Permission denied error invoking Docker on Mac host from inside Docker Ubuntu container as non-root user


I'm trying to invoke docker on my OSX host running Docker for Mac 17.06.0-ce-mac17 from inside a running jenkins docker container (jenkins:latest), per the procedure described

3 answers
  • 2021-02-15 17:33

    I got this working, at least automated but currently only working on docker for Mac. Docker for Mac has a unique file permission model. Chowning /var/run/docker.sock to the jenkins user manually works, and it persists across container restarts and even image regeneration, but not past docker daemon restarts. Plus, you can't do the chown in the Dockerfile because docker.sock doesn't exist yet, and you can't do it in the entrypoint because that runs as jenkins.

    So what I did was add jenkins to the "staff" group, because on my Mac, /var/run/docker.sock is symlinked down into /Users//Library/Containers/com.docker.docker/Data/s60 and is uid and gid staff. This lets the jenkins user run docker commands on the host.

    Dockerfile:

    FROM jenkins:latest
    
    USER root
    
    RUN \
        apt-get update && \
        apt-get install -y build-essential && \
        apt-get clean && \
        rm -rf /var/lib/apt/lists/*
    
    COPY docker /usr/bin/docker
    
    # To allow us to access /var/run/docker.sock on the Mac
    RUN gpasswd -a jenkins staff
    
    USER jenkins
    
    ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]
    

    docker-compose.yml file:

    version: "3"
    services:
      jenkins:
        build: ./cd_jenkins
        image: cd_jenkins:latest
        ports:
          - "8080:8080"
          - "5000:5000"
        volumes:
          - ./jenkins_home:/var/jenkins_home
          - /var/run/docker.sock:/var/run/docker.sock
    

    This is, however, not portable to other systems (and depends on that docker for mac group staying "staff," which I imagine isn't guaranteed). I'd love suggested improvements to make this solution work across host systems. Other options suggested in questions like Execute docker host command inside jenkins docker container include:

    • Install sudo and let jenkins sudo and run all docker commands with sudo: adds security issues
    • "Add jenkins to the docker group" - UNIX only and probably relies on matching up gids from host to container right?
    • Setuid'ing the included docker executable might work, but has the same security elevation issues as sudo.
  • 2021-02-15 17:34

    Another approach that worked for me - set the uid argument to the uid that owns /var/run/docker.sock (501 in my case). Not sure of the syntax for Dockerfile, but for docker-compose.yml, it's like this:

    version: "3"
    services:
      jenkins:
        build:
          context: ./JENKINS
          dockerfile: Dockerfile
          args:
            uid: 501
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        ...
    

    Note this is based on using a Dockerfile to build the jenkins image, so many details left out. The key bit here is the uid: 501 under args.

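The two answers above come down to the same thing: give the in-container jenkins user the ids the socket actually has on the host, either by joining the group that owns it or by hard-coding its uid as a build argument. The script below is an added example, not code from either answer or from Jenkins. It reads the owner uid/gid of the symlink-resolved socket with GNU or BSD stat (so it works on both a Mac and a Linux host), turns them into --build-arg values, and prints a Dockerfile that consumes them. The base image jenkins/jenkins:lts, taking the client binary from the docker:cli image, and the fallback of joining an already-existing group when the gid is taken inside the image are my assumptions; the last one matters because Debian already uses gid 20 for dialout, which is the same number macOS uses for staff, so groupmod alone would fail there.

```shell
#!/bin/sh
# Added example: derive the socket owner's uid/gid on the host and feed them into the
# image build, instead of hard-coding 501 or the "staff" group.
set -eu

# Owner uid/gid of a path, following symlinks (on Docker for Mac /var/run/docker.sock is a
# symlink into ~/Library/Containers/com.docker.docker/...). GNU stat takes -c, BSD stat -f.
sock_uid() {
    stat -L -c '%u' "$1" 2>/dev/null || stat -L -f '%u' "$1"
}

sock_gid() {
    stat -L -c '%g' "$1" 2>/dev/null || stat -L -f '%g' "$1"
}

# --build-arg flags matching the ARG names in the Dockerfile below.
build_args() {
    printf '%s uid=%s %s gid=%s\n' --build-arg "$(sock_uid "$1")" --build-arg "$(sock_gid "$1")"
}

# Dockerfile consuming the two ARGs. Base image and the docker:cli source image are assumptions.
dockerfile() {
    cat <<'EOF'
FROM jenkins/jenkins:lts
ARG uid=1000
ARG gid=1000
USER root
# Docker client binary, taken from the official CLI image rather than copied from the host.
COPY --from=docker:cli /usr/local/bin/docker /usr/local/bin/docker
# Give the existing jenkins user the socket owner's ids. If the gid is already taken in the
# image (Debian's gid 20 is "dialout"; macOS "staff" is also 20) join that group instead of
# renumbering, then fix ownership of what the base image created under the old ids.
RUN set -eu; \
    if getent group "${gid}" >/dev/null; then \
        usermod -aG "$(getent group "${gid}" | cut -d: -f1)" jenkins; \
    else \
        groupmod -g "${gid}" jenkins; \
    fi; \
    usermod -u "${uid}" jenkins; \
    chown -R jenkins:jenkins /var/jenkins_home /usr/share/jenkins/ref
USER jenkins
EOF
}

# Usage: sh socket_ids.sh /var/run/docker.sock
# Writes ./cd_jenkins/Dockerfile and prints the build command to run.
if [ $# -gt 0 ]; then
    mkdir -p ./cd_jenkins
    dockerfile > ./cd_jenkins/Dockerfile
    echo "docker build $(build_args "$1") -t cd_jenkins:latest ./cd_jenkins"
fi
```

Whichever uid ends up able to write to the socket, it can ask the daemon to run a privileged container with the host filesystem mounted, so on a Linux host this is equivalent to root; matching ids makes the mount usable, it is not a security boundary between Jenkins jobs and the host.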
  • 2021-02-15 17:38

    Follow this: https://forums.docker.com/t/mounting-using-var-run-docker-sock-in-a-container-not-running-as-root/34390

    Basically, all you need to do is to change /var/run/docker.sock permissions inside your container and run the docker with sudo.

    I've created a Dockerfile that can be used to help:

    FROM jenkinsci/blueocean:latest
    
    USER root
    # change docker sock permissions after mount
    RUN if [ -e /var/run/docker.sock ]; then chown jenkins:jenkins /var/run/docker.sock; fi
    