Docker in Docker with Jenkins : Permission problem
Having troubles with permissions when running jenkins in a docker container and you need to access the host docker service? This is for you!
The problem
You’re running a jenkins container to build your project and you need to build a docker image inside your job. Well, there are ways to perform that, but in this case the jenkins are running inside a docker container, the best way is to allow Jenkins use the docker service that are running in the host.
But how do that?
When you execute the command to run Jenkins you can bind the folder /var/run/docker.sock
in host to the same folder inside the container.
Like below :
$ docker run -name jenkins -p 8080:8080 -p 50000:50000 -v ‘/var/run/docker.sock:/var/run/docker.sock’ jenkins/jenkins:lts
This will bind you host directory with the same folder inside the container.
But you can face this problem when you try to use the docker inside jenkins job :
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix /var/run/docker.sock: connect: permission denied
Why this problem happens?
This problem happens because jenkins container uses by default the user jenkins
from the group jenkins
and this groupd doesn’t have enough permissions to access the folder /var/run/docker.sock
.
How to fix?
First thing you have to know is which group has permissions to access the directory in the host. You can check by typing this command in terminal:
$ ls -l /var/run/docker.sock
You will get something similiar to this:
s - file type
rw - owner permission
rw - group permission
-- - all other users or groups
0 - owner UID (User identification)
993 - owner GID (Group Identification)
Now we know the user group that has enough permissions to access the folder /var/run/docker.sock
.
Next, we need to add the user jenkins
of our Jenkins container in a group with the same GID.
To do that we can access our container’s terminal typing this command in host.
$ docker exec -it -u root jenkins bash
Now we will check if a group named docker
exists with this command:
$ cat /etc/group
You will get something like this:
If your container doesn’t have the group docker
, you can create it by typing this command:
$ groupadd -g 993 docker
Note that 993 is the GID of the group that has enough permissions
And the last step is to add jenkins
user to the group docker
with this command:
$ gpasswd -a jenkins docker
Now if we restart our container it will have enough permissions to access /var/run/docker.sock
allowing it to use the host docker engine.
Calm Down and pay attention!
This article was just to explain what was happening and how solve it, but if you access the container terminal and run those commands, when your container die all your work will be gone and we will have to do it again.
To this problem I created repository in GitHub that contains a Dockerfile that create a derived image from official Jenkins image and run all those commands for you. The only thing you need to do is to discover the right GID of you docker engine host, replace in the docker file and build you custom Jenkins image.
You can find the Dockerfile in here:
https://github.com/igorgsousa/docker-jenkins
I hope this article helped you!
My solution is based on this article!
Thanks & good coding!!!