Jenkins / JENKINS-45473

Running Docker inside docker.image().inside() fails because group is set


      We have a Jenkins master/slave setup, both running in Docker containers under a user with uid 1000 and gid 1000. The slave has the Docker socket mounted and the user is in group docker, i.e. Docker can be run without any problems in the slave. We use Jenkinsfiles and the Docker Workflow plugin to build in containers. The plugin automatically mounts all volumes from the slave including the Docker socket into the build container. The build image has Docker installed and has a user with uid/gid 1000 which is also in group docker. However, due to the fact that the plugin passes -u 1000:1000 when the build container is started, the user effectively is no longer in the docker group and access to the Docker socket fails.
       

      $ # On host
      $ id
      uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),[...],999(docker)
      $
      $ # Run build container with uid only
      $ docker run --rm -ti -u 1000 -v /var/run/docker.sock:/var/run/docker.sock mybuildimage bash
      ubuntu@b467415839f6:/$
      ubuntu@b467415839f6:/$ # User has docker group, running Docker works
      ubuntu@b467415839f6:/$ id
      uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),999(docker)
      ubuntu@b467415839f6:/$ docker info
      Containers: 8
       Running: 8
       Paused: 0
       Stopped: 0
      Images: 217
      [...]
      ubuntu@b467415839f6:/$ exit
      $
      $ # Run build container with uid and gid as the Docker Workflow plugin does it
      $ docker run --rm -ti -u 1000:1000 -v /var/run/docker.sock:/var/run/docker.sock mybuildimage bash
      ubuntu@fb8994abddd9:/$ # User does not have docker group, running Docker fails
      ubuntu@fb8994abddd9:/$ id
      uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)
      ubuntu@fb8994abddd9:/$ docker info
      Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.30/info: dial unix /var/run/docker.sock: connect: permission denied
      

      I can work around this by explicitly passing the user only as args:

      docker.image('mybuildimage').inside('-u 1000') {
          sh 'docker info'
      }
      

      This seems, however, kind of hacky because the plugin just adds my args and the latter ones seem to win:

      docker run -t -d -u 1000:1000 -u 1000 -w /home/ubuntu/workspace/testjob
      

      Can the behavior be changed to only pass the user and not the group? Wouldn't that suffice? Alternatively, what about an option to explicitly specify the user?

            Unassigned Unassigned
            unguiculus unguiculus
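A diagnostic for the failure shown in the report, as an added example that is not part of the original issue or of the plugin's code: it applies the kernel's owner/group/other check to the Docker socket and reports which class the process falls into. The function names are made up for illustration, and the sample values assume the socket is owned by root with the docker gid 999 from the report and mode 660; `check_docker_sock` additionally assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: why can (or can't) this process open the Docker socket?

# Pure decision function, so it can be exercised with the report's values.
#   $1 process uid          $2 space-separated process gids (as from `id -G`)
#   $3 socket owner uid     $4 socket gid     $5 socket mode in octal (e.g. 660)
sock_access() {
    uid=$1 gids=$2 s_uid=$3 s_gid=$4 mode=$5
    bits=$(( 0$mode ))                    # leading 0 makes the shell read it as octal
    if [ "$uid" -eq 0 ]; then
        echo "allow: root"; return 0      # root bypasses the mode bits
    fi
    # Only the first matching class applies: owner, then group, then other.
    if [ "$uid" -eq "$s_uid" ]; then
        class=owner shift_by=6
    else
        class=other shift_by=0
        for g in $gids; do
            if [ "$g" -eq "$s_gid" ]; then class=group shift_by=3; fi
        done
    fi
    # connect() on a unix socket needs write permission on the socket file.
    if [ $(( (bits >> shift_by) & 2 )) -ne 0 ]; then
        echo "allow: $class"
    else
        echo "deny: $class class has no write bit (process gids: $gids, socket gid: $s_gid)"
        return 1
    fi
}

# Live check for use inside the build container (needs GNU stat).
check_docker_sock() {
    sock=${1:-/var/run/docker.sock}
    info=$(stat -c '%u %g %a' "$sock") || return 2
    set -- $info
    sock_access "$(id -u)" "$(id -G)" "$1" "$2" "$3"
}

# Constructed sample values mirroring the two `id` outputs in the report.
sock_access 1000 "1000 999" 0 999 660          # started with -u 1000
sock_access 1000 "1000"     0 999 660 || true  # started with -u 1000:1000
```

A `deny: other` result from `check_docker_sock` means the process lacks the socket's gid as a supplementary group; `docker run` has a `--group-add` option for supplying one without dropping the explicit gid.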