New Feature
Resolution: Unresolved
Major
I'd like to propose a new feature for running a docker container as a different Linux user/group.
Motivation
There are permission issues when using mounted /var/run/docker.sock to allow docker access from within the container.
Currently Jenkins fetches the user and group using org.jenkinsci.plugins.docker.workflow.client.DockerClient#whoAmI by executing the commands
- id -u
- id -g
Jenkins slave agent runs under this user:
$ id
uid=1005(jenkins) gid=1009(jenkins) groups=1009(jenkins),27(sudo),108(lxd),113(docker)
Jenkinsfile
pipeline {
    agent {
        dockerfile {
            dir './some-folder/'
            args '-v /var/run/docker.sock:/var/run/docker.sock'
        }
    }
}
which results in the following docker run command:
docker run -t -d -u 1005:1009 -v /var/run/docker.sock:/var/run/docker.sock ...
but from within this container I get permission denied when accessing the docker socket.
Running the same command and changing the user group from jenkins to docker fixes the permission issue:
docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...
I'd like to propose a new option to specify the user to start the container as, such as
pipeline {
    agent {
        dockerfile {
            dir './some-folder/'
            args '-v /var/run/docker.sock:/var/run/docker.sock'
            user 'jenkins:docker'
        }
    }
}
and let this plugin resolve the user/group names to their IDs so that the run command looks like
docker run -t -d -u 1005:113 -v /var/run/docker.sock:/var/run/docker.sock ...
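The name-to-ID resolution proposed above, sketched as an added shell example (not the plugin's code and not part of the original issue): it maps a `user:group` spec to the numeric `uid:gid` given to `docker run -u`, and refuses a group the user does not already belong to. The function names, the `PASSWD_DB`/`GROUP_DB` overrides, the membership check and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: resolve "user:group" to the numeric uid:gid for `docker run -u`.
# PASSWD_DB/GROUP_DB are assumed overrides so the lookup can run on constructed files.
PASSWD_DB=${PASSWD_DB:-/etc/passwd}
GROUP_DB=${GROUP_DB:-/etc/group}

resolve_run_user() {
    spec=$1
    # Accept exactly name:name; reject anything else before it nears a command line.
    case $spec in
        *:*:* | :* | *: | *[!A-Za-z0-9_.:-]*) echo "invalid spec: $spec" >&2; return 2 ;;
        *:*) ;;
        *) echo "invalid spec: $spec" >&2; return 2 ;;
    esac
    user=${spec%%:*}
    group=${spec#*:}
    # passwd fields: name:pw:uid:gid:...   group fields: name:pw:gid:members
    ids=$(awk -F: -v u="$user" '$1 == (u "") { print $3 ":" $4; exit }' "$PASSWD_DB")
    [ -n "$ids" ] || { echo "unknown user: $user" >&2; return 3; }
    grp=$(awk -F: -v g="$group" '$1 == (g "") { print $3 ":" $4; exit }' "$GROUP_DB")
    [ -n "$grp" ] || { echo "unknown group: $group" >&2; return 3; }
    uid=${ids%%:*}; primary_gid=${ids#*:}
    gid=${grp%%:*}; members=${grp#*:}
    # Only hand out a group the user already belongs to (primary or supplementary).
    if [ "$gid" != "$primary_gid" ]; then
        case ",$members," in
            *",$user,"*) ;;
            *) echo "$user is not a member of $group" >&2; return 4 ;;
        esac
    fi
    printf '%s:%s\n' "$uid" "$gid"
}

# Constructed sample databases mirroring the `id` output quoted in the issue;
# "builder" is an invented user that is not in the docker group.
write_sample_db() {
    printf '%s\n' 'jenkins:x:1005:1009::/home/jenkins:/bin/bash' \
                  'builder:x:1006:1010::/home/builder:/bin/bash' > "$1/passwd"
    printf '%s\n' 'jenkins:x:1009:' 'builder:x:1010:' 'sudo:x:27:jenkins' \
                  'lxd:x:108:jenkins' 'docker:x:113:jenkins' > "$1/group"
}

demo_dir=$(mktemp -d)
write_sample_db "$demo_dir"
PASSWD_DB=$demo_dir/passwd GROUP_DB=$demo_dir/group
echo "docker run -t -d -u $(resolve_run_user jenkins:docker) -v /var/run/docker.sock:/var/run/docker.sock ..."
```

On a real agent the group ID must be the one that owns the socket on the host where the container runs, so the lookup has to read that host's databases rather than the controller's.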
[JENKINS-68048] support run docker container as a different user/group
Summary | Original: support run docker as different user/group | New: support run docker container as a different user/group |
Priority | Original: Minor [ 4 ] | New: Major [ 3 ] |