• Type: New Feature
• Resolution: Unresolved
• Priority: Major
• Component/s: docker-workflow-plugin
• Labels:

  None

[JENKINS-68048] support run docker container as a different user/group

Josef created issue - 2022-03-16 15:13

Josef made changes - 2022-03-16 15:14

Summary

Original: support run docker as different user/group

New: support run docker container as a different user/group

Josef made changes - 2022-03-16 15:15

Description

Original: I'd like to propose new feature for running docker container as different linux user/group   *Motivation* There are permission issues when using mounted {{/var/run/docker.sock}} to allow docker access from within the container.     Currently jenkins fetches user and group using {{org.jenkinsci.plugins.docker.workflow.client.DockerClient#whoAmI by executing commands }}{{id -u}} and {{id -g}}   {{Jenkins slave agent runs under this user}} {code:java} $ id uid=1005(jenkins) gid=1009(jenkins) groups=1009(jenkins),27(sudo),108(lxd),113(docker)  {code}   {{Jenkinsfile}} {code:java}  pipeline {     agent {         dockerfile {             dir './some-folder/'             args '-v /var/run/docker.sock:/var/run/docker.sock'         }     }{code}   {{which results into following docker run command}} {code:java} docker run -t -d -u 1005:1009 -v /var/run/docker.sock:/var/run/docker.sock ... {code} but from within this container I get permission denied when accessing docker socket.   Running the same command and changing the user group from {{jenkins}} to {{docker}} fixes the permission issue {code:java} docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ... {code}   I'd like to propose new option to specify user to start container such as {code:java} pipeline {     agent {         dockerfile {             dir './some-folder/'             args '-v /var/run/docker.sock:/var/run/docker.sock'             user 'jenkins:docker'         }     }{code} and let this plugin resolve the user/group name to their IDs so that run command looks like {code:java} docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ... {code}

New: I'd like to propose new feature for running docker container as different linux user/group   *Motivation* There are permission issues when using mounted {{/var/run/docker.sock}} to allow docker access from within the container.     Currently jenkins fetches user and group using {{org.jenkinsci.plugins.docker.workflow.client.DockerClient#whoAmI}} by executing commands * {{id -u}} * {{id -g}}   {{Jenkins slave agent runs under this user}} {code:java} $ id uid=1005(jenkins) gid=1009(jenkins) groups=1009(jenkins),27(sudo),108(lxd),113(docker)  {code}   {{Jenkinsfile}} {code:java}  pipeline {     agent {         dockerfile {             dir './some-folder/'             args '-v /var/run/docker.sock:/var/run/docker.sock'         }     }{code}   {{which results into following docker run command}} {code:java} docker run -t -d -u 1005:1009 -v /var/run/docker.sock:/var/run/docker.sock ... {code} but from within this container I get permission denied when accessing docker socket.   Running the same command and changing the user group from {{jenkins}} to {{docker}} fixes the permission issue {code:java} docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ... {code}   I'd like to propose new option to specify user to start container such as {code:java} pipeline {     agent {         dockerfile {             dir './some-folder/'             args '-v /var/run/docker.sock:/var/run/docker.sock'             user 'jenkins:docker'         }     }{code} and let this plugin resolve the user/group name to their IDs so that run command looks like {code:java} docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ... {code}

Josef made changes - 2022-03-16 15:16

Priority

Original: Minor [ 4 ]

New: Major [ 3 ]