Use docker inside docker with jenkins user #263
Comments
most likely you are mixing your container users/groups with the host users/groups, that have the same name but not the same uid/gid. |
It's quite likely that @carlossg is right about mixing container and host users and groups. Instead of mounting everything inside the Jenkins container, consider following https://docs.docker.com/engine/installation/linux/debian/ and building an image based on the Jenkins image but with Docker installed, i.e. by doing something like (untested):
Then you only need to mount |
@konradstrack
|
@lorenzvth7, please see #196 (comment). The gist of this is that as
... and then drop down to |
@konradstrack your solution seems to work on Ubuntu but not on CentOS |
@dweomer I don't know gosu.
jenkins.sh:
|
You don't need gosu. What you need is for the user |
I'm having the same problem, and tracked it down to the fact that the I can chmod the socket if I disable $ docker run -i -t jenkins /bin/bash Currently I'm unable to use this jenkins image to run docker containers, which seems to me something that definitely should work, has anyone managed to use it? thanks |
you must be using your own
|
Thanks for the reply, That's odd: if I run your command:
and if I run:
I dropped all the images on my local machine and ran your command and I get your same result... the file is not there. what could have happened? |
@DonGiulio Bad volume mount most likely. Long version: So, random guess: maybe you've used |
Closing. Docker in docker is a bad idea for a jenkins CI setup anyway |
@ndeloof ,
|
Actually, I'm able to successfully run the https://jenkins.io/doc/pipeline/tour/hello-world/
|
@ndeloof @laugimethods , this did not work at all for me. I ended up with the following:

docker-compose.yaml

```yaml
jenkins:
  build: jenkins
  volumes:
    - jenkins-master-data:/var/jenkins_home
    - /var/run/docker.sock:/var/run/docker.sock
    - /usr/bin/docker:/usr/bin/docker
```

jenkins dockerfile
|
@brthor I'm not saying running Jenkins in docker is a bad idea, I'm saying using docker-in-docker (https://github.com/jpetazzo/dind) is bad, with terrible infrastructure impacts. Prefer access to the underlying docker daemon from your jenkins container. |
Here are ready to use Jenkins & Blueocean Docker Images that can call the underlying docker daemon: https://github.com/Logimethods/docker-jenkins @brthor Could you explain your environment & what did not work for you with my solution? (so to try to fix it if possible) @ndeloof I agree with you that literally running docker inside docker is a bad idea... But it is not what we all expect. So, would you agree to reopen that issue after renaming it like "Using Docker FROM a Jenkins Container"? |
@ndeloof, please reconsider and reopen this issue. I agree with others here that this feature would be useful and it should just be a simple Dockerfile or jenkins.sh change. No one is talking about the old "docker in docker" scenario. We just want to use the docker client within jenkins and have this image automatically configure /var/run/docker.sock so that the jenkins user has access. |
I can't consider running a container as root as a "solution" |
@ndeloof , what do you mean by "as root"? |
yes, as you explicitly had to switch to root user to add some tools, it's clear you have to roll back to jenkins user. If the docker image has |
@ndeloof So, then, how could we run Declarative Pipelines made of Docker Agents (https://jenkins.io/doc/pipeline/tour/hello-world/)? Btw, that's probably my last comment.
|
@laugimethods declarative pipeline doesn't use "docker agent", it uses plain classic jenkins agent with a local docker daemon so it can run docker containers (DSL translates into docker-pipeline-plugin). Also, this isn't just a beauty consideration to prevent root usage, for official docker image we can't just let end-user shoot in their own foot. I guess most production users will anyway prefer to run their own baked jenkins docker image with adequate tools/version under their own control |
@brthor see
in setup like yours. Any ideas? |
You need the jenkins user to be in the "docker" group so it can access this socket. Start your container with |
Actually I gave the user permissions like this, but it didn't work somehow.
what helped is:
inside container. |
I am facing the exact same issue. How are we supposed to do that? I tried to run the first sample pipeline and it failed. It was really frustrating and disappointing. Any proper workaround? |
Thanks @laugimethods! |
@sudo-bmitch's example (https://github.com/sudo-bmitch/jenkins-docker) is the best/cleanest way I've been able to do this—I have tested in a build I'm using in a variety of environments (local Mac, local Windows, Ubuntu in AWS, Kubernetes in AKS, and Kubernetes in local VirtualBox with Debian). To be clear, to do DinD with Jenkins in Docker, you should:
Most of the other solutions I've seen in this thread are just too fragile or need a lot of weird conditions (or are outright dangerous, like setting su -s /bin/bash -c "/usr/local/bin/jenkins.sh" jenkins |
at your own peril. Actually way more dangerous than running jenkins as root. Or maybe you use some docker API proxy to limit the risks ?
Would be nice not to fully install docker, but only get the CLI. Jenkins image is already big ;)
Running container with |
This would be fairly trivial to add with the 18.09 packaging, so I pushed an update to do exactly that just now. (https://github.com/sudo-bmitch/jenkins-docker)
It does not. It will add a user to a group according to the GID already defined inside the container. It does not correct the GID of that group to match the GID of the host. In fact the group doesn't even need to exist on the host.
You do not need
Adding |
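The point made in the comments above (a group with the same name but a different GID gives no access to the mounted socket), as an added example that is not code from this thread or from the Jenkins image. The group files and the GIDs 998/999 are constructed, and `diagnose` and its helpers are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). Group files and GIDs below are constructed.
# Access to a bind-mounted docker.sock is decided by numeric GID, not by group name.

# Print the name of the group that has GID ($2) in group file ($1), if any.
group_name_for_gid() {
  awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# Succeed if USER ($2) is listed as a member of the group with GID ($3).
# Only supplementary membership in the group file is checked, not the primary group.
user_in_gid() {
  awk -F: -v user="$2" -v gid="$3" '
    $3 == gid { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == user) ok = 1 }
    END { exit (ok ? 0 : 1) }' "$1"
}

# diagnose GROUP_FILE USER SOCKET_GID: classify why USER can or cannot use the socket.
diagnose() {
  name=$(group_name_for_gid "$1" "$3")
  image_gid=$(awk -F: '$1 == "docker" { print $3; exit }' "$1")
  if [ -n "$name" ] && user_in_gid "$1" "$2" "$3"; then
    echo "ok: $2 is in $name (gid $3)"
  elif [ -n "$name" ]; then
    echo "not-member: gid $3 is $name in the container, but $2 is not in it"
  elif [ -n "$image_gid" ]; then
    echo "gid-mismatch: container docker group is gid $image_gid, socket is gid $3"
  else
    echo "no-group: no group in the container has gid $3"
  fi
}

# Constructed scenario: host socket owned by gid 998, image created "docker" as gid 999.
demo() {
  tmp=$(mktemp -d)
  printf 'root:x:0:\ndocker:x:999:jenkins\njenkins:x:1000:\n' > "$tmp/image"
  printf 'root:x:0:\ndocker:x:998:jenkins\njenkins:x:1000:\n' > "$tmp/fixed"
  diagnose "$tmp/image" jenkins 998
  diagnose "$tmp/fixed" jenkins 998
  rm -rf "$tmp"
}

demo
```

Inside a real container, call `diagnose /etc/group jenkins "$(stat -c '%g' /var/run/docker.sock)"`; a `gid-mismatch` or `not-member` result is the case where passing the socket's numeric GID to `--group-add`, as suggested in the thread, applies.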
Rereading some of the above comments, I see the suggestion was to use |
Agree with @geerlingguy. However, the major issue I see all comes down to docker being designed to run as a root account, which is a fundamental mistake in modern distributed systems. |
you can just use --user "UID:{docker-sock-gid-here}" |
it's ok |
|
Any form of docker in docker has the same issue basically. But yeah, 777 on the docker socket is something people who don't understand the basics of Linux would do. But setting 777 on any file is generally a bad idea. |
Got the same pb. Solved adding docker run parameter |
Thanks @phk0 👍 perfect solution... |
@phk0 Perfect solution. It saved many days for me. |
@phk0 I got this error after adding your run parameter:
Any idea? |
Oh shoot, I added the param in the wrong place. It needs to be before the I am feeling stupid now... |
Tried several posted solutions but only this helped:
Dockerfile:
|
Is there any way to make this solution to work on Docker for Windows? |
Run with Can confirm the group id of
|
Thank you so much. It works :). My final code is:

```bash
DOCKER_SOCK=/var/run/docker.sock
if [[ "$WINDOWS" == "true" ]]; then
  DOCKER_SOCK_GID=$($DOCKER run --rm -v /$DOCKER_SOCK:$DOCKER_SOCK alpine stat -c '%g' /$DOCKER_SOCK)
else
  DOCKER_SOCK_GID=$(stat -c '%g' $DOCKER_SOCK)
fi
```

|
This solved our problem after going through all the options. Adding jenkins to sudoers

```dockerfile
USER root
#install docker
RUN curl -sSL https://get.docker.com/ | sh
#install sudo
RUN apt-get update \
  && apt-get install -y sudo \
  && rm -rf /var/lib/apt/lists/*
#Adding jenkins to sudoers list and making an alias for sudo docker
RUN echo "jenkins ALL=NOPASSWD: ALL" >> /etc/sudoers \
  && printf '#!/bin/bash\nsudo /usr/bin/docker "$@"' > /usr/local/bin/docker \
  && chmod +x /usr/local/bin/docker
USER jenkins
```

|
Yes, this helped me! chmod a+rw /var/run/docker.sock |
Is there a way to get this working from a Jenkins pipeline job? Example:

```groovy
pipeline{
    agent{
        sh "echo test"
        docker{
            label "linux-docker-proper"
            image "test-image"
            args "--group-add \$(stat -c '%g' /var/run/docker.sock) -v /var/run/docker.sock:/var/run/docker.sock"
        }
    }
    stages{
        stage("test"){
            steps{
                sh "docker ps -a"
            }
        }
    }
}
```

The job produces this command + error.
If I copy / paste the exact docker run command Jenkins shows in the output it works fine. Something to do with the way Jenkins is trying to parse things, but I haven't figured out the solution. As expected if I quote the $() portion it treats it as a literal string (despite this working on the CLI too) |
Also, what are the repercussions of mapping the

```groovy
pipeline{
    agent{
        sh "echo test"
        docker{
            label "linux-docker-proper"
            image "test-image"
            args "-v /var/run/docker.sock:/var/run/docker.sock -v /etc/passwd:/etc/passwd:ro"
        }
    }
    stages{
        stage("test"){
            steps{
                sh "docker ps -a"
            }
        }
    }
}
```

|
@bverkron did you find a solution to your problem?

```
--group-add $(stat -c '%g' /var/run/docker.sock)
Error: invalid argument "%g" for "-c, --cpu-shares" flag: strconv.ParseInt: parsing "%g": invalid syntax
```

|
@robbinvandamme how about |
@felipecrs no that didn't work, I have no docker group in my docker image. However, I got it to work in a jenkins pipeline by doing the following:
|
version:
I have a docker container (jenkins). I've mounted the sockets to my container so that I can perform docker commands inside my jenkins container. This works fine when I am root user in my container:
My dockerfile now looks like this: I add my jenkins user to the docker group so I can perform docker commands with my jenkins user:
When I start this container I'm not able to perform the docker commands with my jenkins user. But jenkins is in the docker group:
But then it does not work
This is the content of my /etc/group on my container
my jenkins user is in the docker group