Skip to content
/ openshift-jenkins-buildah-slave Public

A Jenkins CI/CD agent based on the Maven agent that contains buildah (plus other goodies)

License

Apache-2.0 license
13 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

InformaticsMatters/openshift-jenkins-buildah-slave

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
.gitignore
.gitignore
 
 
Dockerfile-3_11
Dockerfile-3_11
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 
slave.yaml
slave.yaml
 
 

Repository files navigation

An OpenShift Jenkins Slave Agent Image for "buildah"

This is a Jenkins slave image built on the OpenShift Jenkins Maven slave that adds buildah and other utilities to the image. It is suitable for OpenShift Origin v3.11 deployments.

A matching ImageStream template is also included for the latest image.

The modified agent provides the user with...

  • buildah (See Dockerfile/BUILDAH_VERSION for version)
  • podman (See Dockerfile/PODMAN_VERSION for version)
  • skopeo (See Dockerfile/SCOPEO_VERSION for version)

For background material you can refer to the OpenShift documentation for their Jenkins service and general information on builds and image streams.

Building the image

I use, and you might need...

  • Docker Engine 18.09.2
  • Docker Compose 1.23.2

Build and tag the image...

$ docker-compose build

Deploying the image

Here, we'll deploy to the Docker hub. We just need to push it using docker-compose.

$ docker login -u alanbchristie
[...]
$ docker-compose push

Using the image as an OpenShift Jenkins slave

To use the image as an OpenShift Jenkins slave you can use the accompanying slave.yaml template file to create a suitable ImageStream using the oc command-line. Assuming you're logged into the OpenShift server and the project into which you've installed Jenkins you can run the following command to add a suitable image stream: -

$ oc process -f slave.yaml | oc create -f -

This should result in a buildah-slave ImageStream that can be used as a source for a Jenkins slave. To employ the image as a slave you refer to it is as the agent in your Jenkins pipeline where you'd normally refer to an agent:

agent {
  label 'buildah-slave'
}

You may need to re-deploy Jenkins (bounce its Pod) because it only looks for slave-based image streams once, during initialisation. So, if you add a slave stream after jenkins was started it'll need to be restarted. When the image stream has been recognised you should find it on the Jenkins -> Manage Jenkins -> Configure System page as a new image (with your chosen Name) in the Kubernetes section.

Once done you will need to ensure that the slave-agent runs with root privileges (described in the following section).

Running the slave agent as root

buildah needs to run as root but the default security settings for OpenShift is not to allow containers to run as root. This can, of course, be modified. In order to successfully run the slave-agent with root privileges you need to do a number of things: -

  1. Enable Run in privileged mode in the appropriate Kubernetes Pod Template. If you've successfully used the slave.yml and bounced Jenkins you should find a buildah-slave named Kubernetes Pod Template in the Kubernetes section of Manage Jenkins -> Configure System page on Jenkins. The Run in privileged mode option is in the Advanced section of Containers.

  2. In OpenShift you should add privileged to the service account used to create the Jenkins application. This is normally the project/namespace name, which you can check via the DeploymentConfig's spec:template:spec:serviceAccount value; e.g. oc adm policy add-scc-to-user -z ${SERVICE_ACCOUNT} privileged. Do this while in the appropriate project/namespace.

So, what can I do?

With this agent you will be able to build container images in an OpenShift Jenkins agent using local storage without a Docker daemon. You use buildah to build and podman to login to an external image registry (like Docker) before finally using buildah to push your image to the new registry.

A typical workflow, using a she OpenShift built-in Docker registry and an existing Dockerfile, might be something like this: -

$ buildah bud -t me/myimage:latest .
$ podman login --username <me> --password <password> docker-registry.default:5000
$ buildah push --format=v2s2 me/myimage:latest docker://docker-registry.default:5000/<namespace>/myimage:latest
$ podman logout <registry>:5000

...where

  • namespace is the name of a pre-existing namespace (project)

Alternatively, you can define the image format (if you're using a Dockerfile) at the bud stage, negating the need for the --format option on the push command: -

$ buildah bud --format docker -f <Dockerfile> -t me/myimage:latest .

In order for the agent to push to the registry you will need to have a suitable OpenShift user account (i.e. jenkins) and related privileges including those for the namespace you'll be pushing to:-

$ oc adm policy add-role-to-user system:registry jenkins
$ oc adm policy add-role-to-user system:image-builder jenkins
$ oc adm policy add-role-to-user admin jenkins -n <namespace>
$ oc adm policy add-scc-to-user -z jenkins privileged

About

A Jenkins CI/CD agent based on the Maven agent that contains buildah (plus other goodies)

Topics

jenkins openshift jenkins-slave openshift-jenkins-slave

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

13 stars

Watchers

4 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published