如何在Docker容器中以正确的组装载Docker套筒 [英] How to mount docker socket as volume in docker container with correct group

问题描述

我想在码头集装箱中运行一个Jenkins实例。

我想让Jenkins本身能够将Docker容器作为从属机构来运行测试。 / p>

似乎最好的方法是使用

  docker运行-v /var/run.docker.sock:/var/run/docker.sock -p 8080：8080 -ti my-jenkins-image 
  

来源

我正在使用的 Dockerfile

  FROM jenkins 
 COPY plugins.txt /usr/share/jenkins/plugins.txt 
 RUN / usr / local / bin /plugins.sh /usr/share/jenkins/plugins.txt 
 
 USER root 
 RUN apt-get update&& apt-get install -y docker.io 
运行usermod -aG docker jenkins 
用户jenkins 
  

如果我在运行容器中启动一个bash会话，并在我的图像上运行 docker info ，我得到

  $ docker info 
 FATA [0000]获取http：///var/run/docker.sock/v1.18/info：dial unix / var / run / docker。袜子：许可被拒绝。您是否尝试连接到不带TLS的启用TLS的守护程序？ 
  

如果我以root身份运行bash会话

＃pre> $ code> docker exec -u 0 -ti cocky_mccarthy bash
root @ 5dbd0efad2b0：/＃docker info
容器：42
图片：50
...

所以我猜，$ code> docker 组我将jenkins用户添加到内部Docker的组，因此套接字在没有sudo的情况下是不可读的。这是一个问题，因为jenkins docker插件等没有设置为使用sudo。

如何安装套接字，以便可以从没有sudo的图像

解决方案

我使用你的docker文件，但做了一个小编辑：

  FROM jenkins 
 COPY plugins.txt /usr/share/jenkins/plugins.txt 
 RUN / usr / local / bin / plugins .sh /usr/share/jenkins/plugins.txt 
 
 USER root 
 RUN apt-get update 
 RUN groupadd docker&& gpasswd -a jenkins docker 
用户jenkins 
  

构建图像后，我可以使用我在centos7）：

  docker run -d \ 
 -v / var / run / docker。 sock：/var/run/docker.sock \ 
 -v $（哪个docker）：/ usr / bin / docker：ro \ 
 -v /lib64/libdevmapper.so.1.02:/ usr / lib / x86_64-linux-gnu / libdevmapper.so.1.02 \ 
 -v /lib64/libudev.so.0:/usr/lib/x86_64-linux-gnu/libudev.so.0 \ 
 -p 8080：8080 \ 
 --name jenkins \ 
 --privileged = true -t -i \ 
 test / jenkins 
  

您尝试在您的图像中安装docker.io包。但是这个包也在你的主机上（否则就不可能在其上运行docker容器）。所以建议将其安装到您的容器，而不是将其安装在您的docker文件中。
我认为mount / lib64 / ...特定于Centos 7。

  $ docker exec -it 9fc27d5fcec1 bash 
 jenkins @ 9fc27d5fcec1：/ $ whoami 
 jenkins 
 jenkins @ 9fc27d5fcec1：/ $ docker ps 
 CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 
 9fc27d5fcec1 test/ bin / tini  -  / usr / lo6分钟前Up 6分钟0.0.0.0:8080->8080/tcp，50000 / tcp jenkins 
  

I want to run a Jenkins instance in a docker container.

I want Jenkins itself to be able to spin up docker containers as slaves to run tests in.

It seems the best way to do this is to use

docker run -v /var/run.docker.sock:/var/run/docker.sock -p 8080:8080 -ti my-jenkins-image

source

The Dockerfile I'm using is

FROM jenkins
COPY plugins.txt /usr/share/jenkins/plugins.txt
RUN /usr/local/bin/plugins.sh /usr/share/jenkins/plugins.txt

USER root
RUN apt-get update && apt-get install -y docker.io
RUN usermod -aG docker jenkins
USER jenkins

If I start a bash session in my running container and run docker info on my image I get

$ docker info
FATA[0000] Get http:///var/run/docker.sock/v1.18/info: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?

And if I run the bash session as root

docker exec -u 0 -ti cocky_mccarthy bash
root@5dbd0efad2b0:/# docker info
Containers: 42
Images: 50
...

So I guess the docker group I'm adding the jenkins user to is the group for the internal docker hence the socket is not readable without sudo. That's kind of a problem as the jenkins docker plugin etc are not set up to use sudo.

How can I mount the socket so it can be used from the image without sudo?

解决方案

I used your dockerfile but did a small edit:

FROM jenkins
COPY plugins.txt /usr/share/jenkins/plugins.txt
RUN /usr/local/bin/plugins.sh /usr/share/jenkins/plugins.txt

USER root
RUN apt-get update
RUN groupadd docker && gpasswd -a jenkins docker
USER jenkins

After building the image I can start it using (I'm on centos7):

docker run -d \
-v /var/run/docker.sock:/var/run/docker.sock \
     -v $(which docker):/usr/bin/docker:ro \
     -v /lib64/libdevmapper.so.1.02:/usr/lib/x86_64-linux-gnu/libdevmapper.so.1.02 \
     -v /lib64/libudev.so.0:/usr/lib/x86_64-linux-gnu/libudev.so.0 \
     -p 8080:8080 \
     --name jenkins \
     --privileged=true -t -i \
test/jenkins

You tried to install the package docker.io inside your image. But this package is also on your host (otherwise it's not possible to run docker containers on it). So It's recommended to mount this to your container instead of installing it in your docker file. I think the mounted /lib64/... is specific for Centos 7.

$ docker exec -it 9fc27d5fcec1 bash
jenkins@9fc27d5fcec1:/$ whoami 
jenkins
jenkins@9fc27d5fcec1:/$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                               NAMES
9fc27d5fcec1        test                "/bin/tini -- /usr/lo"   6 minutes ago       Up 6 minutes        0.0.0.0:8080->8080/tcp, 50000/tcp   jenkins

这篇关于如何在Docker容器中以正确的组装载Docker套筒的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！