- New Feature
- Resolution: Unresolved
- Major
- None
I'd like to propose a new feature for running the Docker container as a different Linux user/group.
Motivation
There are permission issues when using a mounted /var/run/docker.sock to allow Docker access from within the container.
Currently Jenkins fetches the user and group using org.jenkinsci.plugins.docker.workflow.client.DockerClient#whoAmI by executing the commands
- id -u
- id -g
The Jenkins slave agent runs under this user:
$ id
uid=1005(jenkins) gid=1009(jenkins) groups=1009(jenkins),27(sudo),108(lxd),113(docker)
Jenkinsfile (the closing brace of the pipeline block was missing):
pipeline {
  agent {
    dockerfile {
      dir './some-folder/'
      args '-v /var/run/docker.sock:/var/run/docker.sock'
    }
  }
}
which results in the following docker run command
docker run -t -d -u 1005:1009 -v /var/run/docker.sock:/var/run/docker.sock ...
but from within this container I get permission denied when accessing the Docker socket.
Running the same command and changing the group from jenkins to docker fixes the permission issue:
docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...
I'd like to propose a new option to specify the user the container is started as, such as
pipeline {
  agent {
    dockerfile {
      dir './some-folder/'
      args '-v /var/run/docker.sock:/var/run/docker.sock'
      user 'jenkins:docker'
    }
  }
}
and let this plugin resolve the user/group names to their IDs, so that the run command looks like
docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...
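Added example, not part of this issue or of the docker-workflow plugin's code: a POSIX sh sketch of the name-to-id resolution the proposed user option would have to perform (a "user[:group]" spec such as jenkins:docker becomes the "uid:gid" that docker run -u expects), plus a check that the resolved gid actually matches the mounted docker socket. It assumes a Linux host with id, /etc/group (getent is used when present) and GNU or busybox stat; the function names are my own.

```shell
# Added example, not code from the issue or from the docker-workflow plugin.
# Assumes a Linux host with POSIX sh, `id`, /etc/group (getent when present)
# and GNU/busybox `stat`.

# Resolve a user name or numeric uid to a numeric uid.
# Prints nothing and returns non-zero if the user does not exist.
resolve_uid() {
  case "$1" in
    *[!0-9]*|'') id -u "$1" 2>/dev/null ;;   # a name: ask the passwd database
    *)           printf '%s\n' "$1" ;;       # already numeric: pass through
  esac
}

# Resolve a group name or numeric gid to a numeric gid (prints nothing on failure).
resolve_gid() {
  case "$1" in
    *[!0-9]*|'')
      if command -v getent >/dev/null 2>&1; then
        getent group "$1" | cut -d: -f3
      else
        awk -F: -v g="$1" '$1 == g { print $3 }' /etc/group
      fi
      ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Turn "user[:group]" into "uid:gid". Without an explicit group this falls back
# to the user's primary group, which is what the plugin's whoAmI (id -u / id -g)
# produces today; with one it yields the 1005:113 form the issue asks for.
resolve_user_spec() {
  case "$1" in
    *:*) user=${1%%:*}; group=${1#*:} ;;
    *)   user=$1;       group="" ;;
  esac
  uid=$(resolve_uid "$user") || return 1
  [ -n "$uid" ] || return 1
  if [ -z "$group" ]; then
    gid=$(id -g "$user" 2>/dev/null) || return 1
  else
    gid=$(resolve_gid "$group")
  fi
  [ -n "$gid" ] || return 1
  printf '%s:%s\n' "$uid" "$gid"
}

# Return 0 only if the socket exists, is owned by the given gid and is
# group-readable and -writable: the condition under which `-u uid:gid` plus a
# docker.sock bind mount works inside the container instead of "permission denied".
socket_group_ok() {
  sock=$1; gid=$2
  [ -S "$sock" ] || return 1
  [ "$(stat -c %g "$sock")" = "$gid" ] || return 1
  case "$(stat -c %A "$sock")" in
    ????rw*) return 0 ;;   # characters 5-6 of e.g. srw-rw---- are the group bits
    *)       return 1 ;;
  esac
}

# Example use (ids are the ones quoted in the issue; on another host they differ):
#   ids=$(resolve_user_spec jenkins:docker)        # -> 1005:113
#   socket_group_ok /var/run/docker.sock "${ids#*:}" && \
#     docker run -t -d -u "$ids" -v /var/run/docker.sock:/var/run/docker.sock ...
```

The socket check is worth keeping next to the resolution step: whichever gid ends up in -u grants the container full control of the daemon, which on a standard installation is root-equivalent on the host, so it should be verified that the socket really carries that group (and group rw bits) rather than silently granting a broader group than intended.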