Joey Yi Zhao

Reputation: 42684

How to set volume permission in docker container for non-root user

I am launching a jenkins docker container for CI work, and the host OS I am using is CoreOS. Inside the jenkins container I also installed docker-cli in order to run builds on docker containers on the host system. To do that, I use the configuration below to mount /var/run on the jenkins container to map the Docker socket:

volumes:
  - /jenkins/data:/var/jenkins_home
  - /var/run/docker.sock:/var/run/docker.sock:rw

When I launch the container and run a docker command, I get the error below:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.29/containers/json: dial unix /var/run/docker.sock: connect: permission denied

/var/run has root permissions but my user is jenkins. How can I solve the permission issue to allow the jenkins user to use the docker command through the mapped socket?

I have tried the command below, but the container doesn't allow me to run sudo:

$ sudo usermod -a -G docker jenkins

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

Upvotes: 1

Views: 3595

Answers (1)

larsks

Reputation: 312868

There's nothing magical about permissions in Docker: they work just like permissions outside of Docker. That is, if you want a user to have access to a file (like /var/run/docker.sock), then either that file needs to be owned by the user, or they need to be a member of the appropriate group, or the permissions on the file need to permit access to anybody.

Exposing /var/run/docker.sock to a non-root user is a little tricky, because typical solutions (just chown/chmod things from inside the container) will potentially break things on your host.

I suspect the best solution may be:

  • Ensure that /var/run/docker.sock on your host is group-writable (e.g., create a docker group on your host and make sure that users in that group can use Docker).
  • Pass the numeric group id of your docker group into the container as an environment variable.
  • Have an ENTRYPOINT script in your container that runs as root and (a) creates a group with a matching numeric gid, (b) modifies the jenkins user to be a member of that group, and then (c) execs your docker CMD as the jenkins user.

So, your entrypoint script might look something like this (assuming that you have passed in a value for $DOCKER_GROUP_ID in your docker-compose.yml):

#!/bin/sh
set -e

# Create a group whose numeric gid matches the host's docker group
groupadd -g "$DOCKER_GROUP_ID" docker
usermod -a -G docker jenkins

# Drop privileges and run the container's CMD as the jenkins user
exec runuser -u jenkins -- "$@"

You would need to copy this into your image and add the appropriate ENTRYPOINT directive to your Dockerfile.

You may not have the runuser command. You can accomplish something similar using sudo or su or other similar commands.

Upvotes: 2
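The three steps above, written out as a complete entrypoint script. This is an added example, not larsks's script and not part of the Jenkins image: it assumes the image has a `jenkins` user, that the host socket is mounted at /var/run/docker.sock, and that at least one of gosu, runuser or su is installed. The `DOCKER_SOCKET` and `APP_USER` variables are this example's own names, and the fallback that reads the gid straight off the mounted socket with `stat -c %g` goes beyond the answer, which only passes the gid in as `DOCKER_GROUP_ID`. It also handles the case the short script does not: a group inside the container already owning that gid, where `groupadd` would fail.

```shell
#!/bin/sh
# Added example entrypoint (not the answer's script). Assumes a "jenkins" user
# in the image, the socket bind-mounted at /var/run/docker.sock, and one of
# gosu, runuser or su available to drop privileges.
set -eu

SOCKET="${DOCKER_SOCKET:-/var/run/docker.sock}"   # example's own variable name
APP_USER="${APP_USER:-jenkins}"                   # example's own variable name

# Return 0 only if $1 is a non-empty string of digits (a usable numeric gid).
validate_gid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read /etc/group-formatted lines on stdin; print the name of the group whose
# gid is $1 and return 0, or print nothing and return 1 if no group has it.
group_name_for_gid() {
  awk -F: -v gid="$1" '$3 == gid { print $1; found = 1; exit } END { exit !found }'
}

# Decide which gid to grant: an explicit DOCKER_GROUP_ID (as in the answer)
# wins; otherwise read the group owner of the mounted socket. The stat
# fallback is an extension of the answer, not something it describes.
resolve_docker_gid() {
  if [ -n "${DOCKER_GROUP_ID:-}" ]; then
    printf '%s\n' "$DOCKER_GROUP_ID"
  elif [ -S "$SOCKET" ]; then
    stat -c %g "$SOCKET"
  else
    return 1
  fi
}

# Make $APP_USER a member of the group with gid $1, creating a "docker" group
# only if no group in the container already uses that gid.
grant_socket_group() {
  gid="$1"
  if name=$(group_name_for_gid "$gid" < /etc/group); then
    echo "entrypoint: gid $gid already belongs to group '$name'"
  else
    name=docker
    groupadd -g "$gid" "$name"
  fi
  usermod -a -G "$name" "$APP_USER"
}

# Replace this process with the CMD running as $APP_USER, using whichever
# privilege-dropping tool the image provides. "--" keeps a CMD that starts
# with "-" from being parsed as an option.
run_as_app_user() {
  if command -v gosu >/dev/null 2>&1; then
    exec gosu "$APP_USER" "$@"
  elif command -v runuser >/dev/null 2>&1; then
    exec runuser -u "$APP_USER" -- "$@"
  else
    exec su -s /bin/sh -c 'exec "$0" "$@"' "$APP_USER" -- "$@"
  fi
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    # Already non-root (e.g. started with --user): nothing to adjust, just run.
    exec "$@"
  fi
  gid=$(resolve_docker_gid) || {
    echo "entrypoint: no DOCKER_GROUP_ID set and no socket at $SOCKET" >&2; exit 1; }
  validate_gid "$gid" || {
    echo "entrypoint: '$gid' is not a numeric gid" >&2; exit 1; }
  grant_socket_group "$gid"
  run_as_app_user "$@"
}

# Act as the entrypoint only when run as a script by this name; sourcing the
# file elsewhere just defines the functions above.
case "${0##*/}" in
  jenkins-entrypoint.sh) main "$@" ;;
esac
```

Copy the file into the image as /usr/local/bin/jenkins-entrypoint.sh, set `ENTRYPOINT ["/usr/local/bin/jenkins-entrypoint.sh"]` in the Dockerfile, and pass `DOCKER_GROUP_ID` through `environment:` in docker-compose.yml. The script checks the gid before touching anything, so a typo in the compose file fails the container start instead of silently creating a group with the wrong id.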
