I'm running centos7 and installing pre-packaged docker 1.12.6 from epel7. I did see the suggestion out in the wild to add the jenkins user to the "docker" (specifically "dockerroot" on my installation) group. I tried this early on and it had no effect. I noticed that the unix socket (/var/run/docker.sock) was owned by user root and group root with 660 permissions, so that is why adding the jenkins user to the dockerroot group had no effect. To solve this issue, I had to change the group ownership on the socket by modifying /etc/sysconfig/docker and adding `--group=dockerroot` to the OPTIONS variable:

> OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false --group=dockerroot'

Once I did this (in combination with adding the jenkins user to the dockerroot group) and restarted docker, everything worked. This still feels a little hacky but at least it doesn't carry the negative security implications of some of the other solutions I mentioned. It would still be nice to have some semblance of control over how jenkins pipeline accesses/calls docker but this will do for now.

Thanks for pointing me back in the docker group direction.

On Friday, July 7, 2017 at 3:10:12 PM UTC-7, Richard Bywater wrote:
>
> I haven't checked for a while but it used to be that if you add a user to
> the "docker" group they'll be able to access docker commands.
>
> Richard
>
> On Sat, 8 Jul 2017, 9:27 AM Dan Kinon <[email protected]> wrote:
>
>> Hello,
>> I'm running jenkins as a non-root user and am attempting to use a
>> docker agent in my jenkinsfile. When I run the job, I get the following
>> error:
>> ~~~
>> [VA_Build_containers_develop-NJECFMY5Y6Z5OKTQVWTCSYEZEVQKAXGGRGECV2LSFA2YZ2ALBWQQ] Running shell script
>> + docker inspect -f . docker:1.12.6
>> .
>> Failed to run image 'docker:1.12.6'. Error: /usr/bin/docker-current: Cannot connect to the Docker daemon. Is the docker daemon running on this host?.
>> See '/usr/bin/docker-current run --help'.
>> ~~~
>>
>> The root cause of course is that docker is running as root and jenkins
>> is not. The "solution" I've found on the internet is to open up
>> permissions to the world on the docker.sock or to add a tcp connector to
>> docker. While that may functionally get me what I want, that is a hack, not
>> a best practice solution IMHO.
>>
>> I want to tell Jenkins docker agent to execute docker via sudo (as
>> I've given the jenkins user all required permissions via sudoers) but I
>> can't figure out how. Is there any way to currently do this or is this a
>> feature request?
>>
>> Thanks in advance,
>> -Dan
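
The socket ownership problem described in this thread can be checked before and after the `--group=dockerroot` change with a script like the following. It is an added example, not part of the original thread; `socket_access` and `check_docker_socket` are hypothetical helper names, and GNU `stat` (as shipped on CentOS 7) is assumed.

```shell
#!/bin/sh
# Added example: decide which permission class (if any) lets a user connect
# to the Docker unix socket. connect() on a unix socket needs write permission.

# socket_access OWNER GROUP MODE USER "USER_GROUPS"
# Prints root, owner, group or other when USER can connect, else "none" (exit 1).
socket_access() {
    owner=$1; group=$2; mode=000$3; user=$4; user_groups=$5
    perms=${mode#"${mode%???}"}        # last three octal digits, e.g. 660
    o=${perms%??}                      # owner digit
    rest=${perms#?}; g=${rest%?}       # group digit
    w=${perms#??}                      # other ("world") digit
    if [ "$user" = root ]; then
        echo root; return 0            # root bypasses the mode bits
    fi
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$o
    else
        class=other; bits=$w
        for grp in $user_groups; do
            # A matching group means the group bits apply, never the other bits.
            if [ "$grp" = "$group" ]; then class=group; bits=$g; break; fi
        done
    fi
    if [ $(( bits & 2 )) -ne 0 ]; then
        echo "$class"
    else
        echo none; return 1
    fi
}

# check_docker_socket USER [SOCKET]
# Gathers the live values with GNU stat and id, then applies socket_access.
check_docker_socket() {
    sock=${2:-/var/run/docker.sock}
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock" >&2; return 2
    fi
    socket_access "$(stat -c %U "$sock")" "$(stat -c %G "$sock")" \
        "$(stat -c %a "$sock")" "$1" "$(id -nG "$1")"
}
```

Running `check_docker_socket jenkins` on the build host should print `none` with the socket at root:root 660 and `group` once docker has been restarted with `--group=dockerroot`. A result of `group` or `other` means every account in that class can send commands to the root-run daemon, so the group's membership is the access control list.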
