Jenkins / JENKINS-51646

Pipeline does not resolve credentials symlinks

      Description

      Given these two Jenkinsfiles, the one with the cp of the credentials file will be read when trying to do a docker push of a signed image using the private key; however, if we were to symlink to the credentials file, it would not be found when trying to push a signed image.

      // Variant 1: the trust key is symlinked into ~/.docker/trust/private.
      node('master') {
        stage('Push to private registry') {
          withCredentials([
            string(credentialsId: 'repo_passphrase', variable: 'SIGNED_PASSPHRASE'),
            file(credentialsId: 'docker_pw', variable: 'DOCKER_PW'),
            file(credentialsId: 'trust_key', variable: 'TRUST_KEY')]) {
            withEnv([
              'DOCKER_CONTENT_TRUST=1',
              'DOCKER_CONTENT_TRUST_SERVER=https://privateregistry:4443',
              // Must match the variable bound by withCredentials above.
              "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${SIGNED_PASSPHRASE}"]) {
              sh "mkdir -p ${HOME}/.docker/trust/private"
              // Symlink to the temporary credentials file instead of copying it.
              sh "ln -s ${TRUST_KEY} ${env.HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
              sh 'cat ${DOCKER_PW} | docker login privateregistry.com --username jenkins --password-stdin'
              sh "docker push privateregistry.com/library/image:${env.BUILD_ID}"
              sh 'docker logout privateregistry.com'
              sh "rm ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
            }
          }
        }
      }


      // Variant 2: the trust key is copied into ~/.docker/trust/private.
      node('master') {
        stage('Push to private registry') {
          withCredentials([
            string(credentialsId: 'repo_passphrase', variable: 'SIGNED_PASSPHRASE'),
            file(credentialsId: 'docker_pw', variable: 'DOCKER_PW'),
            file(credentialsId: 'trust_key', variable: 'TRUST_KEY')]) {
            withEnv([
              'DOCKER_CONTENT_TRUST=1',
              'DOCKER_CONTENT_TRUST_SERVER=https://privateregistry:4443',
              "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${SIGNED_PASSPHRASE}"]) {
              // POSIX test ([ ]) so the step also works when sh is not bash.
              sh "if [ -d ${HOME}/.docker ]; then rm -rf ${HOME}/.docker; fi"
              sh "mkdir -p ${HOME}/.docker/trust/private"
              // Copy the temporary credentials file as a regular file.
              sh "cp ${TRUST_KEY} ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
              sh 'ls -lah ${HOME}/.docker/trust/private/'
              sh 'cat ${DOCKER_PW} | docker login privateregistry.com --username jenkins --password-stdin'
              sh "docker push privateregistry.com/library/image:${BUILD_ID}"
              sh 'docker logout privateregistry.com'
              sh "rm ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
            }
          }
        }
      }

          Activity

          zackq Zhi Qiang Chin added a comment -

          This has to do with the way Docker CLI interprets symlinks; there are some security issues when Docker CLI tries to resolve symlinks. As such, this has nothing to do with Jenkins.

          Closing issue.
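
As an added example (not part of the issue and not Jenkins or Docker project code), a shell helper that a pipeline `sh` step could source to stage the trust key as a regular, owner-only file, which is the variant that worked in the report, and to list symlinks left in the trust directory. The function names and the `TRUST_DIR` variable are assumptions for illustration; the default path is the one used in the Jenkinsfiles above.

```shell
#!/bin/sh
# Added example: stage a Docker Content Trust key as a regular file.
# TRUST_DIR and all function names are hypothetical; the default path
# mirrors the directory used in the Jenkinsfiles in this issue.
TRUST_DIR="${TRUST_DIR:-$HOME/.docker/trust/private}"

# Print every symlink in the trust directory (the kind of entry that
# was not picked up in the report), one path per line.
list_symlinked_keys() {
    for f in "$TRUST_DIR"/*; do
        [ -L "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Copy key file $1 into TRUST_DIR with owner-only permissions and
# print the staged path. Fails if the source is missing.
stage_trust_key() {
    src=$1
    [ -f "$src" ] || { echo "key not found: $src" >&2; return 1; }
    dest="$TRUST_DIR/$(basename "$src")"
    (
        umask 077                       # dir 0700, file 0600 from creation
        mkdir -p "$TRUST_DIR" || exit 1
        rm -f "$dest"                   # never write through a stale symlink
        cp "$src" "$dest"               # cp follows $src, result is a regular file
    ) || return 1
    chmod 600 "$dest"
    printf '%s\n' "$dest"
}

# Remove the staged copy; call from a trap so it also runs on failure,
# e.g. trap 'unstage_trust_key "$TRUST_KEY"' EXIT
unstage_trust_key() {
    rm -f "$TRUST_DIR/$(basename "$1")"
}
```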


            People

            • Assignee:
              ndeloof Nicolas De Loof
              Reporter:
              zackq Zhi Qiang Chin