How to access /var/run/docker.sock from inside a docker container as a non-root user? (MacOS Host)

星月不相逢 2020-12-09 17:33

I have installed docker on Mac and everything is running fine. I am using a Jenkins docker image and running it. While using Jenkins as a CI server and to build further imag

3 Answers
  • 2020-12-09 17:46

    Add volume

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    

    and you will have access to socket

    0 Discussion (0)
  • 2020-12-09 18:03

    It looks like the reason this is happening is pretty straightforward: UNIX permissions are not letting the jenkins user read /var/run/docker.sock. Really the easiest option is to just change the group assignment on /var/run/docker.sock from root to another group, and then add jenkins to that group:

    [as root, inside the container]
    root@host:/# usermod -aG docker jenkins
    root@host:/# chgrp docker /var/run/docker.sock
    

    This assumes of course that you already have the docker CLI installed, and that a group called docker exists. If not:

    [as root, inside the container]
    root@host:/# groupadd docker
    

    Alternatively, you could change the world permissions on /var/run/docker.sock to allow non-root users to access the socket, but I wouldn't recommend doing that; it just seems like bad security practice. Similarly, you could outright chown the socket to the jenkins user, although I'd rather just change the group settings.


    I'm confused why using sudo didn't work for you. I just tried what I believe is exactly the setup you described and it worked without problems.

    Start the container:

    [on macos host]
    darkstar:~$ docker run \
                      -v /var/run/docker.sock:/var/run/docker.sock \
                      docker.io/jenkins/jenkins:lts
    darkstar:~$ docker exec -u root -it <container id> /bin/bash
    

    Install Docker CLI:

    [as root, inside container]
    root@host:/# apt-get update
    root@host:/# apt-get -y install apt-transport-https \
                                    ca-certificates \
                                    curl \
                                    gnupg2 \
                                    software-properties-common
    root@host:/# rel_id=$(. /etc/os-release; echo "$ID")
    root@host:/# curl -fsSL https://download.docker.com/linux/${rel_id}/gpg > /tmp/dkey
    root@host:/# apt-key add /tmp/dkey
    root@host:/# add-apt-repository \
                 "deb [arch=amd64] https://download.docker.com/linux/${rel_id} \
                  $(lsb_release -cs) stable"
    root@host:/# apt-get update
    root@host:/# apt-get -y install docker-ce
    

    Then set up the jenkins user:

    [as root, inside container]
    root@host:/# usermod -aG sudo jenkins
    root@host:/# passwd jenkins
    [...]
    

    And trying it out:

    [as jenkins, inside container]
    jenkins@host:/$ sudo docker ps -a
    [...]
    password for jenkins:
    
    CONTAINER ID        IMAGE                 COMMAND                  CREATED     ...
    69340bc13bb2        jenkins/jenkins:lts   "/sbin/tini -- /usr/…"   8 minutes ago ...
    

    It seems to work fine for me. Maybe you took a different route to install the Docker CLI? Not sure, but if you want to access the docker socket using sudo, those steps will work. Although, I think it would be easier to just change the group assignment as explained up above. Good luck :)


    Note: All tests performed using macOS Mojave v10.14.3 running Docker Engine v19.03.2. This doesn't seem to be heavily dependent on the host platform, so I would expect it to work on Linux or any other UNIX-like OS, including other versions of macOS/OSX.

    0 Discussion (0)
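As an added example (not part of the answer above), this script works out the smallest change for the group approach: it reads the mounted socket's mode and numeric group and reports whether the user is already covered, should join an existing group, or needs a group created with the socket's GID, and it flags a world-writable socket. Matching the GID inside the container avoids `chgrp`, which on a bind mount changes the shared socket file rather than a container-local copy. It assumes GNU `stat`, `id` and `getent` as found in a Debian-based image; the function names and result tokens are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original answers. Function names and result
# tokens are hypothetical. Assumes GNU stat, id and getent (Debian-based image).

# plan_access MODE SOCK_GID USER_GIDS GROUP_NAME
#   MODE        octal permission bits of the socket, e.g. 660
#   SOCK_GID    numeric group that owns the socket
#   USER_GIDS   space-separated numeric groups of the user (id -G)
#   GROUP_NAME  container group that has SOCK_GID, or empty if none
# Prints one token describing the smallest change that grants access.
plan_access() {
    mode=$1 sock_gid=$2 user_gids=$3 group_name=$4

    # Connecting to a UNIX socket needs write permission on it.
    case $mode in
        *[2367])  echo "world-writable"; return 0 ;;  # every user can connect
    esac
    case $mode in
        *[2367]?) ;;                                   # group may connect
        *)        echo "group-no-write"; return 0 ;;
    esac

    for gid in $user_gids; do
        if [ "$gid" = "$sock_gid" ]; then
            echo "already-member"; return 0
        fi
    done

    if [ -n "$group_name" ]; then
        echo "join:$group_name"          # usermod -aG <group> <user>
    else
        echo "create-group:$sock_gid"    # groupadd -g <gid> <name>, then join
    fi
}

# audit_socket SOCKET USER: collect the live values and print the plan.
audit_socket() {
    sock=$1 user=$2
    [ -S "$sock" ] || { echo "not-a-socket"; return 1; }
    mode=$(stat -c '%a' "$sock")
    sock_gid=$(stat -c '%g' "$sock")
    group_name=$(getent group "$sock_gid" | cut -d: -f1)
    plan_access "$mode" "$sock_gid" "$(id -G "$user")" "$group_name"
}

# Example: sh socket-plan.sh /var/run/docker.sock jenkins
if [ "$#" -eq 2 ]; then
    audit_socket "$1" "$2"
fi
```

Whichever group ends up with write access to the socket can drive the Docker daemon, so keep that group's membership as small as the build needs.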
  • 2020-12-09 18:06

    No, but this works:

    • Add the user (e.g. jenkins) to the staff-group: sudo dseditgroup -o edit -a jenkins -t user staff
    • Allow group to sudo, in sudo visudo add: %staff ALL = (ALL) ALL
    0 Discussion (0)