JENKINS-68048

support run docker container as a different user/group

      I'd like to propose a new feature for running a Docker container as a different Linux user/group.

      Motivation

      There are permission issues when using a mounted /var/run/docker.sock to allow Docker access from within the container.

      Currently Jenkins fetches the user and group using org.jenkinsci.plugins.docker.workflow.client.DockerClient#whoAmI by executing the commands

      • id -u
      • id -g

      The Jenkins slave agent runs under this user:

      $ id
      uid=1005(jenkins) gid=1009(jenkins) groups=1009(jenkins),27(sudo),108(lxd),113(docker)

      Jenkinsfile

      pipeline {
          agent {
              dockerfile {
                  dir './some-folder/'
                  args '-v /var/run/docker.sock:/var/run/docker.sock'
              }
          }
          // stages omitted in the report
      }

      which results in the following docker run command

      docker run -t -d -u 1005:1009 -v /var/run/docker.sock:/var/run/docker.sock ... 

      but from within this container I get permission denied when accessing the Docker socket.

      Running the same command and changing the user group from jenkins to docker fixes the permission issue

      docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...

      I'd like to propose a new option to specify the user to start the container with, such as

      pipeline {
          agent {
              dockerfile {
                  dir './some-folder/'
                  args '-v /var/run/docker.sock:/var/run/docker.sock'
                  user 'jenkins:docker'
              }
          }
          // stages omitted in the report
      }

      and let this plugin resolve the user/group names to their IDs so that the run command looks like

      docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...
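
The name-to-ID resolution proposed above, sketched as an added example; it is not code from the report or from the plugin. The helper names and the embedded passwd/group data are constructed, using the IDs from the `id` output in the report, and the helper restricts the accepted characters because the value ends up on a docker command line.

```shell
#!/bin/sh
# Constructed sample data in passwd(5)/group(5) format, using the IDs from
# the report. On a real agent use "$(getent passwd)" and "$(getent group)".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
jenkins:x:1005:1009:Jenkins:/home/jenkins:/bin/sh'
SAMPLE_GROUP='root:x:0:
jenkins:x:1009:
docker:x:113:jenkins'

# lookup DB KEYFIELD KEY OUTFIELD: print OUTFIELD of the first entry whose
# KEYFIELD equals KEY; non-zero exit status when there is no such entry.
lookup() {
    printf '%s\n' "$1" | awk -F: -v k="$2" -v v="$3" -v o="$4" \
        '$k == v { print $o; found = 1; exit } END { exit !found }'
}

# resolve_user_spec SPEC: print "UID:GID" for use with `docker run -u`.
# SPEC is "user" or "user:group"; each part may be a name or a numeric ID.
# (Hypothetical helper name; not part of the plugin.)
resolve_user_spec() {
    spec=$1
    # Accept only name/ID characters and at most one colon, so the value
    # cannot carry whitespace, options or shell metacharacters into the
    # generated docker command line.
    case $spec in
        ''|-*|:*|*:|*:*:*|*[!A-Za-z0-9._:-]*) return 2 ;;
    esac
    user=${spec%%:*}
    group=
    case $spec in *:*) group=${spec#*:} ;; esac

    # Names contain a non-digit; all-digit parts are taken as numeric IDs.
    case $user in
        *[!0-9]*) key=1; uid=$(lookup "$SAMPLE_PASSWD" 1 "$user" 3) || return 1 ;;
        *)        key=3; uid=$user ;;
    esac
    case $group in
        # No group given: use the primary group, which is what `id -g` reports.
        '')       gid=$(lookup "$SAMPLE_PASSWD" "$key" "$user" 4) || return 1 ;;
        *[!0-9]*) gid=$(lookup "$SAMPLE_GROUP" 1 "$group" 3) || return 1 ;;
        *)        gid=$group ;;
    esac
    printf '%s:%s\n' "$uid" "$gid"
}

echo "docker run -t -d -u $(resolve_user_spec jenkins:docker) ..."
```

Exit status 1 means the user or group name is unknown, and 2 means the spec was rejected before any lookup.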

          [JENKINS-68048] support run docker container as a different user/group

          Josef created issue -
          Josef made changes -
          Summary Original: support run docker as different user/group New: support run docker container as a different user/group
          Josef made changes -
          Priority Original: Minor [ 4 ] New: Major [ 3 ]

            Unassigned Unassigned
            ludvicekj Josef