权限被拒绝的错误以非root用户身份从Docker Ubuntu容器内部调用Mac主机上的Docker [英] Permission denied error invoking Docker on Mac host from inside Docker Ubuntu container as non-root user
问题描述
我试图从运行的jenkins Docker容器内部调用运行Mac的Docker for Mac 17.06.0-ce-mac17的OSX主机上的docker(
I'm trying to invoke docker on my OSX host running Docker for Mac 17.06.0-ce-mac17 from inside a running jenkins docker container (jenkins:latest), per the procedure described at http://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/.
我将/var/run/docker.sock安装到容器中,将ubuntu docker二进制文件粘贴在容器中,并且能够执行-但是在运行例如时,以用户"jenkins"的身份从容器内部执行我得到"docker ps"
I mount /var/run/docker.sock into the container, I stick a ubuntu docker binary inside it, and it's able to execute - but from inside the container as user "jenkins" when I run e.g. "docker ps" I get
尝试连接到unix:///var/run/docker.sock上的Docker守护程序套接字时,获得的权限被拒绝:获取
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.30/containers/json?all=1: dial unix /var/run/docker.sock: connect: permission denied.
如果我以root用户身份(docker exec -u 0)连接到容器,则它可以正常工作.
If I connect to the container as root (docker exec -u 0) it works though.
我需要jenkins用户能够运行它.我尝试在ubuntu容器中添加一个docker组并向其中添加jenkins,但这没有帮助,因为它与外部无关,并且Mac版Docker不能像在linux上运行此功能那样简单uid/gid匹配.我想分发这个容器,所以回答并破解我的Docker for Mac安装的一部分并不能真正帮助我.如果可以的话,我宁愿不以root用户身份运行整个jenkins安装程序. (我也尝试过以特权方式运行容器,但这没有帮助.)
I need the jenkins user to be able to run this. I tried adding a docker group and adding jenkins to it inside the ubuntu container but that didn't help, since it's got nothing to do with the outside and Docker for Mac doesn't work like running this on linux where you can do semi easy uid/gid matching. I want to distribute this container so answers that go and hack part of my Docker for Mac install won't really help me. I'd rather not run the whole jenkins setup as root if I can help it. (I also tried running the container as privileged, that didn't help.)
Per the advice in Permission Denied while trying to connect to Docker Daemon while running Jenkins pipeline in Macbook I chowned the /var/run/docker.sock file inside the container manually to jenkins and now jenkins can run docker. But I'm having trouble coming up with a solution for a distributable container - I can't do that chown in the Dockerfile because the file doesn't exist yet, and shimming in into the entrypoint doesn't help because that runs as jenkins.
我需要做什么才能构建并运行一个映像,该映像将以非root用户身份从容器内部在Mac上运行外部docker容器?
What do I need to do in order to build and run an image that will run external docker containers on my Mac as a non-root user from inside the container?
推荐答案
我做到了这一点,至少是自动化的,但目前仅在Mac的docker上工作. 适用于Mac的Docker具有唯一的文件权限模型.手动将/var/run/docker.sock赋予jenkins用户有效,并且在容器重新启动甚至映像重新生成期间仍然存在,但在过去的docker守护程序重新启动之后仍然如此.另外,您无法在Dockerfile中执行chown,因为docker.sock还不存在,并且您无法在入口点中执行它,因为它作为jenkins运行.
I got this working, at least automated but currently only working on docker for Mac. Docker for Mac has a unique file permission model. Chowning /var/run/docker.sock to the jenkins user manually works, and it persists across container restarts and even image regeneration, but not past docker daemon restarts. Plus, you can't do the chown in the Dockerfile because docker.sock doesn't exist yet, and you can't do it in the entrypoint because that runs as jenkins.
所以我要做的是将jenkins添加到"staff"组,因为在我的Mac上,/var/run/docker.sock被符号链接到/Users//Library/Containers/com.docker.docker/Data/ss60是uid和gid工作人员.这使jenkins用户可以在主机上运行docker命令.
So what I did was add jenkins to the "staff" group, because on my Mac, /var/run/docker.sock is symlinked down into /Users//Library/Containers/com.docker.docker/Data/s60 and is uid and gid staff. This lets the jenkins user run docker commands on the host.
Dockerfile:
Dockerfile:
FROM jenkins:latest
USER root
RUN \
apt-get update && \
apt-get install -y build-essential && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
COPY docker /usr/bin/docker
# To allow us to access /var/run/docker.sock on the Mac
RUN gpasswd -a jenkins staff
USER jenkins
ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]
docker-compose.yml文件:
docker-compose.yml file:
version: "3"
services:
jenkins:
build: ./cd_jenkins
image: cd_jenkins:latest
ports:
- "8080:8080"
- "5000:5000"
volumes:
- ./jenkins_home:/var/jenkins_home
- /var/run/docker.sock:/var/run/docker.sock
但是,这不能移植到其他系统(并且该docker使mac组保持人员",我想不能保证).我很乐意提出改进建议,以使该解决方案能够在主机系统上正常工作.其他问题中建议的其他选项,例如在jenkins中执行docker host命令docker容器包括:
This is, however, not portable to other systems (and depends on that docker for mac group staying "staff," which I imagine isn't guaranteed). I'd love suggested improvements to make this solution work across host systems. Other options suggested in questions like Execute docker host command inside jenkins docker container include:
- 安装sudo并让jenkins sudo并使用sudo运行所有docker命令:增加安全性问题
- 将jenkins添加到docker组"-仅限于UNIX,可能依赖于主机与容器之间的gid匹配吗?
- 设置包含的docker可执行文件的设置可能有效,但与sudo一样具有相同的安全提升问题.
这篇关于权限被拒绝的错误以非root用户身份从Docker Ubuntu容器内部调用Mac主机上的Docker的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
