I am new to Docker. I just tried to use Docker on my local machine (Ubuntu 16.04) with Jenkins.
I configured a new job with the pipeline script below.
node {
    stage('Build') {
        docker.image('maven:3.3.3').inside {
            sh 'mvn --version'
        }
    }
}
But it fails with the error below.
The user jenkins needs to be added to the group docker:
sudo usermod -a -G docker jenkins
Then restart Jenkins.
Edit
If you arrive at this Stack Overflow question because you receive this message from Docker but you don't use Jenkins, most probably the error is the same: your unprivileged user does not belong to the docker group.
You can do:
sudo usermod -a -G docker alice
or whatever your username is.
You can check it at the end by running cat /etc/group and seeing something like this:
docker:x:998:alice
in one of the lines.
As Ilya Kolesnikov says in the comment, relogin!
My first solution was:
usermod -aG docker jenkins
usermod -aG root jenkins
chmod 664 /var/run/docker.sock
But none of them worked for me. I tried:
chmod 777 /var/run/docker.sock
That works, but I don't know if it is the right call.
Success for me
sudo usermod -a -G docker $USER
reboot
I added the jenkins user to the root group and restarted Jenkins, and it started working.
sudo usermod -a -G root jenkins
sudo service jenkins restart
2018-08-19
I have been stuck for days on this one and, as I haven't found a complete answer with the why and how, I will post one for other people who stumble on the same problem and for whom the answers above do not work.
These are the 3 crucial steps when running Jenkins inside docker:
- You mount the socket /var/run/docker.sock to the jenkins container in order to be able to use the docker from the host.
- You have to install docker inside the container in order to use it. This is a great and simple article on how to do that. Note that newer versions might already have docker installed.
- You run sudo usermod -a -G docker jenkins in order to add jenkins to the docker group. However, here you might run into a permission problem if the host docker and the container docker don't have the same group id, so it is very important to adjust the container docker's gid to be the same as the host docker gid.
You can do this as a part of a launch script or simply by using exec and doing it manually: groupmod -g <YOUR_HOST_DOCKER_GID> docker.
Also, do not change permissions of the /var/run/docker.sock to 777 or stuff like that because that is a big security risk.
Hope this helps
I have Jenkins running in Docker, and the connected Jenkins is using the Docker socket from the host machine (Ubuntu 16.04) via a volume to /var/run/docker.sock.
For me the solution was:
1) Inside the Docker container of Jenkins (docker exec -it jenkins bash on the host machine)
usermod -a -G docker jenkins
chmod 664 /var/run/docker.sock
service jenkins restart (or systemctl restart jenkins.service)
su jenkins
2) On host machine:
sudo service docker restart
664 means read and write (but not execute) for owner and users from group.
Simply adding docker as a supplementary group for the jenkins user
sudo usermod -a -G docker jenkins
is not always enough when using a Docker image as the Jenkins Agent. That is, if your Jenkinsfile starts with pipeline{agent{dockerfile or pipeline{agent{image:
pipeline {
    agent {
        dockerfile {
            filename 'Dockerfile.jenkinsAgent'
        }
    }
    stages {
This is because Jenkins performs a docker run command, which results in three problems.
- The Agent will (probably) not have the Docker programs installed.
- The Agent will not have access to the Docker daemon socket, and so will try to run Docker-in-Docker, which is not recommended.
- Jenkins gives the numeric user ID and numeric group ID that the Agent should use. The Agent will not have any supplementary groups, because docker run does not do a login to the container (it's more like a sudo).
Installing Docker for the Agent
Making the Docker programs available within the Docker image simply requires running the Docker installation steps in your Dockerfile:
# Dockerfile.jenkinsAgent
FROM debian:stretch-backports
# Install Docker in the image, which adds a docker group
RUN apt-get -y update && \
    apt-get -y install \
        apt-transport-https \
        ca-certificates \
        curl \
        gnupg \
        lsb-release \
        software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
    $(lsb_release -cs) \
    stable"
RUN apt-get -y update && \
    apt-get -y install \
        docker-ce \
        docker-ce-cli \
        containerd.io
...
Sharing the Docker daemon socket
As has been said before, fixing the second problem means running the Jenkins Docker container so it shares the Docker daemon socket with the Docker daemon that is outside the container. So you need to tell Jenkins to run the Docker container with that sharing, thus:
pipeline {
    agent {
        dockerfile {
            filename 'Dockerfile.jenkinsAgent'
            args '-v /var/run/docker.sock:/var/run/docker.sock'
        }
    }
Setting UIDs and GIDs
The ideal fix to the third problem would be to set up supplementary groups for the Agent. That does not seem possible. The only fix I'm aware of is to run the Agent with the Jenkins UID and the Docker GID (the socket has group write permission and is owned by root.docker). But in general, you do not know what those IDs are (they were allocated when the useradd ... jenkins and groupadd ... docker ran when Jenkins and Docker were installed on the host). And you can not simply tell Jenkins to use user jenkins and group docker
args '-v /var/run/docker.sock:/var/run/docker.sock -u jenkins:docker'
because that tells Docker to use the user and group that are named jenkins and docker within the image, and your Docker image probably does not have the jenkins user and group, and even if it did there would be no guarantee it would have the same UID and GID as the host, and there is similarly no guarantee that the docker GID is the same.
Fortunately, Jenkins runs the docker build command for your Dockerfile in a script, so you can do some shell-script magic to pass through that information as Docker build arguments:
pipeline {
    agent {
        dockerfile {
            filename 'Dockerfile.jenkinsAgent'
            additionalBuildArgs '--build-arg JENKINSUID=`id -u jenkins` --build-arg JENKINSGID=`id -g jenkins` --build-arg DOCKERGID=`stat -c %g /var/run/docker.sock`'
            args '-v /var/run/docker.sock:/var/run/docker.sock -u jenkins:docker'
        }
    }
That uses the id command to get the UID and GID of the jenkins user and the stat command to get information about the Docker socket.
Your Dockerfile can use that information to set up a jenkins user and docker group for the Agent, using groupadd, groupmod and useradd:
# Dockerfile.jenkinsAgent
FROM debian:stretch-backports
ARG JENKINSUID
ARG JENKINSGID
ARG DOCKERGID
...
# Install Docker in the image, which adds a docker group
RUN apt-get -y update && \
    apt-get -y install \
        apt-transport-https \
        ca-certificates \
        curl \
        gnupg \
        lsb-release \
        software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
    $(lsb_release -cs) \
    stable"
RUN apt-get -y update && \
    apt-get -y install \
        docker-ce \
        docker-ce-cli \
        containerd.io
...
# Setup users and groups
RUN groupadd -g ${JENKINSGID} jenkins
RUN groupmod -g ${DOCKERGID} docker
RUN useradd -c "Jenkins user" -g ${JENKINSGID} -G ${DOCKERGID} -M -N -u ${JENKINSUID} jenkins
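The numeric permission check that the answers above keep running into, written out as an added example (not code from any of the answers): connecting to /var/run/docker.sock needs write permission on the socket, decided by owner, then group, then other, on numeric IDs only. The UIDs and GIDs used (1000, 998, 999, 65534) are constructed for illustration, and sock_access and audit_socket are hypothetical helper names.

```shell
#!/bin/sh
# Added example: why group membership, GIDs and socket mode decide the outcome.
# Connecting to a Unix socket needs write permission on the socket file.

# sock_access MODE OWNER_UID GROUP_GID PROC_UID "PROC_GIDS"
# Applies the owner -> group -> other rule using numeric IDs only
# (names such as "docker" are never consulted; POSIX ACLs are ignored here).
sock_access() {
    mode=$((0$1)); owner=$2; group=$3; uid=$4; gids=$5
    if [ "$uid" -eq 0 ]; then echo "allow:root"; return 0; fi
    if [ "$uid" -eq "$owner" ]; then
        class=owner; bits=$(( (mode >> 6) & 7 ))
    else
        class=other; bits=$(( mode & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then
                class=group; bits=$(( (mode >> 3) & 7 )); break
            fi
        done
    fi
    if [ $(( bits & 2 )) -ne 0 ]; then echo "allow:$class"; else echo "deny:$class"; fi
}

# audit_socket PATH: same check for the calling process against a real socket.
audit_socket() {
    if [ ! -S "$1" ]; then echo "skip:no-socket"; return 0; fi
    set -- $(stat -c '%a %u %g' "$1")   # GNU stat: mode, owner UID, group GID
    sock_access "$1" "$2" "$3" "$(id -u)" "$(id -G)"
}

# Constructed scenarios: socket is root:docker, host docker GID 998, jenkins UID 1000.
echo "jenkins in docker group:    $(sock_access 660 0 998 1000 '1000 998')"
echo "usermod done, no re-login:  $(sock_access 660 0 998 1000 '1000')"
echo "container docker GID is 999: $(sock_access 660 0 998 1000 '1000 999')"
echo "docker run -u 1000:998:     $(sock_access 660 0 998 1000 '998')"
echo "chmod 664, not in group:    $(sock_access 664 0 998 1000 '1000')"
echo "chmod 777, unrelated user:  $(sock_access 777 0 998 65534 '65534')"
echo "this process, real socket:  $(audit_socket /var/run/docker.sock)"
```

The allow:other result for mode 777 is what makes that setting a risk: every local account, and every container that has the socket mounted, can then drive the Docker daemon.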
2019-02-16
Most of the steps were the same for me as the others have written. However, I was not able to add jenkins to the group docker using usermod with the mentioned solutions.
I tried the following command from the docker host, and from the running docker container:
sudo usermod -a -G docker jenkins
(I entered the running docker container with the following command from the docker host:
docker exec -t -i my_container_id_or_name /bin/bash
)
Received from docker host:
usermod: user 'jenkins' does not exist
Received from docker container:
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
#1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility.
[sudo] password for jenkins:
I didn't know the password.
Without the sudo part of the command, in the docker container I received:
usermod: Permission denied. usermod: cannot lock /etc/passwd; try again later.
Solution: I entered the running docker container from the docker host with the following command:
docker exec -t -i -u root my_container_id_or_name /bin/bash
Now, I entered as root, and issued the following command:
usermod -a -G docker jenkins
Then, from the docker host, I restarted my running docker container with the following command:
docker restart my_container_id_or_name
After that, I started the jenkins job and it finished with success.
I only used the root user to issue the usermod command for the user jenkins.
In my case, it was not only necessary to add the jenkins user to the docker group, but also to make that group the primary group of the jenkins user.
# usermod -g docker jenkins
# usermod -a -G jenkins jenkins
Don't forget to reconnect the Jenkins slave node or restart the Jenkins server, depending on your case.
sudo usermod -a -G docker jenkins
sudo service jenkins restart
2019-05-26
This worked for me!
Example docker-compose:
version: "3"
services:
  jenkins:
    image: jenkinsci/blueocean
    privileged: true
    ports:
      - "8080:8080"
    volumes:
      - $HOME/learning/jenkins/jenkins_home:/var/jenkins_home
    environment:
      - DOCKER_HOST=tcp://socat:2375
    links:
      - socat
  socat:
    image: bpack/socat
    command: TCP4-LISTEN:2375,fork,reuseaddr UNIX-CONNECT:/var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    expose:
      - "2375"
On the server where Jenkins is running, I used
sudo setfacl -m user:tomcat:rw /var/run/docker.sock
And then run each docker container with
-v /var/run/docker.sock:/var/run/docker.sock
Using setfacl seems a better option, and no "-u user" is needed. The containers then run as the same user that is running Jenkins. But I would appreciate any feedback from the security experts.
Maybe you should run the docker with option "-u root" from the very beginning
At least that solved my problem
Source: https://stackoverflow.com/questions/47854463/got-permission-denied-while-trying-to-connect-to-the-docker-daemon-socket-at-uni