/175M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal io.fabric8:docker-maven-plugin:0.28.0:build (default-cli) on project donation-manager: Cannot create docker access object: Permission denied -> [Help 1]
Notice the command that was run by Jenkins
/var/jenkins_home/tools/hudson.tasks.Maven_MavenInstallation/m3/bin/mvn clean install docker:build
Its using the the maven tool 'm3' which i am using in the Jenkins pipeline and running the maven command mvn clean install docker:build and its complaining about permissions
Here is the kicker. I go into the jenkins container
docker exec -it ec4be3dffa62 /bin/bash
Notice that I am not going in as the root user, I am actually the jenkins user. I then go in to my project where the pom.xml file is located and run
/var/jenkins_home/tools/hudson.tasks.Maven_MavenInstallation/m3/bin/mvn clean install docker:build
And it works!!!! The image is built. Why does it work when i am inside the container, and not when I am running it from the jenkins ui. Is the jenkins UI using a different user?

In above mention sequence first you started Jenkins and then you have added jenkins user in docker group. if this is the case, changes is not reflected for the Jenkins server. but when you are executing manually, at that time jenkins added to docker group. To test - create a test job and execute script "id -a". this will show groups for user Jenkins at that point of time. same cmd execute from inside of container. if there is difference, i would suggest you to create a dockerfile with all above installation and useradd and then start Jenkins.