-
Bug
-
Resolution: Unresolved
-
Major
-
None
We have a Jenkins master/slave setup, both running in Docker containers under a user with uid 1000 and gid 1000. The slave has the Docker socket mounted and the user is in group docker, i. e. Docker can be run without any problems in the slave. We use Jenkinsfiles and and the Docker Workflow plugin to build in containers. The plugin automatically mounts all volumes from the slave including the Docker socket into the build container. The build image has Docker installed and has a user with uid/gui 1000 which is also in group docker. However, due to the fact that the plugin passes -u 1000:1000 when the build container is started, the user effectively is no longer in the docker group and access to the Docker socket fails.
$ # On host $ id uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),[...],999(docker) $ $ # Run build container with uid only $ docker run --rm -ti -u 1000 -v /var/run/docker.sock:/var/run/docker.sock mybuildimage bash ubuntu@b467415839f6:/$ ubuntu@b467415839f6:/$ # User has docker group, running Docker works ubuntu@b467415839f6:/$ id uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),999(docker) ubuntu@b467415839f6:/$ docker info Containers: 8 Running: 8 Paused: 0 Stopped: 0 Images: 217 [...] ubuntu@b467415839f6:/$ exit $ $ # Run build container with uid and gid as the Docker Workflow plugin does it $ docker run --rm -ti -u 1000:1000 -v /var/run/docker.sock:/var/run/docker.sock mybuildimage bash ubuntu@fb8994abddd9:/$ # User does not have docker group, running Docker fails ubuntu@fb8994abddd9:/$ id uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu) ubuntu@fb8994abddd9:/$ docker info Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.30/info: dial unix /var/run/docker.sock: connect: permission denied
I can work around this by explicitly passing the user only as args:
docker.image('mybuildimage').inside(-u 1000') { sh 'docker info' }
This seems, however, kind of hacky because the plugin just adds my args and the latter ones seem to win:
docker run -t -d -u 1000:1000 -u 1000 -w /home/ubuntu/workspace/testjob
Can the behavior be changed to only pass the user and not the group? Wouldn't that suffice? Alternatively, what about an option to explicitly specify the user?
