Building Docker images with Jenkins that runs inside a Docker container


Problem description

I was reading this article about setting up Jenkins running inside a Docker container in a way that Jenkins is able to build Docker images itself. Although this solution works, there are some security issues as also pointed out by the author.

The main security problem lies in the fact that Jenkins needs to run Docker commands, which requires a mount of the Docker socket inside the Jenkins container (plus Jenkins needs sudo to be able to run Docker commands). So whoever has access to the Jenkins web interface can run any command with full access to the host system (via running a docker container).

Therefore I'm wondering if someone has some ideas to make this setup more secure. Not running Jenkins inside a Docker container (but directly on the host system) does not seem more secure to me, since Jenkins still needs to be able to execute Docker commands (with sudo) to build new images, leaving the Jenkins user still able to start up any arbitrary container. Using a firewall would be an option to limit the IPs from which Jenkins can be reached, but I was hoping that there might be some other solutions to decrease the security risks.

Edit: I forgot to mention that Jenkins should also be able to start the (newly created) containers on the same machine.

Recommended answer

I think this is what you are looking for.

You can mount the docker sock while running your images:

-v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):/usr/bin/docker

and you can access docker inside the jenkins container.

Please follow the link: http://container-solutions.com/running-docker-in-jenkins-in-docker/
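An added example, not part of the question or the answer above: the full docker run line the answer describes, the kind of command the question warns that anyone with access to that Jenkins could run next to get root on the host, and a small audit that reads `docker inspect` output and flags containers that have the Docker socket mounted. The image name `jenkins`, the `/var/jenkins_home` volume, the `alpine` image used for the host shell, and the two `docker inspect` samples are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the original poster's or the answerer's code.
# 1) jenkins_run_cmd prints the "docker run" line the answer describes
#    (image name "jenkins" and the /var/jenkins_home volume are assumptions).
# 2) host_root_cmd prints what anyone who can run builds on that Jenkins can
#    execute through the mounted socket, which is the risk the question raises.
# 3) socket_mounted reads `docker inspect` JSON and reports whether the host
#    socket is bind-mounted, so an existing host can be audited quickly.

jenkins_run_cmd() {
    # "$(which docker)" from the answer; falls back to /usr/bin/docker when
    # the docker client is not on PATH (e.g. when this script is only printed).
    docker_bin=$(command -v docker 2>/dev/null || echo /usr/bin/docker)
    printf 'docker run -d --name jenkins -p 8080:8080 \\\n'
    printf '  -v /var/run/docker.sock:/var/run/docker.sock \\\n'
    printf '  -v %s:/usr/bin/docker \\\n' "$docker_bin"
    printf '  -v /var/jenkins_home:/var/jenkins_home jenkins\n'
}

# Whoever can talk to the mounted socket can start a container that
# bind-mounts the host's root filesystem and chroots into it: root on the host.
host_root_cmd() {
    printf 'docker run --rm -it -v /:/host alpine chroot /host /bin/sh\n'
}

# Returns 0 when the JSON from `docker inspect <container>` lists the host
# Docker socket among HostConfig.Binds, 1 otherwise.
socket_mounted() {
    printf '%s\n' "$1" | grep -q '"/var/run/docker.sock:/var/run/docker.sock'
}

# Audit every running container on this host (needs a working docker client;
# not called in the offline demo below).
audit_running_containers() {
    for c in $(docker ps -q); do
        if socket_mounted "$(docker inspect "$c")"; then
            echo "WARNING: $(docker inspect --format '{{.Name}}' "$c") has the Docker socket mounted (host root reachable)"
        fi
    done
}

# Constructed samples of `docker inspect` output, trimmed to the relevant fields.
SAMPLE_WITH_SOCKET='[{"Name":"/jenkins","HostConfig":{"Binds":["/var/run/docker.sock:/var/run/docker.sock","/var/jenkins_home:/var/jenkins_home"]}}]'
SAMPLE_WITHOUT_SOCKET='[{"Name":"/web","HostConfig":{"Binds":["/srv/www:/usr/share/nginx/html:ro"]}}]'

jenkins_run_cmd
host_root_cmd
socket_mounted "$SAMPLE_WITH_SOCKET" && echo "sample /jenkins: socket mounted, host root reachable"
socket_mounted "$SAMPLE_WITHOUT_SOCKET" || echo "sample /web: no socket mount"
```

One caveat on the mount itself: the socket keeps the host's ownership (root and the host's docker group) inside the container, so the jenkins user only reaches it if it shares that group id or runs the docker client through sudo, which is the sudo requirement the question mentions. The audit function is the useful part to keep around: every container it flags is, for anyone who can execute code in it, equivalent to a root shell on the host.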
