如何以非root用户身份从docker容器内部访问/var/run/docker.sock? (MacOS主机) [英] How to access /var/run/docker.sock from inside a docker container as a non-root user? (MacOS Host)
问题描述
我已经在Mac上安装了docker,一切运行正常.我正在使用Jenkins docker映像并运行它.在将Jenkins用作CI服务器并通过运行docker命令来构建进一步的映像时,我知道我们必须在运行Jenkins映像时绑定mount /var/run/docker.sock
,以便它可以访问docker守护程序.
I have installed docker on Mac and everything is running fine. I am using a Jenkins docker image and running it. While using Jenkins as a CI server and to build further images by running docker commands through it, I came to know that we have to bind mount /var/run/docker.sock
while running the Jenkins images so it can access the docker daemon.
我做到了,然后将Docker CLI安装在Jenkins的容器中.但是在运行docker ps
或任何其他docker命令时,它会抛出错误:
I did that, and installed docker CLI inside Jenkins’s container. But when running docker ps
or any other docker commands it is throwing an error:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.28/containers/json: dial unix /var/run/docker.sock: connect: permission denied
当我以root用户身份连接到容器时,它可以正常工作.但是切换到詹金斯"用户则会引发上述错误.我已经将"jenkins"用户添加到sudo列表中,但无济于事.
When I connect to container as a root user, it works fine. But switching to the ‘jenkins’ user throws the above error. I have already added ‘jenkins’ user to sudo list but does not help.
我发现很少有文章建议将"jenkins"用户添加到"docker"组,但令我惊讶的是,我在Mac或容器内找不到任何docker组.
I found few articles suggesting to add ‘jenkins’ user to ‘docker’ group but to my surprise I do not find any docker group on Mac or inside container.
我们非常感谢您的帮助.谢谢
Any help is much appreciated. Thanks
推荐答案
发生这种情况的原因很简单:UNIX权限不允许jenkins
用户读取/var/run/docker.sock
.实际上,最简单的选择是将/var/run/docker.sock
上的组分配从root
更改为另一个组,然后将jenkins
添加到该组:
It looks like the reason this is happening is pretty straight forward: UNIX permissions are not letting the jenkins
user read /var/run/docker.sock
. Really the easiest option is to just change the group assignment on /var/run/docker.sock
from root
to another group, and then add jenkins
to that group:
[as root, inside the container]
root@host:/# usermod -G docker jenkins
root@host:/# chgrp docker /var/run/docker.sock
这当然假设您已经安装了Docker CLI,并且存在名为docker
的组.如果没有:
This assumes of course that you already have the docker CLI installed, and that a group called docker
exists. If not:
[as root, inside the container]
root@host:/# groupadd docker
或者,您可以更改/var/run/docker.sock
上的world权限,以允许非root用户访问套接字,但是我不建议您这样做.这似乎是不良的安全做法.同样,您可以将chown
套接字直接提供给jenkins
用户,尽管我只想更改组设置.
Alternatively, you could change the world permissions on /var/run/docker.sock
to allow non-root users to access the socket, but I wouldn't recommend doing that; it just seems like bad security practice. Similarly, you could outright chown
the socket to the jenkins
user, although I'd rather just change the group settings.
我很困惑为什么使用sudo
对您不起作用.我只是尝试了一下,我相信正是您所描述的设置,并且可以正常工作.
I'm confused why using sudo
didn't work for you. I just tried what I believe is exactly the setup you described and it worked without problems.
启动容器:
[on macos host]
darkstar:~$ docker run \
-v /var/run/docker.sock:/var/run/docker.sock \
docker.io/jenkins/jenkins:lts
darkstar:~$ docker exec -u root -it <container id> /bin/bash
安装Docker CLI:
Install Docker CLI:
[as root, inside container]
root@host:/# apt-get update
root@host:/# apt-get -y install apt-transport-https \
ca-certificates \
curl \
gnupg2 \
software-properties-common
root@host:/# rel_id=$(. /etc/os-release; echo "$ID")
root@host:/# curl -fsSL https://download.docker.com/linux/${rel_id}/gpg > /tmp/dkey
root@host:/# apt-key add /tmp/dkey
root@host:/# add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/${rel_id} \
$(lsb_release -cs) stable"
root@host:/# apt-get update
root@host:/# apt-get -y install docker-ce
然后设置詹金斯用户:
[as root, inside container]
root@host:/# usermod -G sudo jenkins
root@host:/# passwd jenkins
[...]
并尝试一下:
[as jenkins, inside container]
jenkins@host:/$ sudo docker ps -a
[...]
password for jenkins:
CONTAINER ID IMAGE COMMAND CREATED ...
69340bc13bb2 jenkins/jenkins:lts "/sbin/tini -- /usr/…" 8 minutes ago ...
对我来说似乎很好.也许您采用了其他方法来安装Docker CLI?不确定,但是如果您想使用sudo
访问docker套接字,则这些步骤将起作用.虽然,我认为如上所述更改组分配会比较容易.祝你好运:)
it seems to work fine for me. Maybe you took a different route to install the Docker CLI? Not sure, but if you want to access the docker socket using sudo
, those steps will work. Although, I think it would be easier to just change the group assignment as explained up above. Good luck :)
注意:使用运行Docker Engine v19.03.2的macOS Mojave v10.14.3执行的所有测试.这似乎并不严重依赖于主机平台,因此我希望它可以在Linux或任何其他类似UNIX的操作系统(包括其他版本的macOS/OSX)上运行.
Note: All tests performed using macOS Mojave v10.14.3 running Docker Engine v19.03.2. This doesn't seem to be heavily dependent on the host platform, so I would expect it to work on Linux or any other UNIX-like OS, including other versions of macOS/OSX.
这篇关于如何以非root用户身份从docker容器内部访问/var/run/docker.sock? (MacOS主机)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!