在部署到kubernetes的jenkinsci/blueocean映像上连接到Docker守护程序时,权限被拒绝 [英] Permission denied when connecting to docker daemon on jenkinsci/blueocean image deployed to kubernetes
问题描述
使用Docker代理时,在jenkins中运行已部署到kubernetes集群的声明性管道作业失败,并出现以下错误:
Running a declarative pipeline job in jenkins which was deployed to a kubernetes cluster fails when using the docker agent with the following error:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/create?fromImage=node&tag=10.15.1: dial unix /var/run/docker.sock: connect: permission denied
如何解决kubernetes声明中的此权限错误?
How can I solve this permission error in the kubernetes declaration?
我们有一台jenkins服务器,已使用jenkinsci/blueocean映像将其部署到kubernetes集群. kubernetes声明如下:
We have a jenkins server which was deployed to a kubernetes cluster using the jenkinsci/blueocean image. The kubernetes declaration as done as follows:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: jenkins-master
spec:
replicas: 1
template:
metadata:
labels:
app: jenkins-master
spec:
terminationGracePeriodSeconds: 10
serviceAccountName: jenkins
containers:
- name: jenkins-master
image: jenkinsci/blueocean
imagePullPolicy: Always
ports:
- name: http-port
containerPort: 8080
- name: jnlp-port
containerPort: 50000
env:
- name: "JAVA_OPTS"
value: "-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.HEARTBEAT_CHECK_INTERVAL=3600"
volumeMounts:
- name: jenkins-home
mountPath: /var/jenkins_home
- name: docker-socket
mountPath: /var/run/docker.sock
volumes:
- name: jenkins-home
persistentVolumeClaim:
claimName: jenkins
- name: docker-socket
hostPath:
path: /var/run/docker.sock
type: File
然后我们声明一个声明性管道詹金斯工作,如下所示:
We then declare a declarative pipeline jenkins job as follows:
pipeline {
agent {
docker {
image 'node:10.15.1'
label 'master'
}
}
stages {
stage('Checkout source code') {
steps {
checkout scm
}
}
stage('Build project') {
steps {
sh 'npm install'
sh 'npm run compile'
}
}
stage('Run quality assurance') {
steps {
sh 'npm run style:check'
sh 'npm run test:coverage'
}
}
}
}
此作业失败,并出现上述错误.我的怀疑是docker套接字已安装到系统中,但是运行作业的用户没有执行该套接字的权限.但是,我无法使用sudo usermod -a -G docker $USER将用户添加到已创建的pod中的组中,因为将在每次重新部署后重新创建pod.
This job fails with the aforementioned error. My suspicion is that the docker socket was mounted into the system, but the user running the job does not have permission to execute the socket. I, however, cannot add the user to the group in the created pod using sudo usermod -a -G docker $USER since the pod will be recreated upon each redeploy.
- 是否可以在kubernetes声明中使用正确的用户挂载docker卷?
- 如果无法在kubernetes声明中设置权限,我可以用不同的方式声明管道吗?
- 还有没有想到的其他解决方案吗?
谢谢.
推荐答案
但是,我无法使用以下方式将用户添加到已创建的窗格中的组中: sudo usermod -a -G docker $ USER,因为将在以下时间重新创建pod 每次重新部署.
I, however, cannot add the user to the group in the created pod using sudo usermod -a -G docker $USER since the pod will be recreated upon each redeploy.
实际上,您可以.
在部署Yaml中为您的容器定义一个usermod命令,例如
Define a usermod command for your container in the deployment yaml, e.g
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: jenkins-master
spec:
replicas: 1
template:
metadata:
labels:
app: jenkins-master
spec:
terminationGracePeriodSeconds: 10
serviceAccountName: jenkins
containers:
- name: jenkins-master
image: jenkinsci/blueocean
imagePullPolicy: Always
ports:
- name: http-port
containerPort: 8080
- name: jnlp-port
containerPort: 50000
env:
- name: "JAVA_OPTS"
value: "-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.HEARTBEAT_CHECK_INTERVAL=3600"
- name: "USER"
value: "Awemo"
volumeMounts:
- name: jenkins-home
mountPath: /var/jenkins_home
- name: docker-socket
mountPath: /var/run/docker.sock
command: ["/bin/sh"]
args: ["-c", "usermod -aG docker $USER"]
volumes:
- name: jenkins-home
persistentVolumeClaim:
claimName: jenkins
- name: docker-socket
hostPath:
path: /var/run/docker.sock
type: File
因此,无论何时创建新的Pod,都会将一个用户添加到docker用户组
So, whenever a new pod is created, a user will be added to the docker usergroup
这篇关于在部署到kubernetes的jenkinsci/blueocean映像上连接到Docker守护程序时,权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
