Jenkins Pipeline Docker Permissions


Dan Kinon

Jul 7, 2017, 5:27:24 PM
to jenkins...@googlegroups.com
Hello,
   I'm running jenkins as a non-root user and am attempting to use a docker agent in my jenkinsfile.  When I run the job, I get the following error:
~~~~
[VA_Build_containers_develop-NJECFMY5Y6Z5OKTQVWTCSYEZEVQKAXGGRGECV2LSFA2YZ2ALBWQQ] Running shell script
+ docker inspect -f . docker:1.12.6
.
Failed to run image 'docker:1.12.6'. Error: /usr/bin/docker-current: Cannot connect to the Docker daemon. Is the docker daemon running on this host?.
See '/usr/bin/docker-current run --help'.
~~~~

   The root cause, of course, is that docker is running as root and jenkins is not.  The "solution" I've found on the internet is to open up permissions to the world on the docker.sock or to add a tcp connector to docker.  While that may functionally get me what I want, that is a hack, not a best practice solution IMHO.

   I want to tell Jenkins docker agent to execute docker via sudo (as I've given the jenkins user all required permissions via sudoers) but I can't figure out how.  Is there any way to currently do this or is this a feature request?

Thanks in advance,
-Dan

Richard Bywater

Jul 7, 2017, 6:10:12 PM
to jenkins...@googlegroups.com

I haven't checked for a while but it used to be that if you add a user to the "docker" group they'll be able to access docker commands.

Richard



Dan Kinon

Jul 8, 2017, 2:55:18 PM
to Jenkins Users
I'm running centos7 and installing pre-packaged docker 1.12.6 from epel7.  I did see the suggestion out in the wild to add the jenkins user to the "docker" (specifically "dockerroot" on my installation) group.  I tried this early on and it had no effect.  I noticed that the unix socket (/var/run/docker.sock) was owned by user root and group root with 660 permissions, so that is why adding the jenkins user to the dockerroot group had no effect.  To solve this issue, I had to change the group ownership on the socket by modifying /etc/sysconfig/docker and adding `--group=dockerroot` to the OPTIONS variable:
~~~~
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --group=dockerroot'
~~~~

Once I did this (in combination with adding the jenkins user to the dockerroot group) and restarted docker everything worked.  This still feels a little hacky but at least it doesn't carry the negative security implications of some of the other solutions I mentioned.

It would still be nice to have some semblance of control over how jenkins pipeline accesses/calls docker but this will do for now.  Thanks for pointing me back in the docker group direction.
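
The diagnosis in the message above (a socket owned by root:root with mode 660, so group membership alone changed nothing) can be checked mechanically. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes GNU `stat` as shipped on CentOS 7.

```shell
#!/bin/sh
# Added example: decide how (or whether) a user can reach the Docker socket.
# Arguments mirror `stat -c '%a %U %G' /var/run/docker.sock` and `id -nG USER`.

# socket_access MODE OWNER GROUP USER "USER_GROUPS"
# Prints owner | group | world | denied, following the kernel's check order
# (owner bits if the user owns the file, else group bits, else other bits).
socket_access() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    m=$((0$mode))                      # stat prints octal, e.g. 660
    # connect() on a unix socket needs write permission (bit value 2).
    if [ "$user" = "$owner" ]; then
        bit=$(( (m >> 6) & 2 )); via=owner
    else
        case " $user_groups " in
            *" $group "*) bit=$(( (m >> 3) & 2 )); via=group ;;
            *)            bit=$(( m & 2 ));        via=world ;;
        esac
    fi
    if [ "$bit" -ne 0 ]; then echo "$via"; else echo denied; fi
}

# world_writable MODE: succeeds when the "other" write bit is set, i.e. the
# socket has been opened up to accounts outside the owner and group.
world_writable() {
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# audit_live USER [SOCKET]: same check against the running host.
# `id -nG` reads the group database; a Jenkins process started before the
# group change keeps its old groups until it is restarted.
audit_live() {
    user=$1; sock=${2:-/var/run/docker.sock}
    st=$(stat -c '%a %U %G' "$sock") || return 1
    # shellcheck disable=SC2086  # intentional split into MODE OWNER GROUP
    socket_access $st "$user" "$(id -nG "$user")"
}

# Run as: sh script.sh jenkins   (no arguments: only define the functions)
if [ "$#" -gt 0 ]; then audit_live "$@"; fi
```

A `group` result is still powerful access: Docker's post-install documentation states that membership of the socket's group grants root-level privileges on the host, so keep that group as small as the `world` case is wide.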

Richard Bywater

Jul 10, 2017, 5:04:18 AM
to Jenkins Users
Took me a while to come back but just wanted to point out the group approach is what is "recommended" by Docker in the docs @ https://docs.docker.com/engine/installation/linux/linux-postinstall/ So definitely the least hacky of all the solutions :)

Richard.
