如何以非root用户身份从docker容器内部访问/var/run/docker.sock? (MacOS主机) [英] How to access /var/run/docker.sock from inside a docker container as a non-root user? (MacOS Host)

问题描述

我已经在Mac上安装了docker，一切运行正常.我正在使用Jenkins docker映像并运行它.在将Jenkins用作CI服务器并通过运行docker命令来构建进一步的映像时，我知道我们必须在运行Jenkins映像时绑定mount /var/run/docker.sock，以便它可以访问docker守护程序.

I have installed docker on Mac and everything is running fine. I am using a Jenkins docker image and running it. While using Jenkins as a CI server and to build further images by running docker commands through it, I came to know that we have to bind mount /var/run/docker.sock while running the Jenkins images so it can access the docker daemon.

我做到了，然后将Docker CLI安装在Jenkins的容器中.但是在运行docker ps或任何其他docker命令时，它会抛出错误:

I did that, and installed docker CLI inside Jenkins’s container. But when running docker ps or any other docker commands it is throwing an error:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.28/containers/json: dial unix /var/run/docker.sock: connect: permission denied

当我以root用户身份连接到容器时，它可以正常工作.但是切换到詹金斯"用户则会引发上述错误.我已经将"jenkins"用户添加到sudo列表中，但无济于事.

When I connect to container as a root user, it works fine. But switching to the ‘jenkins’ user throws the above error. I have already added ‘jenkins’ user to sudo list but does not help.

我发现很少有文章建议将"jenkins"用户添加到"docker"组，但令我惊讶的是，我在Mac或容器内找不到任何docker组.

I found few articles suggesting to add ‘jenkins’ user to ‘docker’ group but to my surprise I do not find any docker group on Mac or inside container.

我们非常感谢您的帮助.谢谢

Any help is much appreciated. Thanks

推荐答案

发生这种情况的原因很简单:UNIX权限不允许jenkins用户读取/var/run/docker.sock.实际上，最简单的选择是将/var/run/docker.sock上的组分配从root更改为另一个组，然后将jenkins添加到该组:

It looks like the reason this is happening is pretty straight forward: UNIX permissions are not letting the jenkins user read /var/run/docker.sock. Really the easiest option is to just change the group assignment on /var/run/docker.sock from root to another group, and then add jenkins to that group:

[as root, inside the container]
root@host:/# usermod -G docker jenkins
root@host:/# chgrp docker /var/run/docker.sock

这当然假设您已经安装了Docker CLI，并且存在名为docker的组.如果没有:

This assumes of course that you already have the docker CLI installed, and that a group called docker exists. If not:

[as root, inside the container]
root@host:/# groupadd docker

或者，您可以更改/var/run/docker.sock上的world权限，以允许非root用户访问套接字，但是我不建议您这样做.这似乎是不良的安全做法.同样，您可以将chown套接字直接提供给jenkins用户，尽管我只想更改组设置.

Alternatively, you could change the world permissions on /var/run/docker.sock to allow non-root users to access the socket, but I wouldn't recommend doing that; it just seems like bad security practice. Similarly, you could outright chown the socket to the jenkins user, although I'd rather just change the group settings.

我很困惑为什么使用sudo对您不起作用.我只是尝试了一下，我相信正是您所描述的设置，并且可以正常工作.

I'm confused why using sudo didn't work for you. I just tried what I believe is exactly the setup you described and it worked without problems.

启动容器:

[on macos host]
darkstar:~$ docker run \
                  -v /var/run/docker.sock:/var/run/docker.sock \  
                  docker.io/jenkins/jenkins:lts
darkstar:~$ docker exec -u root -it <container id> /bin/bash

安装Docker CLI:

Install Docker CLI:

[as root, inside container]
root@host:/# apt-get update
root@host:/# apt-get -y install apt-transport-https \
                                ca-certificates \
                                curl \
                                gnupg2 \
                                software-properties-common
root@host:/# rel_id=$(. /etc/os-release; echo "$ID")
root@host:/# curl -fsSL https://download.docker.com/linux/${rel_id}/gpg > /tmp/dkey
root@host:/# apt-key add /tmp/dkey
root@host:/# add-apt-repository \
             "deb [arch=amd64] https://download.docker.com/linux/${rel_id} \
              $(lsb_release -cs) stable"
root@host:/# apt-get update
root@host:/# apt-get -y install docker-ce

然后设置詹金斯用户:

[as root, inside container]
root@host:/# usermod -G sudo jenkins
root@host:/# passwd jenkins
[...]

并尝试一下:

[as jenkins, inside container]
jenkins@host:/$ sudo docker ps -a
[...]
password for jenkins:

CONTAINER ID        IMAGE                 COMMAND                  CREATED     ...
69340bc13bb2        jenkins/jenkins:lts   "/sbin/tini -- /usr/…"   8 minutes ago ...

对我来说似乎很好.也许您采用了其他方法来安装Docker CLI?不确定，但是如果您想使用sudo访问docker套接字，则这些步骤将起作用.虽然，我认为如上所述更改组分配会比较容易.祝你好运:)

it seems to work fine for me. Maybe you took a different route to install the Docker CLI? Not sure, but if you want to access the docker socket using sudo, those steps will work. Although, I think it would be easier to just change the group assignment as explained up above. Good luck :)

注意:使用运行Docker Engine v19.03.2的macOS Mojave v10.14.3执行的所有测试.这似乎并不严重依赖于主机平台，因此我希望它可以在Linux或任何其他类似UNIX的操作系统(包括其他版本的macOS/OSX)上运行.

Note: All tests performed using macOS Mojave v10.14.3 running Docker Engine v19.03.2. This doesn't seem to be heavily dependent on the host platform, so I would expect it to work on Linux or any other UNIX-like OS, including other versions of macOS/OSX.

这篇关于如何以非root用户身份从docker容器内部访问/var/run/docker.sock? (MacOS主机)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！