如何找出哪个用户正在访问/var/run/docker.sock,这将导致权限被拒绝错误 [英] How to find out which user is accessing /var/run/docker.sock that will cause permission denied error
问题描述
此问题与以下问题不同:
This question is different from the following questions:
泊坞窗:尝试连接到unix://上的Docker守护程序套接字时,权限被拒绝/var/run/docker.sock 因为他们不考虑将jenkins安装为docker容器,所以在这里我没有jenkins用户授予该用户访问此文件的权限。
Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock Because they didn't consider jenkins to be installed as docker container, here I don't have jenkins user to give that user access to this file.
这也是 docker.sock权限被拒绝,因为我不知道我为哪个用户遇到此错误,这里的用户 root 可以访问此文件,但该错误再次发生。
And also from this one docker.sock permission denied Because I don't know which user I got this error for, Here the user root has access to this file but the error happened again.
这是我的问题:
我想在ubuntu上使用以下命令运行docker jenkinsci / blueocean image:
I want to run docker jenkinsci/blueocean image using following command on ubuntu:
docker container run \
--name jenkins-blueocean \
--rm \
--detach \
--publish 8181:8080 \
--publish 50000:50000 \
--volume jenkins-data:/var/jenkins_home \
--volume jenkins-docker-certs:/certs/client:ro \
--volume /var/run/docker.sock:/var/run/docker.sock \
jenkinsci/blueocean
在运行jenkins之后当我按如下方式使用代理时,可以使用以下容器:
After running jenkins on dokcer container when I use agent as follows:
agent {
docker {
image 'maven:3-alpine'
}
}
我遇到以下错误:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/create?fromImage=maven&tag=3-alpine: dial unix /var/run/docker.sock: connect: permission denied
在这里,当我使用此命令时,它将解决问题:
Here when I use this command it will solve the problem:
chmod 777 /var/run/docker.sock
但是由于安全漏洞,我不想允许所有用户访问此套接字。
But I don't want to permit all users to access this socket because of security vulnerabilities.
我还应该说当前用户是root用户,并且可以访问 /var/run/docker.sock
I should also say that the current user is root and it has access to /var/run/docker.sock
以下是一些有用的信息:
Here are some useful information:
echo $USER
root
ls -ls /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 24 14:56 /var/run/docker.sock
groups
root docker
我应该允许哪个用户访问此文件? jenkins在容器上运行,并且我的系统上没有jenkins用户,如何确定哪个用户正在尝试访问此套接字文件 /var/run/docker.sock 因此,我得到了这个错误?
Which user should I permit access to this file? jenkins is run on container and there is no jenkins user on my system, How can I find out which user is trying to access this socket file /var/run/docker.sock and consequently I got this error?
推荐答案
如果您查看jenkinsci / blueocean的Dockerfile,例如, 1.23.2 。您会看到詹金斯用户是uid 1000和gid1000。这些ID必须与卷访问匹配,而不是用户名。
If you look at the Dockerfile for jenkinsci/blueocean, for example, 1.23.2. You can see that the "jenkins" user is uid 1000 and gid 1000. It is these IDs that have to match for volume access, not the username.
而不是向uid / gid 1000授予对/ var / run / docker的访问权限.sock在主机上,也许最好以具有权限的用户/组身份运行容器。您可以使用 id -u root 和 id -g docker 进行检查,然后将其与<$ c $例如c> docker run 命令(假设根uid为0), docker run -u 0 ... 。有关如何使用<$ c $的更多示例,请参见文档页面。 c> -u / -用户。如果您在容器中以与root用户相同的uid运行,则可能不会有问题,但是,如果这是不同的id,则可能会遇到问题,因为其他uid可能缺少必要的配置才能
Rather than granting uid/gid 1000 access to /var/run/docker.sock on the host, perhaps it would be better to run the container as the user/group that has permission. You can check that with id -u root and id -g docker, then use that with your docker run command, for example (assuming root uid is 0), docker run -u 0 .... See the doc page for more examples of how to use -u/--user. If you're running as the same uid as root in the container, you probably won't have a problem, but if if that is a different id, you may run into issues as other uids might be missing necessary configuration to be able to run the Jenkins stuff correctly.
如果您真的要改变/var/run/docker.sock的路线,那么答案就是创建gid为1000的组并将根添加到该组。
If you really want to go the route of changing /var/run/docker.sock, then the answer would be to create a group with gid 1000 and add root to that group I guess.
这篇关于如何找出哪个用户正在访问/var/run/docker.sock,这将导致权限被拒绝错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
