commit eaf50a06fa2235362f386b7dffbd5720168c708f
parent c20e436c8196cd1169b1fb7bc73aacc422f809ca
Author: Andreas Gruhler <agruhl@gmx.ch>
Date: Sun, 3 Aug 2025 12:46:40 +0200
feat(jenkins-inbound-agent): add Dockerfile
Diffstat:
2 files changed, 156 insertions(+), 6 deletions(-)
diff --git a/docker/docker-jenkins-inbound-agent/Dockerfile b/docker/docker-jenkins-inbound-agent/Dockerfile
@@ -0,0 +1,156 @@
+# The MIT License
+#
+# Copyright (c) 2015-2020, CloudBees, Inc. and other Jenkins contributors
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+ARG ALPINE_TAG=3.20.0
+FROM alpine:"${ALPINE_TAG}" AS jre-build
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+# This Build ARG is populated by Docker
+# Ref. https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
+ARG TARGETPLATFORM
+
+COPY adoptium-get-jdk-link.sh /usr/bin/local/adoptium-get-jdk-link.sh
+COPY adoptium-install-jdk.sh /usr/bin/local/adoptium-install-jdk.sh
+
+ARG JAVA_VERSION=17.0.11_9
+# hadolint ignore=DL3018
+RUN apk add --no-cache \
+ ca-certificates \
+ jq \
+ curl \
+ && /usr/bin/local/adoptium-install-jdk.sh alpine
+
+ENV PATH="/opt/jdk-${JAVA_VERSION}/bin:${PATH}"
+
+## Agent image target
+FROM alpine:"${ALPINE_TAG}" AS agent
+
+ARG user=jenkins
+ARG group=jenkins
+ARG uid=1000
+ARG gid=1000
+
+RUN addgroup -g "${gid}" "${group}" \
+ && adduser -h /home/"${user}" -u "${uid}" -G "${group}" -D "${user}" || echo "user ${user} already exists."
+
+ARG AGENT_WORKDIR=/home/"${user}"/agent
+
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+ENV TZ=Etc/UTC
+
+## Always use the latest Alpine packages: no need for versions
+# hadolint ignore=DL3018
+RUN apk add --no-cache \
+ curl \
+ bash \
+ git \
+ git-lfs \
+ musl-locales \
+ openssh-client \
+ openssl \
+ procps \
+ tzdata \
+ tzdata-utils \
+ && rm -rf /tmp/*.apk /tmp/gcc /tmp/gcc-libs.tar* /tmp/libz /tmp/libz.tar.xz /var/cache/apk/*
+
+ARG VERSION=3248.v65ecb_254c298
+ADD --chown="${user}":"${group}" "https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/${VERSION}/remoting-${VERSION}.jar" /usr/share/jenkins/agent.jar
+RUN chmod 0644 /usr/share/jenkins/agent.jar \
+ && ln -sf /usr/share/jenkins/agent.jar /usr/share/jenkins/slave.jar
+
+
+ENV JAVA_HOME=/opt/java/openjdk
+COPY --from=jre-build /opt/jdk-21.0.3_9 "$JAVA_HOME"
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+
+USER "${user}"
+ENV AGENT_WORKDIR="${AGENT_WORKDIR}"
+RUN mkdir -p /home/"${user}"/.jenkins && mkdir -p "${AGENT_WORKDIR}"
+
+VOLUME /home/"${user}"/.jenkins
+VOLUME "${AGENT_WORKDIR}"
+WORKDIR /home/"${user}"
+ENV user=${user}
+LABEL \
+ org.opencontainers.image.vendor="Jenkins project" \
+ org.opencontainers.image.title="Official Jenkins Agent Base Docker image" \
+ org.opencontainers.image.description="This is a base image, which provides the Jenkins agent executable (agent.jar)" \
+ org.opencontainers.image.version="${VERSION}" \
+ org.opencontainers.image.url="https://www.jenkins.io/" \
+ org.opencontainers.image.source="https://github.com/jenkinsci/docker-agent" \
+ org.opencontainers.image.licenses="MIT"
+
+## Inbound Agent image target
+FROM agent AS inbound-agent
+
+ARG user=jenkins
+
+USER root
+COPY ../../jenkins-agent /usr/local/bin/jenkins-agent
+RUN chmod +x /usr/local/bin/jenkins-agent &&\
+ ln -s /usr/local/bin/jenkins-agent /usr/local/bin/jenkins-slave
+
+# Install Docker client
+ARG DOCKER_VERSION=26.0.2
+ARG DOCKER_COMPOSE_VERSION=v2.27.0
+RUN curl -fsSL https://download.docker.com/linux/static/stable/armhf/docker-$DOCKER_VERSION.tgz | tar --strip-components=1 -xz -C /usr/local/bin docker/docker
+RUN curl -fsSL https://github.com/docker/compose/releases/download/$DOCKER_COMPOSE_VERSION/docker-compose-linux-armv7 > /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose
+
+# Install Podman and Buildah, configure fuse-overlayfs as mount_program
+#
+# In rootless mode, without the CAP_SYS_ADMIN capability, many kernels prevent
+# mounting of overlay file systems, requiring you to specify a mount_program. The
+# mount_program option is also required on systems where the underlying storage
+# is btrfs, aufs, zfs, overlay, or ecryptfs based file systems. mount_program =
+# "/usr/bin/fuse-overlayfs"
+# - https://github.com/containers/buildah/issues/3666#issuecomment-1349687679
+# - https://github.com/containers/storage/blob/main/docs/containers-storage.conf.5.md
+#
+# netavark is a required dependency to run `buildah bud`.
+RUN apk add --no-cache buildah netavark fuse-overlayfs fuse
+# Set up environment variables to note that this is not starting with user
+# namespace and default to isolate the filesystem with chroot.
+# https://developers.redhat.com/blog/2019/08/14/best-practices-for-running-buildah-in-a-container
+ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot
+# https://docs.podman.io/en/latest/markdown/podman.1.html#note-unsupported-file-systems-in-rootless-mode
+RUN sed -i 's/#mount_program/mount_program/' /etc/containers/storage.conf
+# fuse: device not found, try 'modprobe fuse' first
+# https://github.com/containers/podman/blob/main/troubleshooting.md#24-podman-container-images-fail-with-fuse-device-not-found-when-run
+RUN mkdir -p /etc/modules.load.d
+RUN echo fuse > /etc/modules.load.d/fuse.conf
+# Configure missing subuid/subgids for rootless podman builds
+# https://docs.podman.io/en/latest/markdown/podman.1.html#rootless-mode
+RUN echo jenkins:10000:65536 >> /etc/subuid
+RUN echo jenkins:10000:65536 >> /etc/subgid
+
+USER ${user}
+
+LABEL \
+ org.opencontainers.image.vendor="Jenkins project" \
+ org.opencontainers.image.title="Official Jenkins Agent Base Docker image" \
+ org.opencontainers.image.description="This is an image for Jenkins agents using TCP or WebSockets to establish inbound connection to the Jenkins controller" \
+ org.opencontainers.image.version="${VERSION}" \
+ org.opencontainers.image.url="https://www.jenkins.io/" \
+ org.opencontainers.image.source="https://github.com/jenkinsci/docker-agent" \
+ org.opencontainers.image.licenses="MIT"
+
+ENTRYPOINT ["/usr/local/bin/jenkins-agent"]
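Review bot: The three remote artifacts this image installs are never integrity-checked: the `ADD` of `remoting-${VERSION}.jar` in the `agent` stage, and the two `curl` downloads of the Docker client and docker-compose in the `inbound-agent` stage. A tampered or truncated download would therefore be baked into a CI agent that runs builds. The `curl … | tar` line also runs under the default `/bin/sh`, because the `SHELL [… "pipefail" …]` setting applies only to the `jre-build` stage, so a failed `curl` is not what fails that step. I would pin a SHA-256 per artifact and verify it before installing, downloading to a file instead of piping, as sketched below with placeholder digests. Separately, `COPY --from=jre-build /opt/jdk-21.0.3_9` is hard-coded while `JAVA_VERSION` defaults to `17.0.11_9`; assuming the install script writes to `/opt/jdk-${JAVA_VERSION}` as the `PATH` line suggests, a build without `--build-arg JAVA_VERSION=21.0.3_9` would fail at that `COPY`.

```dockerfile
ARG VERSION=3248.v65ecb_254c298
# Placeholder: set to the SHA-256 you have verified for remoting-${VERSION}.jar.
ARG REMOTING_SHA256=REPLACE_WITH_VERIFIED_SHA256
# … unchanged: ADD of remoting-${VERSION}.jar to /usr/share/jenkins/agent.jar …
RUN echo "${REMOTING_SHA256}  /usr/share/jenkins/agent.jar" | sha256sum -c - \
 && chmod 0644 /usr/share/jenkins/agent.jar \
 && ln -sf /usr/share/jenkins/agent.jar /usr/share/jenkins/slave.jar

# … unchanged: JAVA_HOME setup, volumes, labels, jenkins-agent script install …

ARG DOCKER_VERSION=26.0.2
ARG DOCKER_COMPOSE_VERSION=v2.27.0
# Placeholders: set to the SHA-256 values verified for these exact versions and architectures.
ARG DOCKER_SHA256=REPLACE_WITH_VERIFIED_SHA256
ARG DOCKER_COMPOSE_SHA256=REPLACE_WITH_VERIFIED_SHA256
RUN curl -fsSL -o /tmp/docker.tgz "https://download.docker.com/linux/static/stable/armhf/docker-${DOCKER_VERSION}.tgz" \
 && echo "${DOCKER_SHA256}  /tmp/docker.tgz" | sha256sum -c - \
 && tar --strip-components=1 -xz -f /tmp/docker.tgz -C /usr/local/bin docker/docker \
 && rm /tmp/docker.tgz
RUN curl -fsSL -o /usr/local/bin/docker-compose "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-armv7" \
 && echo "${DOCKER_COMPOSE_SHA256}  /usr/local/bin/docker-compose" | sha256sum -c - \
 && chmod +x /usr/local/bin/docker-compose
```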
diff --git a/docker/docker-jenkins-inbound-agent/README b/docker/docker-jenkins-inbound-agent/README
@@ -8,9 +8,6 @@ Change the uid/gid to be unique. Create a unique user jenkins on the Nomad
agents and assign this user a unique uid/gid that is only used for Jenkins
Docker builds.
-Example (based on the jenkinsci/docker-inbound-agents example above):
-* https://github.com/jenkinsci/docker-agent/compare/master...in0rdr:docker-agent:debug/podman_x86_64
-
== Jenkins requirements ==
docker-workflow plugin:
@@ -221,9 +218,6 @@ rebuild a Jenkins agent image with that particular UID/GID.
To build the Jenkins agent docker container for the purposes of using it in
Nomad:
- git clone https://github.com/jenkinsci/docker-agent.git docker-agent.git
- cd docker-agent.git
-
# change the uid/gid
buildah bud --no-cache --arch arm64/v8 --build-arg=JAVA_VERSION=21.0.3_9 \
--build-arg=uid=1312 --build-arg=gid=1312 -f alpine/Dockerfile \