
I'm having trouble getting Jenkins to write to a directory; however, I believe I have set the correct permissions. Jenkins is being run by a user named "jenkins", who belongs to a group called "jenkins-group". The directory in question looks something like this when I run ll:

drwxrwxr-x 2 jenkins-group jenkins-group 68 Sep 3 13:01 test_save_data_jenkins_R

I followed the recommended approach as seen in the link below, by creating a group having "rwx" permissions and adding the user running Jenkins to this group: "How do I properly allow user jenkins to write to a specific directory under user minecraft home directory?"

So I have given the group "jenkins-group" rwx permissions, which in turn should give the user "jenkins" those permissions as well, since it has this group as a secondary. When I log in as the user "jenkins" from a terminal, I'm able to create a new file in this folder using touch test.txt. However, when I run a build from Jenkins with the following commands in execute shell:

cd /apps/models/test_save_data_jenkins_R && whoami && touch test.txt

I get the following error:

+ cd /apps/models/test_save_data_jenkins_R
+ whoami
jenkins
+ touch test.txt
touch: cannot touch ‘test.txt’: Permission denied
Build step 'Execute shell' marked build as failure
Finished: FAILURE

Notice that the group "jenkins-group" also has rwx permissions to the folders "apps" and "models". I have tried giving the user "jenkins" direct permission using the following command:

$ setfacl -Rm user:jenkins:rwx /apps/models/test_save_data_jenkins_R/

which would result in the script running successfully. However, this is really a workaround, and I would like to understand what I'm doing wrong in the previous approach.

Update #1

Running groups jenkins:

jenkins : jenkins jenkins-group

And running getfacl returns:

# file: test_save_data_jenkins_R/
# owner: jenkins-group
# group: jenkins-group
user::rwx
group::rwx
other::r-x

Update #2

Running /usr/bin/id in jenkins script gives:

+ /usr/bin/id 
uid=775(jenkins) gid=895(jenkins) groups=895(jenkins)

Running /usr/bin/id from terminal gives:

uid=775(jenkins) gid=895(jenkins) groups=895(jenkins),1012(jenkins-group)

Note that this also happens after running safeRestart of the jenkins service.

sarnikowski
  • Isn't test_save_data_jenkins_R owned by jenkins-group jenkins-group instead of jenkins jenkins-group? – Alex Baranowski Sep 03 '18 at 13:15
  • OK, so the big question: can you manually go into that path and create a file as that user? Either you set the rules on the folder without -R, so the rights only stayed on the folder and not on files/subfolders, or the script is running as someone else. – Michal Sep 03 '18 at 13:22
  • Yes, I can manually add files and remove them as user "jenkins" in the directory. I am perplexed, since when I run the script and ask "whoami" it says jenkins. – sarnikowski Sep 03 '18 at 13:26
  • Can you add a `/usr/bin/id` to your script? Is there any difference between the `id` outputs when run interactively or in the script? – andcoz Sep 03 '18 at 13:53
  • @andcoz I get the following output: + /usr/bin/id uid=775(jenkins) gid=895(jenkins) groups=895(jenkins) --- However running this from the jenkins user gives: uid=775(jenkins) gid=895(jenkins) groups=895(jenkins),1012(jenkins-group) – sarnikowski Sep 03 '18 at 13:56
  • What if you add `chgrp jenkins-group` to the script? – slm Sep 03 '18 at 14:31
  • Please add this information to your question. It seems that when run by jenkins, your script is **not** a member of `jenkins-group`. This explains why it cannot create the file. – andcoz Sep 03 '18 at 14:36
  • @andcoz - he added it, the user jenkins is in that group. – slm Sep 03 '18 at 14:45
  • `id` is clear: the user is in the group but the script, when run by the jenkins program, is not in the `jenkins-group` group. Now, we have to look for an explanation of this. How do you start the jenkins server? Systemd? – andcoz Sep 03 '18 at 15:00
  • Did you restart the jenkins server after you added the jenkins user to the group? – andcoz Sep 03 '18 at 15:02
  • Yes, I understand the issue as well now. I tried running a safeRestart of the jenkins service, however the outcome is unchanged. I updated the original post to reflect this @andcoz – sarnikowski Sep 04 '18 at 06:50

1 Answer


The problem was that the user permissions were not reflected until I restarted the jenkins service. I did this on the Red Hat Linux machine by typing:

sudo service jenkins restart
sarnikowski
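
A process keeps the supplementary group list it was started with, so a daemon that was already running when its user was added to a group does not hold the new gid until the service itself is started again, which is the mismatch the two `id` outputs in the question show. The script below is an added example, not part of the original post: it compares the `Groups:` line of `/proc/<pid>/status` with the gids currently configured for the user. The function names are hypothetical and the sample status text is constructed from the uid/gid values in the question.

```shell
#!/bin/sh
# Added example: detect a process running with a stale supplementary group list.

# missing_groups CONFIGURED_GIDS
# Reads /proc/<pid>/status text on stdin and prints the gids from
# CONFIGURED_GIDS (space separated) that are absent from its "Groups:" line.
missing_groups() {
    configured=$1
    running=$(awk '/^Groups:/ { $1 = ""; print }')
    missing=""
    for gid in $configured; do
        case " $running " in
            *" $gid "*) ;;                              # process holds this gid
            *) missing="${missing:+$missing }$gid" ;;   # configured but not held
        esac
    done
    printf '%s\n' "$missing"
}

# check_pid PID
# Compares a live process with what the group database says right now.
check_pid() {
    pid=$1
    uid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status")   # effective uid
    user=$(getent passwd "$uid" | cut -d: -f1)
    missing_groups "$(id -G "$user")" < "/proc/$pid/status"
}

# Constructed sample: status excerpt for the Jenkins job in the question,
# started before uid 775 was added to gid 1012 (jenkins-group).
demo() {
    printf 'Name:\tjava\nUid:\t775\t775\t775\t775\nGid:\t895\t895\t895\t895\nGroups:\t895 \n' |
        missing_groups "895 1012"
}

stale=$(demo)
if [ -n "$stale" ]; then
    echo "running process lacks configured gid(s): $stale; restart the service"
fi
```

On a live host, `check_pid` with the PID of the Jenkins java process printing any gid means the service has to be restarted before the new membership takes effect.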