码头上的詹金斯可以访问主机码头 [英] Jenkins in docker with access to host docker
问题描述
我有一个工作流程,将Webapps发布到我的开发人员服务器。服务器有一个docker主机,我使用docker-compose来管理容器。
- 将我的应用程序中的更改推送到私有gitlab (在码头工人运行)。该应用程序包括一个Dockerfile和docker-compose.yml
- Gitlab触发jenkins构建(jenkins也在docker中运行),它执行一些正常的构建内容(例如运行测试)
- Jenkins然后需要构建一个新的码头图像并使用docker-compose进行部署。
我已经在步骤3.我设置的方式,jenkins容器可以访问主机码头,以便在构建脚本中运行任何 docker 命令本质上是与在主机上运行相同。这是使用jenkins的以下 DockerFile 完成的:
FROM jenkins/ pre>
USER root
#给jenkins访问docker
运行groupadd -g 997 docker
运行gpasswd -a jenkins docker
#安装docker -compose
RUN curl -L https://github.com/docker/compose/releases/download/1.2.0/docker-compose-`uname -s` -'uname -m`> / usr / local / bin / docker-compose
运行chmod + x / usr / local / bin / docker-compose
用户jenkins
,并将以下卷映射到jenkins容器:
-v /var/run/docker.sock:/var/run/docker.sock
-v / usr / bin / docker:/ usr / bin / docker
jenkins中的典型构建脚本看起来像这样:
docker-compose build
docker-compose up
这样可以,但是有两个问题:
-
真的感觉像一个黑客。但是我发现的唯一其他选项是使用docker插件进行jenkins,发布到注册表,然后让某些方式让主机知道需要重新启动。这是相当多的移动部件,docker-jenkins插件要求docker主机是在一个开放的端口,我不想露出。
-
jenkins DockerFile包含需要给jenkins用户访问docker的
groupadd -g 997 docker。但是,GID(997)是主机上的GID,因此不可移植。
我不确定我正在寻找什么解决方案。我看不到任何实际的方法来解决这个方法,但是如果有一种方法允许在jenkins容器中运行docker命令,而不必对DockerFile中的GID进行硬编码,那将是很好的。有没有人对此有任何建议?
我遇到了同样的问题。由于GID问题,我最终给予Jenkins无密码的sudo权限。我在这里写了更多关于这一点: http://容器-solutions.com/2015/03/running-docker-in-jenkins-in-docker/
这不会影响安全性,因为有Docker权限实际上等同于sudo权限。
I have a workflow as follows for publishing webapps to my dev server. The server has a single docker host and I'm using docker-compose for managing containers.
- Push changes in my app to a private gitlab (running in docker). The app includes a Dockerfile and docker-compose.yml
- Gitlab triggers a jenkins build (jenkins is also running in docker), which does some normal build stuff (e.g. run test)
- Jenkins then needs to build a new docker image and deploy it using docker-compose.
The problem I have is in step 3. The way I have it set up, the jenkins container has access to the host docker so that running any docker command in the build script is essentially the same as running it on the host. This is done using the following DockerFile for jenkins:
FROM jenkins
USER root
# Give jenkins access to docker
RUN groupadd -g 997 docker
RUN gpasswd -a jenkins docker
# Install docker-compose
RUN curl -L https://github.com/docker/compose/releases/download/1.2.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
RUN chmod +x /usr/local/bin/docker-compose
USER jenkins
and mapping the following volumes to the jenkins container:
-v /var/run/docker.sock:/var/run/docker.sock
-v /usr/bin/docker:/usr/bin/docker
A typical build script in jenkins looks something like this:
docker-compose build
docker-compose up
This works ok, but there are two problems:
It really feels like a hack. But the only other options I've found is to use the docker plugin for jenkins, publish to a registry and then have some way of letting the host know it needs to restart. This is quite a lot more moving parts, and the docker-jenkins plugin required that the docker host is on an open port, which I don't really want to expose.
The jenkins DockerFile includes
groupadd -g 997 dockerwhich is needed to give the jenkins user access to docker. However, the GID (997) is the GID on the host machine, and is therefore not portable.
I'm not really sure what solution I'm looking for. I can't see any practical way to get around this approach, but it would be nice if there was a way to allow running docker commands inside the jenkins container without having to hard code the GID in the DockerFile. Does anyone have any suggestions about this?
I ran into the same issues. I ended up giving Jenkins passwordless sudo privileges because of the GID problem. I wrote more about this here: http://container-solutions.com/2015/03/running-docker-in-jenkins-in-docker/
This doesn't really affect security as having docker privileges is effectively equivalent to sudo rights.
这篇关于码头上的詹金斯可以访问主机码头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
