以非root用户身份在docker-container中以jenkins-agent身份运行Docker [英] Run Docker as jenkins-agent, in a docker-container, as non-root user

问题描述

类似问题

• Got尝试连接到unix:///var/run/docker.sock
上的Docker守护程序套接字时，权限被拒绝
• 如何解决由触发时的Docker权限错误詹金斯(Jenkins)
• https://github.com/jenkinsci/docker/issues/263

• Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
• How to solve Docker permission error when trigger by Jenkins
• https://github.com/jenkinsci/docker/issues/263

Dockerfile

FROM  jenkins/jenkins:lts
USER root
RUN apt-get -qq update  && apt-get -qq -y install --no-install-recommends curl
RUN curl -sSL https://get.docker.com/ | sh
RUN usermod -aG docker jenkins
USER jekins

终端命令

docker run -p 8080:8080 -p 50000:50000 \
  -v jenkins_home:/var/jenkins_home \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -ti bluebrown/docker-in-jenkins-in-docker /bin/bash

在容器内部

docker image ls

输出

Got permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock: Get
http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/json: dial unix
/var/run/docker.sock: connect: permission denied

当我注释掉dockerfile的最后一行时，以root用户身份运行实例，

# USER jenkins

出于显而易见的原因，我可以毫无问题地访问docker套接字.但是，我认为这不是一个适当的解决方案.这就是为什么我想问问是否有人设法以非root用户身份访问Docker套接字.

推荐答案

您已将docker组添加到了容器内的Jenkins用户.但是，这不一定可行，因为主机和容器之间用户和组到uid和gid的映射可能不同.通常这不是问题，但是在主机卷和其他绑定装入容器的情况下，文件将使用相同的uid/gid以及权限进行映射.因此，在容器内部，除非两个环境之间的gid完全相同，否则docker组将无法访问docker套接字.

You've added the docker group to the Jenkins user inside the container. However, that will not necessarily work because the mapping of users and groups to uids and gids can be different between the host and container. That's normally not an issue, but with host volumes and other bind mounts into the container, the files are mapped with the same uid/gid along with the permissions. Therefore, inside the container, the docker group will not have access to the docker socket unless the gid happens to be identical between the two environments.

有几种解决方案，包括手动传递主机gid作为在容器内部使用的gid.或者，您可以得到主机的指导，并使用硬编码的值构建映像.

There are several solutions, including manually passing the host gid as the gid to use inside the container. Or you can get the gid of the host and build the image with that value hard coded in.

我的首选解决方案是以root用户身份启动入口点，修复容器内的docker组以匹配已安装的docker套接字的gid，然后切换到Jenkins用户以启动应用程序.这在可能难以控制uid/gids的开发环境中特别有效.所有的步骤/脚本都在我的仓库中: https://github.com/sudo- bmitch/jenkins-docker

My preferred solution is to start an entrypoint as root, fix the docker group inside the container to match the gid of the mounted docker socket, and then switch to the Jenkins user to launch the app. This works especially well in development environments where control of uid/gids may be difficult. All the steps/scripts for this are in my repo: https://github.com/sudo-bmitch/jenkins-docker

对于受控环境中的生产，我尝试在主机和容器中获取用于装入主机卷的任何内容的标准化uid/gid值.然后，我可以运行没有根入口点步骤的容器.

For production in a controlled environment, I try to get standardized uid/gid values, both on the host and in containers, for anything that mounts host volumes. Then I can run the container without the root entrypoint steps.

这篇关于以非root用户身份在docker-container中以jenkins-agent身份运行Docker的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！