Took me a while to come back but just wanted to point out the group approach is what is "recommended" by Docker in the docs @ https://docs.docker.com/engine/installation/linux/linux-postinstall/. So definitely the least hacky of all the solutions :)
Richard.

On Sun, 9 Jul 2017 at 06:55 Dan Kinon <[email protected]> wrote:

> I'm running centos7 and installing pre-packaged docker 1.12.6 from epel7.
> I did see the suggestion out in the wild to add the jenkins user to the
> "docker" (specifically "dockerroot" on my installation) group. I tried
> this early on and it had no effect. I noticed that the unix socket
> (/var/run/docker.sock) was owned by user root and group root with 660
> permissions so that is why adding the jenkins user to the dockerroot group
> had no effect. To solve this issue, I had to change the group ownership on
> the socket by modifying /etc/sysconfig/docker and adding
> `--group=dockerroot` to the OPTIONS variable:
>
>> OPTIONS='--selinux-enabled --log-driver=journald
>> --signature-verification=false --group=dockerroot'
>
> Once I did this (in combination with adding the jenkins user to the
> dockerroot group) and restarted docker everything worked. This still feels
> a little hacky but at least it doesn't carry the negative security
> implications of some of the other solutions I mentioned.
>
> It would still be nice to have some semblance of control over how jenkins
> pipeline accesses/calls docker but this will do for now. Thanks for
> pointing me back in the docker group direction.
>
> On Friday, July 7, 2017 at 3:10:12 PM UTC-7, Richard Bywater wrote:
>
>> I haven't checked for a while but it used to be that if you add a user to
>> the "docker" group they'll be able to access docker commands.
>>
>> Richard
>>
>> On Sat, 8 Jul 2017, 9:27 AM Dan Kinon <[email protected]> wrote:
>>
>>> Hello,
>>> I'm running jenkins as a non-root user and am attempting to use a
>>> docker agent in my jenkinsfile. When I run the job, I get the following
>>> error:
>>> ~~~
>>> [VA_Build_containers_develop-NJECFMY5Y6Z5OKTQVWTCSYEZEVQKAXGGRGECV2LSFA2YZ2ALBWQQ] Running shell script
>>> + docker inspect -f . docker:1.12.6
>>> .
>>> Failed to run image 'docker:1.12.6'. Error: /usr/bin/docker-current: Cannot connect to the Docker daemon. Is the docker daemon running on this host?.
>>> See '/usr/bin/docker-current run --help'.
>>> ~~~
>>>
>>> The root cause of course is that docker is running as root and
>>> jenkins is not. The "solution" I've found on the internet is to open up
>>> permissions to the world on the docker.sock or to add a tcp connector to
>>> docker. While that may functionally get me what I want that is a hack not
>>> a best practice solution IMHO.
>>>
>>> I want to tell Jenkins docker agent to execute docker via sudo (as
>>> I've given the jenkins user all required permissions via sudoers) but I
>>> can't figure out how. Is there any way to currently do this or is this a
>>> feature request?
>>>
>>> Thanks in advance,
>>> -Dan

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAMui946m8LmmM%2B8scNYywpgjarB5JbxQJY9v81%3Dsj0RTrSNiVA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
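
The diagnosis worked through in the thread above (a root:root socket with mode 660, so membership in `dockerroot` had no effect until the daemon ran with `--group=dockerroot`), as an added example that is not part of the original messages. The function names `diagnose` and `audit_socket` are hypothetical, and GNU `stat -c` is assumed, as on CentOS 7.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Only the group access path is checked; socket ownership by the user is ignored.

# diagnose MODE SOCK_GROUP USER_GROUPS -> prints one verdict
#   MODE         octal mode of the socket, e.g. 660
#   SOCK_GROUP   group owning the socket
#   USER_GROUPS  space-separated groups of the service account
diagnose() {
    mode=$1 sock_group=$2 user_groups=$3
    other=${mode#"${mode%?}"}      # last octal digit: permissions for "other"
    rest=${mode%?}
    grp=${rest#"${rest%?}"}        # second-to-last digit: permissions for group

    # Connecting to a unix socket needs write permission on it.
    case $other in
        2|3|6|7) echo "world-writable"; return 0 ;;   # the workaround the thread rejects
    esac
    case $grp in
        2|3|6|7) ;;
        *) echo "no-group-write"; return 0 ;;
    esac
    # Whole-word match so "docker" does not match "dockerroot".
    case " $user_groups " in
        *" $sock_group "*) echo "ok" ;;
        *) echo "group-mismatch" ;;   # e.g. socket root:root, user only in dockerroot
    esac
}

# audit_socket [SOCKET] [USER]: gather live values and diagnose them.
# Assumes GNU stat (-c), as shipped on CentOS 7.
audit_socket() {
    sock=${1:-/var/run/docker.sock} user=${2:-jenkins}
    [ -S "$sock" ] || { echo "missing-socket"; return 1; }
    user_groups=$(id -nG "$user" 2>/dev/null) || { echo "unknown-user"; return 1; }
    diagnose "$(stat -c %a "$sock")" "$(stat -c %G "$sock")" "$user_groups"
}

# Run against the live socket only when arguments are given.
[ "$#" -eq 0 ] || audit_socket "$@"
```

Membership in the socket's group is root-equivalent on the host, so an `ok` verdict is best paired with keeping that group limited to the Jenkins service account.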
