Resolving an error calling Docker on Mac from inside a Docker Ubuntu container as a non-root user

I am trying to invoke docker on my OSX host running Docker for Mac 17.06.0-ce-mac17 from inside a downloaded jenkins docker container (jenkins:latest), according to the procedure described at http://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/.

I mount /var/run/docker.sock in the container and insert the docker Ubuntu binary inside it, and it can execute, but from within the container as user "jenkins", when I run for example "docker ps", I get

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.30/containers/json?all=1: dial unix /var/run/docker.sock: connect: permission denied

If I connect to the container as root (docker exec -u 0) it works though.

I need the jenkins user to be able to run this. I tried to add a docker group and add jenkins to it inside the Ubuntu container, but that didn't help, as it has nothing to do with the host, and Docker for Mac doesn't work like running this on Linux, where you can do simple uid/gid matching. I want to distribute this container, so answers that go and hack part of my Docker for Mac installation won't really help me. I would rather not run the entire jenkins installation as root if I can help it. (I also tried starting the container as privileged, which didn't help.)

As recommended in "Permission Denied when trying to connect to Docker Daemon while running Jenkins pipeline on Macbook", I chowned the /var/run/docker.sock file inside the container manually to jenkins, and now jenkins can run docker. But I am having trouble finding a solution for a distributable container: I cannot do this in the Dockerfile because the file does not exist yet, and adding it to the entrypoint does not help because that runs as jenkins.

What do I need to do to create and run an image that will run external docker containers on my Mac as a non-root user from within the container?

+4


2 answers


I got this working, at least in an automated way, but it currently only works on Docker for Mac. Docker for Mac has a unique file system model. Chowning /var/run/docker.sock to the jenkins user manually works, and it persists across container restarts and even image rebuilds, but not through a fresh docker run. Also, you cannot chown in the Dockerfile because docker.sock does not exist yet, and you cannot do it in the entrypoint because that runs as jenkins.

So I added jenkins to the "staff" group, because on my Mac /var/run/docker.sock is symlinked to /Users//Library/Containers/com.docker.docker/Data/S60 and has the staff uid and gid. This allows the jenkins user to run docker commands on the host.

Dockerfile:

FROM jenkins:latest

USER root

RUN \
    apt-get update && \
    apt-get install -y build-essential && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Linux docker CLI binary from the build context; it only talks to the
# mounted socket, no daemon runs inside the container
COPY docker /usr/bin/docker

# To allow us to access /var/run/docker.sock on the Mac
RUN gpasswd -a jenkins staff

USER jenkins

ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]

docker-compose.yml file:

version: "3"
services:
  jenkins:
    build: ./cd_jenkins
    image: cd_jenkins:latest
    ports:
      - "8080:8080"
      - "5000:5000"
    volumes:
      - ./jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock

It is, however, not portable to other systems (and it depends on the docker socket's group being "staff", which I think is not guaranteed). I would welcome suggestions for improvements to make this solution work on different systems. Other options suggested in questions like "Run docker host command in jenkins docker container" include:

  • Install sudo, give jenkins sudo rights and run all docker commands with sudo: adds security concerns.
  • "Add jenkins to the docker group": UNIX only, and probably relies on the gids matching properly from host to container?
  • Setuid'ing the included docker executable might work, but has the same security issues as sudo.
0


Follow this: https://forums.docker.com/t/mounting-using-var-run-docker-sock-in-a-container-not-running-as-root/34390

Basically all you have to do is change the permissions of /var/run/docker.sock inside your container and start docker with sudo.



I've created a Dockerfile that can be used to help:

FROM jenkinsci/blueocean:latest

USER root
# change docker sock permissions after mount
# (the chown only runs if the socket exists when this RUN step executes)
RUN if [ -e /var/run/docker.sock ]; then chown jenkins:jenkins /var/run/docker.sock; fi

0
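Both answers above adjust who may open the mounted socket: the first by adding jenkins to a group that happens to own the socket on one particular Mac, the second by chowning the socket in the Dockerfile, where the socket is not yet mounted. The following is an added example, not code from the question or from either answer: a container entrypoint that, at start-up rather than build time, reads the gid of the socket on whatever host it is running on, makes the service user a member of a group with that gid (reusing an existing group if one already has that gid), and only then drops root. It assumes a Debian-based image with groupadd/usermod, that gosu is installed in the image for the privilege drop, and that the socket is bind-mounted at /var/run/docker.sock; the variable names DOCKER_SOCK, APP_USER and NEW_GROUP, the group name "dockerhost" and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the question or either answer): a container
# entrypoint that, at start-up, makes the unprivileged service user a member
# of whatever group owns the mounted Docker socket, then drops privileges.
# Assumptions: Debian-based image (groupadd/usermod from the shadow suite),
# gosu installed for the privilege drop, socket bind-mounted at $DOCKER_SOCK.
# Nothing here is specific to Docker for Mac.
set -eu

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
APP_USER="${APP_USER:-jenkins}"
NEW_GROUP="${NEW_GROUP:-dockerhost}"   # used only if no group owns the gid yet

# Numeric gid owning a path; GNU stat first, BSD stat as fallback.
sock_gid() {
    stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# Name of the group that already has gid $1 in the group database passed as
# text in $2 (normally the contents of /etc/group); prints nothing if none.
group_for_gid() {
    printf '%s\n' "$2" | awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# Decide what to do for gid $1 given group database $2. Prints one of:
#   refuse        gid 0: membership in root's group is far broader than the socket
#   reuse NAME    a group with that gid already exists; add the user to it
#   create NAME   no group has that gid; create NEW_GROUP with it
plan_for_gid() {
    gid="$1"
    if [ "$gid" = 0 ]; then
        echo refuse
        return 0
    fi
    name=$(group_for_gid "$gid" "$2")
    if [ -n "$name" ]; then
        echo "reuse $name"
    else
        echo "create $NEW_GROUP"
    fi
}

# Apply the plan as root. Only /etc/group inside the container changes; the
# socket itself is never chowned, so the host side is left untouched.
grant_socket_access() {
    gid=$(sock_gid "$DOCKER_SOCK")
    plan=$(plan_for_gid "$gid" "$(cat /etc/group)")
    case "$plan" in
        refuse)
            echo "refusing: $DOCKER_SOCK is owned by gid 0; fix its ownership on the host" >&2
            return 1 ;;
        "reuse "*)
            usermod -aG "${plan#reuse }" "$APP_USER" ;;
        "create "*)
            groupadd -g "$gid" "${plan#create }"
            usermod -aG "${plan#create }" "$APP_USER" ;;
    esac
}

main() {
    if [ "$(id -u)" = 0 ]; then
        if [ -S "$DOCKER_SOCK" ]; then
            grant_socket_access
        else
            echo "warning: $DOCKER_SOCK not mounted; the docker CLI will not work" >&2
        fi
        # gosu calls initgroups(3), so the new supplementary group takes effect.
        exec gosu "$APP_USER" "$@"
    fi
    exec "$@"   # already unprivileged: nothing to fix, just run the command
}

# Only act when a command was supplied (an ENTRYPOINT always supplies one).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

To use it, leave the image running as root (no trailing USER jenkins) and put the script in front of the existing entrypoint, e.g. ENTRYPOINT ["/entrypoint.sh", "/bin/tini", "--", "/usr/local/bin/jenkins.sh"]; the script edits /etc/group and then execs the real process as jenkins. Two caveats: when the socket's gid already belongs to some unrelated group in the image, "reuse" also grants whatever else that group owns, so check the name it picks; and membership in the socket's group is equivalent to root on the host regardless of how it is granted, so restrict who can trigger jobs on this Jenkins.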