laughingman7743 · June 6, 2016 14:10
diff --git a/Dockerfile_alpine b/Dockerfile_alpine
 # The MIT License
 #
 #  Copyright (c) 2015, CloudBees, Inc.
 #
 #  Permission is hereby granted, free of charge, to any person obtaining a copy
 #  of this software and associated documentation files (the "Software"), to deal
 #  in the Software without restriction, including without limitation the rights
 #  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 #  copies of the Software, and to permit persons to whom the Software is
 #  furnished to do so, subject to the following conditions:
 #
 #  The above copyright notice and this permission notice shall be included in
 #  all copies or substantial portions of the Software.
 #
 #  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 #  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 #  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 #  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 #  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 #  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 #  THE SOFTWARE.

 FROM java:8-jdk-alpine

 ENV PATH=/usr/local/bin:/usr/bin:$PATH \
    HOME=/home/jenkins

 COPY ./wrapdocker /usr/local/bin/wrapdocker
 COPY ./jenkins-slave /usr/local/bin/jenkins-slave

 RUN apk --update add \
    sudo \
    bash \
    iptables \
    ca-certificates \
    e2fsprogs \
    docker \
    curl \
    && chmod +x /usr/local/bin/wrapdocker \
    && chmod +x /usr/local/bin/jenkins-slave \
    && curl --create-dirs -sSLo /usr/share/jenkins/slave.jar http://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/2.52/remoting-2.52.jar \
    && chmod 755 /usr/share/jenkins \
    && chmod 644 /usr/share/jenkins/slave.jar \
    && rm -rf /var/cache/apk/* \
    && addgroup -g 1000 jenkins \
    && adduser -D -g jenkins -G docker -u 1000 -h $HOME jenkins \
    && echo "jenkins ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

 VOLUME /var/lib/docker
 VOLUME /home/jenkins
 WORKDIR /home/jenkins
 USER jenkins

 ENTRYPOINT ["jenkins-slave"]
diff --git a/Dockerfile_ubuntu b/Dockerfile_ubuntu
 # The MIT License
 #
 #  Copyright (c) 2015, CloudBees, Inc.
 #
 #  Permission is hereby granted, free of charge, to any person obtaining a copy
 #  of this software and associated documentation files (the "Software"), to deal
 #  in the Software without restriction, including without limitation the rights
 #  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 #  copies of the Software, and to permit persons to whom the Software is
 #  furnished to do so, subject to the following conditions:
 #
 #  The above copyright notice and this permission notice shall be included in
 #  all copies or substantial portions of the Software.
 #
 #  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 #  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 #  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 #  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 #  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 #  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 #  THE SOFTWARE.

 FROM ubuntu:14.04

 ENV HOME=/home/jenkins \
    JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64

 COPY ./wrapdocker /usr/local/bin/wrapdocker
 COPY ./jenkins-slave /usr/local/bin/jenkins-slave

 RUN apt-get update -qq && apt-get install -qqy \
    sudo \
    apt-transport-https \
    ca-certificates \
    curl \
    lxc \
    iptables \
    software-properties-common \
    python-software-properties \
    && add-apt-repository ppa:openjdk-r/ppa \
    && apt-get update -qq && apt-get install -qqy openjdk-8-jdk \
    && chmod +x /usr/local/bin/wrapdocker \
    && chmod +x /usr/local/bin/jenkins-slave \
    && curl -sSL https://get.docker.com/ | sh \
    && curl --create-dirs -sSLo /usr/share/jenkins/slave.jar http://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/2.52/remoting-2.52.jar \
    && chmod 755 /usr/share/jenkins \
    && chmod 644 /usr/share/jenkins/slave.jar \
    && groupadd -g 1000 jenkins \
    && useradd -u 1000 -g jenkins -G docker -c "Jenkins user" -d $HOME -m jenkins \
    && echo "jenkins ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
    && rm -rf /var/lib/apt/lists/*

 VOLUME /var/lib/docker
 VOLUME /home/jenkins
 WORKDIR /home/jenkins
 USER jenkins

