Permission denied error invoking Docker on Mac host from inside Docker Ubuntu container as non-root user

前端 未结 3 1757

I\'m trying to invoke docker on my OSX host running Docker for Mac 17.06.0-ce-mac17 from inside a running jenkins docker container (jenkins:latest), per the procedure described

相关标签:
3条回答
  • 2021-02-15 17:33

    I got this working, at least automated but currently only working on docker for Mac. Docker for Mac has a unique file permission model. Chowning /var/run/docker.sock to the jenkins user manually works, and it persists across container restarts and even image regeneration, but not past docker daemon restarts. Plus, you can't do the chown in the Dockerfile because docker.sock doesn't exist yet, and you can't do it in the entrypoint because that runs as jenkins.

    So what I did was add jenkins to the "staff" group, because on my Mac, /var/run/docker.sock is symlinked down into /Users//Library/Containers/com.docker.docker/Data/‌​s60 and is uid and gid staff. This lets the jenkins user run docker commands on the host.

    Dockerfile:

    FROM jenkins:latest
    
    USER root
    
    RUN \
        apt-get update && \
        apt-get install -y build-essential && \
        apt-get clean && \
        rm -rf /var/lib/apt/lists/*
    
    COPY docker /usr/bin/docker
    
    # To allow us to access /var/run/docker.sock on the Mac
    RUN gpasswd -a jenkins staff
    
    USER jenkins
    
    ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]
    

    docker-compose.yml file:

    version: "3"
    services:
      jenkins:
        build: ./cd_jenkins
        image: cd_jenkins:latest
        ports:
          - "8080:8080"
          - "5000:5000"
        volumes:
          - ./jenkins_home:/var/jenkins_home
          - /var/run/docker.sock:/var/run/docker.sock
    

    This is, however, not portable to other systems (and depends on that docker for mac group staying "staff," which I imagine isn't guaranteed). I'd love suggested improvements to make this solution work across host systems. Other options suggested in questions like Execute docker host command inside jenkins docker container include:

    • Install sudo and let jenkins sudo and run all docker commands with sudo: adds security issues
    • "Add jenkins to the docker group" - UNIX only and probably relies on matching up gids from host to container right?
    • Setuid'ing the included docker executable might work, but has the same security elevation issues as sudo.
    0 讨论(0)
  • 2021-02-15 17:34

    Another approach that worked for me - set the uid argument to the uid that owns /var/run/docker.sock (501 in my case). Not sure of the syntax for Dockerfile, but for docker-compose.yml, it's like this:

    version: 3
    services:
      jenkins:
        build:
          context: ./JENKINS
          dockerfile: Dockerfile
          args:
            uid: 501
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        ...
    

    Note this is based on using a Dockerfile to build the jenkins image, so many details left out. The key bit here is the uid: 501 under args.

    0 讨论(0)
  • 2021-02-15 17:38

    Follow this: https://forums.docker.com/t/mounting-using-var-run-docker-sock-in-a-container-not-running-as-root/34390

    Basically, all you need to do is to change /var/run/docker.sock permissions inside your container and run the docker with sudo.

    I've created a Dockerfile that can be used to help:

    FROM jenkinsci/blueocean:latest
    
    USER root
    # change docker sock permissions after moutn
    RUN if [ -e /var/run/docker.sock ]; then chown jenkins:jenkins /var/run/docker.sock; fi
    
    0 讨论(0)
提交回复
热议问题