  1. Jenkins
  2. JENKINS-63650

bad docker run user option



      After upgrading jenkins, we have an issue for some jobs using the docker pipeline plugin (I don't know which plugin version we had before the upgrade).

      The nodes are using the jenkins swarm agent on a jdk8.

      The docker version is 18.09.2

      The os is centos7

      The issue only occurs when the image running also wants to run a docker by using a shared volume on /var/run/docker.sock, and it is a permission issue.


      Before the upgrade, the docker pipeline plugin was running this:


      [Pipeline] withDockerContainer
      18:13:15  $ docker run -t -d -u 510:993 -v /var/run/docker.sock:/var/run/docker.sock ...


      510 corresponds to the jenkins user

      993 corresponds to the docker group



      After the upgrade, which is not working anymore, it is running this:


      [Pipeline] withDockerContainer
      17:58:17  $ docker run -t -d -u 510:1012 -v /var/run/docker.sock:/var/run/docker.sock ...

      Where 1012 is the jenkins group.


      After trying to do it manually, I confirm that using the docker socket of the host from a container launched with 'jenkins:docker' for the user option fails with the following error:

      Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json?all=1: dial unix /var/run/docker.sock: connect: permission denied

      While it works fine when using 'jenkins:docker'.

      Sure, jenkins is in the docker group as well.


      I can't figure out when this has changed in the plugin code, it looks like you have always used "id -g": https://github.com/jenkinsci/docker-workflow-plugin/blob/master/src/main/java/org/jenkinsci/plugins/docker/workflow/client/DockerClient.java#L332

      However, for some reason, there is no doubt that the group changed.



      I have a workaround which consists in modifying the rights on /var/run/docker.sock, but I don't like that, as it may come with security issues and a docker upgrade may change these rights as well.

      I could also consider using custom options to specify the user if there is a way to do so.

      Sure, I would prefer the issue to be fixed


      Thanks for your help



            Unassigned Unassigned
            rlegrand reg leg
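The permission check behind the two `docker run -u` lines in the report, as an added example (not code from the reporter or from the docker-workflow plugin). It assumes the socket is owned by uid 0 and gid 993 with mode 660, which are constructed values; `has_rw` and `socket_group_arg` are hypothetical helper names. A process started with `-u uid:gid` carries only that gid plus any `--group-add` groups, so membership of the host's docker group is not inherited.

```shell
#!/bin/sh
# Added example. 510, 993 and 1012 are the ids from the report; the socket
# owner (uid 0) and mode (660) are constructed assumptions.

# has_rw OWNER_UID OWNER_GID MODE PROC_UID PROC_GID [SUPPLEMENTARY_GID...]
# Returns 0 when a process with these ids may open the socket read/write.
# Mirrors the kernel's order: owner bits, else group bits, else other bits.
has_rw() {
    owner_uid=$1; owner_gid=$2; mode=$3; proc_uid=$4; proc_gid=$5
    shift 5
    # root normally bypasses the mode bits (CAP_DAC_OVERRIDE)
    if [ "$proc_uid" -eq 0 ]; then return 0; fi
    if [ "$proc_uid" -eq "$owner_uid" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    else
        bits=$(( 0$mode & 7 ))          # "other" bits unless a group matches
        for g in "$proc_gid" "$@"; do
            if [ "$g" -eq "$owner_gid" ]; then
                bits=$(( (0$mode >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( bits & 6 )) -eq 6 ]
}

# Print the docker run option that adds the socket's group as a supplementary
# group, leaving the socket's own permissions untouched (GNU stat syntax).
socket_group_arg() {
    printf '%s %s\n' --group-add "$(stat -c %g "$1")"
}

# The two invocations from the report, checked against the assumed socket.
for ids in 510:993 510:1012; do
    if has_rw 0 993 660 "${ids%%:*}" "${ids##*:}"; then r=allowed; else r=denied; fi
    echo "-u $ids -> $r"
done
```

Loosening the socket to mode 666 makes `has_rw 0 993 666 <any uid> <any gid>` succeed, which is why adding the socket's gid as a supplementary group is the narrower change.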