Accessing docker.sock from container
I am running a Jenkins Docker container from which I need to build and run Docker. The container is started using -v /var/run/docker.sock:/var/run/docker.sock. The problem is that I get access denied when Jenkins (from inside the container) tries to use it.
This is what I have tried so far with no luck:
- Create a jenkins user on the host and add it to the docker group.
- Start the Docker daemon with the parameter -G jenkins so that the socket belongs to the jenkins group and not docker. Jenkins runs as the user jenkins, who belongs to the jenkins group inside the container.
The only thing that worked was a "hack" that I don't like at all: I changed the jenkins group ID inside the container to match the group ID of docker.sock.
Any suggestion on how to solve this in a more elegant way would be appreciated.
This sounds like a basic Unix permissions issue. To access a file (or socket), you need to: (a) be root, or (b) have a numeric UID or GID that allows you access depending on the mode of the file.
If you are running something inside a container and you want it to have access to something on your host, you will either have to run the contents of the container as root, or you will have to work out a way to synchronize the UID/GID between the host and your container.
One way to work around the latter problem is to pass the target GID when starting the container and then use an ENTRYPOINT script to set up the appropriate users/groups before starting the CMD. Something like:
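    #!/bin/sh
    # If a host docker GID was passed in, create a matching group and add jenkins to it
    if [ -n "$DOCKER_GID" ]; then
        groupadd -g "$DOCKER_GID" hostdocker
        usermod -a -G hostdocker jenkins
    fi
    # Hand control to the container's CMD
    exec "$@"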
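A variant of the entrypoint approach in the answer above, added here as an example (not the answerer's code): instead of being passed DOCKER_GID, it reads the GID from the mounted socket and reuses a group that already has that GID. The names DOCKER_SOCK, GROUP_FILE, APP_USER, DRY_RUN and all function names are assumptions; it expects GNU or BusyBox stat and to be started as root.

```shell
#!/bin/sh
# Added example: entrypoint that derives the group from the mounted socket.
# Variable and function names are assumptions, not from the original answers.
SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
APP_USER="${APP_USER:-jenkins}"

# Print the numeric GID owning a path (GNU coreutils / BusyBox stat syntax).
owner_gid() { stat -c '%g' "$1"; }

# Print the name of the group with GID $1 in group(5) file $2, or nothing.
group_for_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }' "$2"
}

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Put $APP_USER in the group that has GID $1, creating "hostdocker" only
# when no group with that GID exists (groupadd would fail on a duplicate).
ensure_membership() {
    gid="$1"
    case "$gid" in
        ''|*[!0-9]*) echo "not a numeric GID: $gid" >&2; return 1 ;;
    esac
    name="$(group_for_gid "$gid" "$GROUP_FILE")"
    if [ -z "$name" ]; then
        name="hostdocker"
        run groupadd -g "$gid" "$name" || return 1
    fi
    run usermod -a -G "$name" "$APP_USER"
}

main() {
    if [ -S "$SOCK" ]; then
        ensure_membership "$(owner_gid "$SOCK")" || exit 1
    fi
    # Hand over to the CMD, as the answer's script does.
    exec "$@"
}

# Only act when a CMD was passed, so the file can also be sourced for testing.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Setting DRY_RUN=1 prints the groupadd/usermod commands instead of running them. Membership in the socket's group gives the jenkins user full control of the host's Docker daemon, which is equivalent to root on the host.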
You can create a custom image with a jenkins user who has the host's docker GID. This can be called bad, as it is not portable:
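    FROM jenkins
    USER root
    # 999 is hardcoded and must match the GID of the docker group on the host
    RUN groupadd -g 999 hostdocker && usermod -G hostdocker -a jenkins
    # Install the Docker client binary so Jenkins can talk to the mounted socket
    RUN wget https://get.docker.io/builds/Linux/x86_64/docker-1.7.1 -O /usr/local/bin/docker && chmod +x /usr/local/bin/docker
    USER jenkins
    ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]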