Jenkins in docker with access to host docker

Front-end · Unresolved · 3 · 1934
星月不相逢 2021-01-02 01:14

I have a workflow as follows for publishing webapps to my dev server. The server has a single docker host and I'm using docker-compose for managing containers.

Related tags:
3 answers
  • 2021-01-02 01:28

    I ran into the same issues. I ended up giving Jenkins passwordless sudo privileges because of the GID problem. I wrote more about this here: https://blog.container-solutions.com/running-docker-in-jenkins-in-docker

    This doesn't really affect security as having docker privileges is effectively equivalent to sudo rights.

  • 2021-01-02 01:40

    Please take a look at this docker file I just posted: https://github.com/bdruemen/jenkins-docker-uid-from-volume/blob/master/gid-from-volume/Dockerfile

    Here the GID is extracted from a mounted volume (host directory), with

        stat -c '%g' <VOLUME-PATH>

    Then the GID of the group of the container user is changed to the same value with

        groupmod -g <GID> <GROUPNAME>

    This has to be done as root, but then root privileges are dropped with

        gosu <USERNAME> <COMMAND>

    Everything is done in the ENTRYPOINT, so the real GID is unknown until you run

        docker run -d -v <HOST-DIRECTORY>:<VOLUME-PATH> ...

    Note that after changing the GID, there might be other files in the container no longer accessible for the process, so you might need a

        chgrp -R <GROUPNAME> <SOME-PATH>

    before the gosu command.

    You can also change the UID, see my answer here Changing the user's uid in a pre-build docker container (jenkins) and maybe you want to change both to increase security.

  • 2021-01-02 01:48

    My previous answer was more generic, telling how you can modify the GID inside the container at runtime. Now, by coincidence, one of my close colleagues asked for a jenkins instance that can do docker development, so I created this:

        # Parent image already aligns the jenkins UID with the mounted volume
        FROM bdruemen/jenkins-uid-from-volume
        # Install the docker client and make "docker" the primary group of jenkins
        RUN apt-get -yqq update && apt-get -yqq install docker.io && usermod -g docker jenkins
        VOLUME /var/run/docker.sock
        # At start-up (as root): give the docker group the socket's GID, give jenkins
        # the UID of the mounted home directory, then drop root before starting Jenkins
        ENTRYPOINT groupmod -g $(stat -c "%g" /var/run/docker.sock) docker && usermod -u $(stat -c "%u" /var/jenkins_home) jenkins && gosu jenkins /bin/tini -- /usr/local/bin/jenkins.sh

    (The parent Dockerfile is the same one I have described in my answer to: Changing the user's uid in a pre-build docker container (jenkins))

    To use it, mount both jenkins_home and docker.sock:

        docker run -d -v /home/jenkins:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock <IMAGE>

    The jenkins process in the container will have the same UID as the mounted host directory. Assuming the docker socket is accessible to the docker group on the host, there is a group created in the container, also named docker, with the same GID.

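As an added example (not code from any of the answers above), here is an entrypoint script that covers the case the one-line ENTRYPOINT does not: the socket's GID may already belong to another group inside the container, where `groupmod -g` fails with "GID already in use" and the user should join that group instead. It assumes GNU stat, shadow-utils (groupmod/usermod) and gosu as in the answers; the function names and the ENTRYPOINT_MODE guard are my own.

```shell
#!/bin/sh
# Added example: align the container "docker" group with the host socket's GID
# before dropping root. Assumes GNU stat, groupmod/usermod and gosu.
set -eu

# Print the name of the group in GROUP_FILE that owns GID, or nothing.
group_name_for_gid() {
    group_file=$1; gid=$2
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file"
}

# Decide how to give TARGET_GROUP (e.g. docker) the socket's GID.
# Prints one of: "noop", "modify", "join:<existing-group>".
plan_gid_alignment() {
    group_file=$1; gid=$2; target=$3
    owner=$(group_name_for_gid "$group_file" "$gid")
    if [ "$owner" = "$target" ]; then
        echo noop              # already aligned
    elif [ -z "$owner" ]; then
        echo modify            # GID is free: groupmod -g succeeds
    else
        echo "join:$owner"     # GID taken: add the user to that group instead
    fi
}

# Apply the plan for the real socket (must run as root), then drop privileges.
align_and_drop() {
    sock=$1; user=$2; target=$3; shift 3
    [ -S "$sock" ] || { echo "no docker socket at $sock" >&2; exit 1; }
    gid=$(stat -c '%g' "$sock")
    case $(plan_gid_alignment /etc/group "$gid" "$target") in
        noop)   ;;
        modify) groupmod -g "$gid" "$target" ;;
        join:*) usermod -aG "$(group_name_for_gid /etc/group "$gid")" "$user" ;;
    esac
    exec gosu "$user" "$@"
}

# Only run the privileged part when used as the image entrypoint, so the
# helper functions can be sourced and exercised without root.
if [ "${ENTRYPOINT_MODE:-}" = 1 ]; then
    align_and_drop /var/run/docker.sock jenkins docker \
        /bin/tini -- /usr/local/bin/jenkins.sh
fi
```

In the image, set `ENV ENTRYPOINT_MODE=1` and `ENTRYPOINT ["/entrypoint.sh"]`; the join branch still needs the user's session to start after the group change, which `gosu` handles because it re-reads group membership at exec time.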