 ENTRYPOINT ["jenkins-slave"]
diff --git a/jenkins-slave b/jenkins-slave
 #!/bin/bash

 # The MIT License
 #
 #  Copyright (c) 2015, CloudBees, Inc.
 #
 #  Permission is hereby granted, free of charge, to any person obtaining a copy
 #  of this software and associated documentation files (the "Software"), to deal
 #  in the Software without restriction, including without limitation the rights
 #  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 #  copies of the Software, and to permit persons to whom the Software is
 #  furnished to do so, subject to the following conditions:
 #
 #  The above copyright notice and this permission notice shall be included in
 #  all copies or substantial portions of the Software.
 #
 #  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 #  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 #  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 #  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 #  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 #  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 #  THE SOFTWARE.

 # Usage jenkins-slave.sh [options] -url http://jenkins SECRET SLAVE_NAME
 # Optional environment variables :
 # * JENKINS_TUNNEL : HOST:PORT for a tunnel to route TCP traffic to jenkins host, when jenkins can't be directly accessed over network
 # * JENKINS_URL : alternate jenkins URL

 sudo wrapdocker &

 if [[ $# -eq 1 ]]; then

    # if `docker run` only has one arguments, we assume user is running alternate command like `bash` to inspect the image
    exec "$@"

 else

    # if -tunnel is not provided try env vars
    if [[ "$@" != *"-tunnel "* ]]; then
        if [[ ! -z "$JENKINS_TUNNEL" ]]; then
            TUNNEL="-tunnel $JENKINS_TUNNEL"
        fi
    fi

    if [[ ! -z "$JENKINS_URL" ]]; then
        URL="-url $JENKINS_URL"
    fi

    exec java $JAVA_OPTS -cp /usr/share/jenkins/slave.jar hudson.remoting.jnlp.Main -headless $TUNNEL $URL "$@"
 fi
diff --git a/wrapdocker b/wrapdocker
 #!/bin/bash

 # Ensure that all nodes in /dev/mapper correspond to mapped devices currently loaded by the device-mapper kernel driver
 dmsetup mknodes

 # First, make sure that cgroups are mounted correctly.
 CGROUP=/sys/fs/cgroup
 : {LOG:=stdio}

 [ -d $CGROUP ] ||
 	mkdir $CGROUP

 mountpoint -q $CGROUP ||
 	mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || {
 		echo "Could not make a tmpfs mount. Did you use --privileged?"
 		exit 1
 	}

 if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
 then
    mount -t securityfs none /sys/kernel/security || {
        echo "Could not mount /sys/kernel/security."
        echo "AppArmor detection and --privileged mode might break."
    }
 fi

 # Mount the cgroup hierarchies exactly as they are in the parent system.
 for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
 do
        [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS
        mountpoint -q $CGROUP/$SUBSYS ||
                mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS

        # The two following sections address a bug which manifests itself
        # by a cryptic "lxc-start: no ns_cgroup option specified" when
        # trying to start containers withina container.
        # The bug seems to appear when the cgroup hierarchies are not
        # mounted on the exact same directories in the host, and in the
        # container.

        # Named, control-less cgroups are mounted with "-o name=foo"
        # (and appear as such under /proc/<pid>/cgroup) but are usually
        # mounted on a directory named "foo" (without the "name=" prefix).
        # Systemd and OpenRC (and possibly others) both create such a
        # cgroup. To avoid the aforementioned bug, we symlink "foo" to
        # "name=foo". This shouldn't have any adverse effect.
        echo $SUBSYS | grep -q ^name= && {
                NAME=$(echo $SUBSYS | sed s/^name=//)
                ln -s $SUBSYS $CGROUP/$NAME
        }

        # Likewise, on at least one system, it has been reported that
        # systemd would mount the CPU and CPU accounting controllers
        # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
        # but on a directory called "cpu,cpuacct" (note the inversion
        # in the order of the groups). This tries to work around it.
        [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
 done

 # Note: as I write those lines, the LXC userland tools cannot setup
 # a "sub-container" properly if the "devices" cgroup is not in its
 # own hierarchy. Let's detect this and issue a warning.
 grep -q :devices: /proc/1/cgroup ||
 	echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
 grep -qw devices /proc/1/cgroup ||
 	echo "WARNING: it looks like the 'devices' cgroup is not mounted."

