#Jenkins Integration and CentOS 8

Hey, I was looking at migrating our tests over to Dagger, and I ran into an issue that I wasn't sure how to solve. We run our tests on a local Jenkins server running in Docker. We've manually installed Python3.10, and mounted docker and docker socket into the contianer. We then try to run our Dagger based CI using the following Jenkin's pipeline

pipeline {
    agent any

    stages {
        stage('build image') {
            steps {
                git branch: 'master', url: 'https://github.com/robertu94/libpressio'

                sh '''#!/bin/bash
                python3.10 -m venv workenv;
                . ./workenv/bin/activate;
                pip3.10 install "dagger-io";
                python3.10 ./ci/test.py
                '''
            }
        }
    }
}

However, I get a permissions error on /.cache/dagger. Is there some setup step that I missed?

Here is the backtrace.

@tough hornet On my machine, that .cache/dagger directory is under the user's homedir. Here's mine under my homedir ~:

~ ➤ ls ~/.cache/dagger
dagger-engine-session-9ad18aca71b1b1ba

So it looks like maybe your shell user has homedir set to / aka root of the filesystem, but they don't have permission to write there: /.cache/dagger

Is there a way to put this in a specified directory (e.g. WORKSPACE/.cache or /tmp)

dagger tries to use the $XDG_CACHE_HOME env variable to find / download the CLI. If that variable is not set, it falls back to $HOME for that.

@tough hornet you can set any of those variables to make dagger use a different dir

Even just in your Jenkinsfile in the shell invocation, perhaps:

sh '''#!/bin/bash
python3.10 -m venv workenv;
. ./workenv/bin/activate;
pip3.10 install "dagger-io";
export XDG_CACHE_HOME=${env.WORKSPACE}
python3.10 ./ci/test.py
'''

https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#:~:text=or Pipeline project.-,Using environment variables,-Jenkins Pipeline exposes

I think that worked!

Ok this got me past my permissions issues, but now I have a different one.

The dagger engine is in an infinite crash loop. I am binding both docker and the docker socket into the container running Jenkins, but I get the same error if I try to run the docker engine using the same command on the host. I've also confirmed that I get the same error running outside of the container.

I've confirmed that fuse-overlayfs is installed in both places as well as modprobe

I'm running on a CentOS 8 host with SELinux in permissive mode.

I get the same error on the host running the same pipeline.

I've uninstalled podman and am using actual Docker 23.0.1

@slate rampart, does it look like something related to the network changes for the services API?

Jenkins Integration and CentOS 8

can you run iptables -t nat -S --wait on the host? Additionally, can you run lsmod | grep tables and share the result please?. cc @tough hornet

This looks normal to me.

@rocky vector

@tough hornet can you add --security-opt seccomp=unconfined to your docker run and check if that helps?

@rocky vector same exact error as before. (modulo the timestamps).

ok, one last try. How about disabling apparmor? --security-opt apparmor=unconfined

No apparmor on CentOS.

And just to confirm, I get the same error message.

👍 can you try running this on the host and giving it another shot pleasea?

sudo modprobe iptable_filter
sudo modprobe iptable_nat

That seems to have fixed it. I'm currious as to why these kernel modules didn't load on-demand.

Let me try in the container next.

As a work around, I can add a directive on the host to load these modules on boot.,

yeah... CentOS has some strange behaviors about this. I recall having related issues in the past

Is there somewhere in the Docs, I could submit a PR on what we've found here?

I looked in the docs, but I didn't find anything/anywhere that seemed appropriate.

docker docs, you mean?

dagger.

Docker works fine for other containers.

Even networking things like nginx/plex.

that's because nginx doesn't use iptables. If you try to run anything that uses iptables inside the containers you'll get the same issue

this is not a dagger issue

openvpn would be an example for instance: https://github.com/kylemanna/docker-openvpn/issues/650#issuecomment-963003051

Got it.

Could we perhaps then document for dagger what kernel modules it requires?

Then the user could at least investigate if they were loaded?

sure, we can add this in the services checklist doc. cc @slate rampart

Ok. I ran into a few more permissions issues in the container. I needed to create /.docker and give the jenkins user access to it, but my CI is getting way farther than it has previously running in Jenkins. It takes about 1/2 an hour to bootstrap this so I 'll know then.

RE: Docs improvements. I have opened a GitHub issue to track improvements to the Jenkins integration docs. Please add comments and I'll keep it up-to-date. https://github.com/dagger/dagger/issues/4718

Ok. Everything seems to be working now including weekly cache invalidation. thanks everyone!