How to find out which user is accessing /var/run/docker.sock that will cause permission denied error

二次信任 提交于 2020-08-26 04:35:11

问题


This question is different from the following questions:

Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock Because they didn't consider jenkins to be installed as docker container, here I don't have jenkins user to give that user access to this file.

And also from this one docker.sock permission denied Because I don't know which user I got this error for, Here the user root has access to this file but the error happened again.

Here's my problem:

I want to run docker jenkinsci/blueocean image using following command on ubuntu:

docker container run \
  --name jenkins-blueocean \
  --rm \
  --detach \
  --publish 8181:8080 \
  --publish 50000:50000 \
  --volume jenkins-data:/var/jenkins_home \
  --volume jenkins-docker-certs:/certs/client:ro \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  jenkinsci/blueocean

After running jenkins on dokcer container when I use agent as follows:

agent {
        docker {
            image 'maven:3-alpine'
        }
}

I got following error:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/create?fromImage=maven&tag=3-alpine: dial unix /var/run/docker.sock: connect: permission denied

Here when I use this command it will solve the problem:

chmod 777 /var/run/docker.sock

But I don't want to permit all users to access this socket because of security vulnerabilities.

I should also say that the current user is root and it has access to /var/run/docker.sock

Here are some useful information:

echo $USER
root

ls -ls /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 24 14:56 /var/run/docker.sock

groups
root docker

Which user should I permit access to this file? jenkins is run on container and there is no jenkins user on my system, How can I find out which user is trying to access this socket file /var/run/docker.sock and consequently I got this error?


回答1:


If you look at the Dockerfile for jenkinsci/blueocean, for example, 1.23.2. You can see that the "jenkins" user is uid 1000 and gid 1000. It is these IDs that have to match for volume access, not the username.

Rather than granting uid/gid 1000 access to /var/run/docker.sock on the host, perhaps it would be better to run the container as the user/group that has permission. You can check that with id -u root and id -g docker, then use that with your docker run command, for example (assuming root uid is 0), docker run -u 0 .... See the doc page for more examples of how to use -u/--user. If you're running as the same uid as root in the container, you probably won't have a problem, but if if that is a different id, you may run into issues as other uids might be missing necessary configuration to be able to run the Jenkins stuff correctly.

If you really want to go the route of changing /var/run/docker.sock, then the answer would be to create a group with gid 1000 and add root to that group I guess.




回答2:


According to the Jenkins downloading-and-running-jenkins-in-docker documentation:

4. In order to execute Docker commands inside Jenkins nodes, download and run the docker:dind

Docker in Docker(dind) allows Docker engine to run as a Container inside Docker - which is the kind of inception that feels intuitive to do.

I just reproduced and just worked just fine for me with these commands(I also included --privileged in the launch options. Not sure if it is mandatory):

docker container prune -f;
docker container run   --name jenkins-docker     --detach   --privileged   --network jenkins   --network-alias docker   --env DOCKER_TLS_CERTDIR=/certs   --volume jenkins-docker-certs:/certs/client   --volume jenkins-data:/var/jenkins_home   --publish 2376:2376   docker:dind;
docker container run   --name jenkins-blueocean   --rm   --detach  --privileged   --network jenkins   --env DOCKER_HOST=tcp://docker:2376   --env DOCKER_CERT_PATH=/certs/client   --env DOCKER_TLS_VERIFY=1   --publish 8080:8080   --publish 50000:50000   --volume jenkins-data:/var/jenkins_home   --volume jenkins-docker-certs:/certs/client:ro   jenkinsci/blueocean

However, at the very top of the dind repo README.md you can find the following statement that strongly discourages the setup described above(thanks @David Maze for pointing this):

If you came here because you would like to run a testing system like Jenkins in a container, and want that container to spin up more containers, then please read this blog post first. Thank you!


I personally use it in my own playground from home, where I often do wipe everything anyway, on my own risk.


回答3:


This repo may contain solution to your problem, I had tried it recently and it works fine. Keep in mind though that jenkinsci/blueocean image is outdated one and is currently deprecated by Jenkins.

In case you prefer using official jenkins/jenkins image, utilizing docker.sock communication - you may find solutions by posting your question to Jenkins Docker packaging and plugin channel



来源:https://stackoverflow.com/questions/63075375/how-to-find-out-which-user-is-accessing-var-run-docker-sock-that-will-cause-per

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!