support run docker container as a different user/group


      I'd like to propose a new feature for running the docker container as a different Linux user/group.

       

      Motivation

      There are permission issues when using a mounted /var/run/docker.sock to allow docker access from within the container.

       

       

      Currently Jenkins fetches the user and group using org.jenkinsci.plugins.docker.workflow.client.DockerClient#whoAmI by executing the commands

      • id -u
      • id -g

       

      The Jenkins slave agent runs under this user:

      $ id 
      uid=1005(jenkins) gid=1009(jenkins) groups=1009(jenkins),27(sudo),108(lxd),113(docker)
       

       

      Jenkinsfile (the stages block is added here so the snippet is a complete pipeline)

       pipeline {
          agent {
              dockerfile {
                  dir './some-folder/'
                  args '-v /var/run/docker.sock:/var/run/docker.sock'
              }
          }
          // minimal stage that talks to the mounted host socket
          stages { stage('build') { steps { sh 'docker ps' } } }
       }

       

      which results in the following docker run command

      docker run -t -d -u 1005:1009 -v /var/run/docker.sock:/var/run/docker.sock ... 

      but from within this container I get "permission denied" when accessing the docker socket.

       

      Running the same command with the group changed from jenkins to docker (gid 113 in the id output above) fixes the permission issue:

      docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...  

       

      I'd like to propose a new option to specify the user the container is started as, such as

      pipeline {
          agent {
              dockerfile {
                  dir './some-folder/'
                  args '-v /var/run/docker.sock:/var/run/docker.sock'
                  user 'jenkins:docker'
              }
          }
          // minimal stage added so the snippet is a complete pipeline
          stages { stage('build') { steps { sh 'docker ps' } } }
      }

      and let this plugin resolve the user/group names to their IDs so that the run command looks like

      docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...  
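The name-to-ID resolution the proposal asks for, as an added example written for this issue (not plugin code): it turns a "user[:group]" spec such as jenkins:docker into the uid:gid string that docker run -u expects, accepting numeric IDs as-is, defaulting to the user's primary group when no group is given, and failing (non-zero exit) when a name does not exist on the agent. It assumes it runs on the agent host, where the user is looked up with `id` as whoAmI does and the group is read from /etc/group.

```shell
#!/bin/sh
# Resolve "user[:group]" (names or numeric ids) to "uid:gid" for docker run -u.
# Example code for this feature request, not the docker-workflow plugin's own.
# Note: membership in the docker group gives full control of the host daemon,
# so the resolved gid is exactly what grants socket access here.

resolve_user_spec() {
    spec=$1
    user=${spec%%:*}
    group=${spec#*:}
    # No ":" in the spec: use the user's primary group, as docker itself does.
    [ "$group" = "$spec" ] && group=""

    case $user in
        ''|*[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || return 1 ;;  # name
        *)           uid=$user ;;                                      # numeric
    esac

    if [ -z "$group" ]; then
        gid=$(id -g "$user" 2>/dev/null) || return 1
    else
        case $group in
            *[!0-9]*)
                # look the group name up in /etc/group; exit 1 if absent
                gid=$(awk -F: -v g="$group" \
                      '$1==g {print $3; f=1} END {exit !f}' /etc/group) || return 1 ;;
            *)  gid=$group ;;
        esac
    fi
    printf '%s:%s\n' "$uid" "$gid"
}

# Build the run command line the plugin would emit for a given spec.
docker_run_cmd() {
    u=$(resolve_user_spec "$1") || return 1
    printf 'docker run -t -d -u %s -v /var/run/docker.sock:/var/run/docker.sock\n' "$u"
}
```

On the reporter's agent, `resolve_user_spec jenkins:docker` would yield `1005:113`; the assertions below use root:root so they hold on any Linux host.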

      Assignee: Unassigned
      Reporter: Josef
      Archiver: Jenkins Service Account