 # Now, close extraneous file descriptors.
 pushd /proc/self/fd >/dev/null
 for FD in *
 do
 	case "$FD" in
 	# Keep stdin/stdout/stderr
 	[012])
 		;;
 	# Nuke everything else
 	*)
 		eval exec "$FD>&-"
 		;;
 	esac
 done
 popd >/dev/null


 # If a pidfile is still around (for example after a container restart),
 # delete it so that docker can start.
 rm -rf /var/run/docker.pid

 # If we were given a PORT environment variable, start as a simple daemon;
 # otherwise, spawn a shell as well
 if [ "$PORT" ]
 then
 	exec docker daemon -H 0.0.0.0:$PORT -H unix:///var/run/docker.sock \
 		$DOCKER_DAEMON_ARGS
 else
 	if [ "$LOG" == "file" ]
 	then
 		docker daemon $DOCKER_DAEMON_ARGS &>/var/log/docker.log &
 	else
 		docker daemon $DOCKER_DAEMON_ARGS &
 	fi
 	(( timeout = 60 + SECONDS ))
 	until docker info >/dev/null 2>&1
 	do
 		if (( SECONDS >= timeout )); then
 			echo 'Timed out trying to connect to internal docker host.' >&2
 			break
 		fi
 		sleep 1
 	done
 	[[ $1 ]] && exec "$@"
 	exec bash --login
 fi
	# The MIT License
	#
	# Copyright (c) 2015, CloudBees, Inc.
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in
	# all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
	# THE SOFTWARE.

	FROM java:8-jdk-alpine

	ENV PATH=/usr/local/bin:/usr/bin:$PATH \
	HOME=/home/jenkins

	COPY ./wrapdocker /usr/local/bin/wrapdocker
	COPY ./jenkins-slave /usr/local/bin/jenkins-slave

	RUN apk --update add \
	sudo \
	bash \
	iptables \
	ca-certificates \
	e2fsprogs \
	docker \
	curl \
	&& chmod +x /usr/local/bin/wrapdocker \
	&& chmod +x /usr/local/bin/jenkins-slave \
	&& curl --create-dirs -sSLo /usr/share/jenkins/slave.jar http://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/2.52/remoting-2.52.jar \
	&& chmod 755 /usr/share/jenkins \
	&& chmod 644 /usr/share/jenkins/slave.jar \
	&& rm -rf /var/cache/apk/* \
	&& addgroup -g 1000 jenkins \
	&& adduser -D -g jenkins -G docker -u 1000 -h $HOME jenkins \
	&& echo "jenkins ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

	VOLUME /var/lib/docker
	VOLUME /home/jenkins
	WORKDIR /home/jenkins
	USER jenkins

	ENTRYPOINT ["jenkins-slave"]
	#!/bin/bash

	# The MIT License
	#
	# Copyright (c) 2015, CloudBees, Inc.
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in
	# all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
	# THE SOFTWARE.

	# Usage jenkins-slave.sh [options] -url http://jenkins SECRET SLAVE_NAME
	# Optional environment variables :
	# * JENKINS_TUNNEL : HOST:PORT for a tunnel to route TCP traffic to jenkins host, when jenkins can't be directly accessed over network
	# * JENKINS_URL : alternate jenkins URL

	sudo wrapdocker &

	if [[ $# -eq 1 ]]; then

	# if `docker run` only has one arguments, we assume user is running alternate command like `bash` to inspect the image
	exec "$@"

	else

	# if -tunnel is not provided try env vars
	if [[ "$@" != "-tunnel " ]]; then
	if [[ ! -z "$JENKINS_TUNNEL" ]]; then
	TUNNEL="-tunnel $JENKINS_TUNNEL"
	fi
	fi

	if [[ ! -z "$JENKINS_URL" ]]; then
	URL="-url $JENKINS_URL"
	fi

	exec java $JAVA_OPTS -cp /usr/share/jenkins/slave.jar hudson.remoting.jnlp.Main -headless $TUNNEL $URL "$@"
	fi
	#!/bin/bash

