Accessing docker.sock from container

I am running a jenkins docker container from which I need to build and run docker. The container is started using -v /var/run/docker.sock:/var/run/docker.sock. The problem is that I get access denied when jenkins (from inside the container) tries to use it.

This is what I have tried so far with no luck:

  • Create a jenkins user on the host and add it to the docker group.
  • Start the docker daemon with the parameter -G jenkins so that the socket belongs to the jenkins group and not docker. Jenkins runs with user jenkins who belongs to the jenkins group inside the container.

The only thing that worked was a "hack" that I don't like at all: I changed the jenkins group id inside the container to match the group id of docker.sock.

Any suggestion on how to solve this in a more elegant way would be appreciated.

+3




3 answers


This sounds like a basic Unix permissions issue. To access a file (or socket), you need to: (a) be root, or (b) have a numeric UID or GID that allows you access depending on the mode of the file.

If you are running something inside a container and you want it to have access to something on your host, you will either have to run the contents inside the container as root, or you will have to work out a synchronization of uid / gid between the host and your container.



One way to work around the last problem is to pass the target GID when starting the container and then use an ENTRYPOINT script to set up the appropriate users / groups before starting the CMD. Something like:

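#!/bin/sh
# Entrypoint: if the host's docker GID was passed in, create a matching
# group and add jenkins to it, then run the CMD.
if [ -n "$DOCKER_GID" ]; then
    groupadd -g "$DOCKER_GID" hostdocker
    usermod -a -G hostdocker jenkins
fi

exec "$@"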

      

+3
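
A variant of the entrypoint approach above that reads the GID from the mounted socket instead of requiring DOCKER_GID, and reuses a group that already has that GID. This is an added example, not part of the original answer; the function names, the DRY_RUN switch and the refusal of GID 0 are choices of this example.

```sh
#!/bin/sh
# Added example, not from the answers. Assumes a Linux image that provides
# stat -c, groupadd and usermod, and an entrypoint that starts as root.

# Numeric GID owning path $1; a bind-mounted socket keeps the host's GID.
owner_gid() {
    stat -c '%g' "$1"
}

# Name of the group with GID $1 in group file $2 (default /etc/group), if any.
group_name_for_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }' "${2:-/etc/group}"
}

# With DRY_RUN set, print the command instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Add user $1 to the group with GID $2, creating "hostdocker" (the name used
# in the answer) only when no group has that GID yet.
grant_gid_to_user() {
    user=$1 gid=$2 groupfile=${3:-/etc/group}
    case $gid in
        ''|*[!0-9]*) echo "invalid gid: '$gid'" >&2; return 1 ;;
        0) echo "socket group is gid 0; not adding $user to it" >&2; return 1 ;;
    esac
    name=$(group_name_for_gid "$gid" "$groupfile")
    if [ -z "$name" ]; then
        name=hostdocker
        run groupadd -g "$gid" "$name" || return 1
    fi
    run usermod -a -G "$name" "$user"
}

# Entrypoint use (run as root, then start the CMD as in the answer):
#   sock=/var/run/docker.sock
#   [ -S "$sock" ] && grant_gid_to_user jenkins "$(owner_gid "$sock")"
#   exec "$@"
```

Membership of the socket's group lets that user drive the host's Docker daemon, which is why the example adds only the one named user and refuses GID 0.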




I had similar problems and ended up just giving the jenkins user sudo rights without a password. This meant that I had to prefix all docker commands with sudo, but it works and is portable across hosts.



0




You can create a custom image with a jenkins user who has the docker GID. This can be called bad, as it is not portable:

FROM jenkins

USER root

# 999 must match the GID that owns docker.sock on the host
RUN groupadd -g 999 hostdocker && usermod -G hostdocker -a jenkins
# Install the docker client binary
RUN wget https://get.docker.io/builds/Linux/x86_64/docker-1.7.1 -O /usr/local/bin/docker && chmod +x /usr/local/bin/docker

USER jenkins

ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]

      

0








