Reputation: 42684
I am launching a jenkins docker container for CI work. The host OS I am using is CoreOS. Inside the jenkins container, I also installed docker-cli in order to run builds on docker containers in the host system. In order to do that, I use the configuration below to mount /var/run/docker.sock on the jenkins container for the mapped Docker socket:
volumes:
  - /jenkins/data:/var/jenkins_home
  - /var/run/docker.sock:/var/run/docker.sock:rw
When I launch the container and run a docker command, I get the error below:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.29/containers/json: dial unix /var/run/docker.sock: connect: permission denied
The /var/run directory has root permissions but my user is jenkins. How can I solve the permission issue to allow the jenkins user to use the docker command through the mapped socket?
I have tried the command below but the container doesn't allow me to run sudo:
$ sudo usermod -a -G docker jenkins
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
Upvotes: 1
Views: 3595
Reputation: 312868
There's nothing magical about permissions in Docker: they work just like permissions outside of Docker. That is, if you want a user to have access to a file (like /var/run/docker.sock), then either that file needs to be owned by the user, or they need to be a member of the appropriate group, or the permissions on the file need to permit access to anybody.
Exposing /var/run/docker.sock to a non-root user is a little tricky, because typical solutions (just chown/chmod things from inside the container) will potentially break things on your host.
I suspect the best solution may be:
1. Make sure /var/run/docker.sock on your host is group-writable (e.g., create a docker group on your host and make sure that users in that group can use Docker).
2. Pass the GID of the docker group into the container as an environment variable.
3. Have your entrypoint script exec your docker CMD as the jenkins user.
So, your entrypoint script might look something like this (assuming that you have passed in a value for $DOCKER_GROUP_ID in your docker-compose.yml):
#!/bin/sh
# Create a group inside the container with the same GID as the host's docker group
groupadd -g "$DOCKER_GROUP_ID" docker
# Give the jenkins user membership in that group so it can write to the socket
usermod -a -G docker jenkins
# Drop privileges and run the container's CMD as jenkins
exec runuser -u jenkins -- "$@"
You would need to copy this into your image and add the appropriate ENTRYPOINT directive to your Dockerfile.
You may not have the runuser command. You can accomplish something similar using sudo or su or other similar commands.
Upvotes: 2
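An added example, not part of the answer above, that turns its three steps into an entrypoint script and also handles two failure cases the answer does not cover: a group with the socket's GID already existing in the image (where groupadd -g would fail), and a socket owned by group root. The function names and the RUN_ENTRYPOINT variable are assumptions of this example; DOCKER_GROUP_ID is the variable from the answer, and when it is unset the GID is read from the bind-mounted socket itself.

```shell
#!/bin/sh
# Added entrypoint helper (not from the answer): aligns a container group
# with the GID of the bind-mounted docker socket, then drops to jenkins.
# Assumes Linux in the container (GNU stat, groupadd/usermod/runuser).
# Anyone who can write to docker.sock effectively has root on the host,
# so keep membership of that group limited to the jenkins user.

# Numeric GID owning the given file or socket.
socket_gid() {
    stat -c '%g' "$1"
}

# Name of the group with GID $1 in group file $2 (default /etc/group);
# prints nothing when no group has that GID.
group_name_for_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }' "${2:-/etc/group}"
}

# Decide what to do for GID $1: "reuse <name>" if a group with that GID
# already exists (groupadd -g would fail with "GID already exists"),
# otherwise "create docker".
plan_group() {
    name=$(group_name_for_gid "$1" "$2")
    if [ -n "$name" ]; then
        echo "reuse $name"
    else
        echo "create docker"
    fi
}

# The real entrypoint: needs root in the container; execs the CMD as jenkins.
# DOCKER_GROUP_ID (as in the answer) wins; otherwise the GID comes from the socket.
setup_and_exec() {
    sock=/var/run/docker.sock
    gid=${DOCKER_GROUP_ID:-$(socket_gid "$sock")}
    if [ "$gid" -eq 0 ]; then
        echo "$sock is owned by group root; create a docker group on the host first" >&2
        exit 1
    fi
    plan=$(plan_group "$gid")
    group=${plan#* }
    if [ "${plan%% *}" = create ]; then groupadd -g "$gid" "$group"; fi
    usermod -a -G "$group" jenkins
    exec runuser -u jenkins -- "$@"
}

# Only run the privileged part when explicitly asked (e.g. from ENTRYPOINT).
if [ "${RUN_ENTRYPOINT:-0}" = 1 ]; then
    setup_and_exec "$@"
fi
```

Set RUN_ENTRYPOINT=1 in the Dockerfile's ENV (or the compose file) so the ENTRYPOINT actually performs the setup; without it the script only defines the functions.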