	# Ensure that all nodes in /dev/mapper correspond to mapped devices currently loaded by the device-mapper kernel driver
	dmsetup mknodes

	# First, make sure that cgroups are mounted correctly.
	CGROUP=/sys/fs/cgroup
	: {LOG:=stdio}

	[ -d $CGROUP ] \|\|
	mkdir $CGROUP

	mountpoint -q $CGROUP \|\|
	mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP \|\| {
	echo "Could not make a tmpfs mount. Did you use --privileged?"
	exit 1
	}

	if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
	then
	mount -t securityfs none /sys/kernel/security \|\| {
	echo "Could not mount /sys/kernel/security."
	echo "AppArmor detection and --privileged mode might break."
	}
	fi

	# Mount the cgroup hierarchies exactly as they are in the parent system.
	for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
	do
	[ -d $CGROUP/$SUBSYS ] \|\| mkdir $CGROUP/$SUBSYS
	mountpoint -q $CGROUP/$SUBSYS \|\|
	mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS

	# The two following sections address a bug which manifests itself
	# by a cryptic "lxc-start: no ns_cgroup option specified" when
	# trying to start containers withina container.
	# The bug seems to appear when the cgroup hierarchies are not
	# mounted on the exact same directories in the host, and in the
	# container.

	# Named, control-less cgroups are mounted with "-o name=foo"
	# (and appear as such under /proc/<pid>/cgroup) but are usually
	# mounted on a directory named "foo" (without the "name=" prefix).
	# Systemd and OpenRC (and possibly others) both create such a
	# cgroup. To avoid the aforementioned bug, we symlink "foo" to
	# "name=foo". This shouldn't have any adverse effect.
	echo $SUBSYS \| grep -q ^name= && {
	NAME=$(echo $SUBSYS \| sed s/^name=//)
	ln -s $SUBSYS $CGROUP/$NAME
	}

	# Likewise, on at least one system, it has been reported that
	# systemd would mount the CPU and CPU accounting controllers
	# (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
	# but on a directory called "cpu,cpuacct" (note the inversion
	# in the order of the groups). This tries to work around it.
	[ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
	done

	# Note: as I write those lines, the LXC userland tools cannot setup
	# a "sub-container" properly if the "devices" cgroup is not in its
	# own hierarchy. Let's detect this and issue a warning.
	grep -q :devices: /proc/1/cgroup \|\|
	echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
	grep -qw devices /proc/1/cgroup \|\|
	echo "WARNING: it looks like the 'devices' cgroup is not mounted."

	# Now, close extraneous file descriptors.
	pushd /proc/self/fd >/dev/null
	for FD in *
	do
	case "$FD" in
	# Keep stdin/stdout/stderr
	[012])
	;;
	# Nuke everything else
	*)
	eval exec "$FD>&-"
	;;
	esac
	done
	popd >/dev/null


	# If a pidfile is still around (for example after a container restart),
	# delete it so that docker can start.
	rm -rf /var/run/docker.pid

	# If we were given a PORT environment variable, start as a simple daemon;
	# otherwise, spawn a shell as well
	if [ "$PORT" ]
	then
	exec docker daemon -H 0.0.0.0:$PORT -H unix:///var/run/docker.sock \
	$DOCKER_DAEMON_ARGS
	else
	if [ "$LOG" == "file" ]
	then
	docker daemon $DOCKER_DAEMON_ARGS &>/var/log/docker.log &
	else
	docker daemon $DOCKER_DAEMON_ARGS &
	fi
	(( timeout = 60 + SECONDS ))
	until docker info >/dev/null 2>&1
	do
	if (( SECONDS >= timeout )); then
	echo 'Timed out trying to connect to internal docker host.' >&2
	break
	fi
	sleep 1
	done
	[[ $1 ]] && exec "$@"
	exec bash --login
	fi