rogger2016

Reputation: 939

Jenkins dial unix /var/run/docker.sock: connect: permission denied MacOS

I'm running Jenkins locally and have docker installed on my machine as well.

I have a Jenkins job that uses a Jenkins file to

  1. Build a maven project
  2. Build a docker image
  3. Deploy to docker hub.

I have all the docker plugins installed in Jenkins but when the Build step is executed I get...

Got permission denied while trying to connect to the Docker daemon 
socket at unix:///var/run/docker.sock: Post 
http://%2Fvar%2Frun%2Fdocker.sock/v1.39/build?
buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&session=w6ypm3t1b0qefyxh9omfvntru&shmsize=0&t=app-web&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied

I can't seem to change permissions on

lrwxr-xr-x   1 macuser          staff              72 Jun 30 20:36 docker.sock -> /Users/john/Library/Containers/com.docker.docker/Data/docker.sock

Any help greatly appreciated.

Upvotes: 2

Views: 4452

Answers (2)

BMitch

Reputation: 263637

With Docker for Mac, inside the container you'll find the docker socket is owned by root (this is part of the embedded LinuxKit VM). I use the following entrypoint inside of my Jenkins container, and run the entrypoint as root, to automatically reconfigure the docker group inside the container to match the group id of the socket file, and then drop from root to the jenkins user before running the Jenkins application itself. This has the advantage of being portable, able to run on any desktop or server environment, without hard coding the docker GID into the container:

#!/bin/sh

# By: Brandon Mitchell <[email protected]>
# License: MIT
# Source Repo: https://github.com/sudo-bmitch/jenkins-docker

set -x

# configure script to call original entrypoint
set -- tini -- /usr/local/bin/jenkins.sh "$@"

# In Prod, this may be configured with a GID already matching the container
# allowing the container to be run directly as Jenkins. In Dev, or on unknown
# environments, run the container as root to automatically correct docker
# group in container to match the docker.sock GID mounted from the host.
if [ "$(id -u)" = "0" ]; then
  # get gid of docker socket file
  SOCK_DOCKER_GID=`ls -ng /var/run/docker.sock | cut -f3 -d' '`

  # get group of docker inside container
  CUR_DOCKER_GID=`getent group docker | cut -f3 -d: || true`

  # if they don't match, adjust
  if [ ! -z "$SOCK_DOCKER_GID" -a "$SOCK_DOCKER_GID" != "$CUR_DOCKER_GID" ]; then
    groupmod -g ${SOCK_DOCKER_GID} -o docker
  fi
  if ! groups jenkins | grep -q docker; then
    usermod -aG docker jenkins
  fi
  # Add call to gosu to drop from root user to jenkins user
  # when running original entrypoint
  set -- gosu jenkins "$@"
fi

# replace the current pid 1 with original entrypoint
exec "$@"

You can find the full example, including the Dockerfile to install docker and gosu inside the image, at: https://github.com/sudo-bmitch/jenkins-docker

The same concept is in a fix-perms script in my base image that can be applied to other scenarios: https://github.com/sudo-bmitch/docker-base

Upvotes: 1

Mostafa Hussein

Reputation: 11940

Your main problem is that the user being used through Jenkins, probably named jenkins, does not have enough permission to run docker.

So you basically need to make the user join the staff group.

I answered this question a few days ago; the second half of the answer is what you are looking for: How to add user to a group from Mac OS X command line?

Please test it and let me know if it does not work for you, with the output you got while trying to add the user to the staff group.

Upvotes: 2
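Both answers depend on the Jenkins user belonging to the group that owns the socket file. The script below is an added example, not code from either answer: it follows the `docker.sock` symlink, reads the owning GID and mode of the target, and reports whether a given group list grants access through the group bits. The function names and the default path and user handling are assumptions, and owner or root access is not considered.

```shell
#!/bin/sh
# Added example: does a group list grant access to the Docker socket?
# Function names and the default path/user handling are assumptions.

# Numeric GID of PATH's target (-L follows the macOS docker.sock symlink).
# GNU/BusyBox stat takes -c, BSD/macOS stat takes -f; try both.
path_gid() {
  stat -L -c '%g' "$1" 2>/dev/null || stat -L -f '%g' "$1" 2>/dev/null
}

# Octal permission bits of PATH's target, e.g. 660.
path_mode() {
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# socket_access PATH "GID GID ..." prints one of:
#   ok | missing | no-group-write:MODE | not-in-group:GID
socket_access() {
  gid=$(path_gid "$1") || { echo "missing"; return 1; }
  mode=$(path_mode "$1") || { echo "missing"; return 1; }
  # connect() on a unix socket needs write permission on the socket file
  if [ $(( (0$mode >> 3) & 2 )) -eq 0 ]; then
    echo "no-group-write:$mode"; return 1
  fi
  for g in $2; do
    if [ "$g" = "$gid" ]; then echo "ok"; return 0; fi
  done
  echo "not-in-group:$gid"; return 1
}

# Usage: sh check-sock.sh [socket-path] [user]
sock=${1:-/var/run/docker.sock}
user=${2:-$(id -un)}
if [ -e "$sock" ]; then
  socket_access "$sock" "$(id -G "$user")"
fi
```

`id -G USER` reads the group database, so an already running Jenkins process keeps its old group list until it is restarted.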
