  1. Jenkins
  2. JENKINS-63650

bad docker run user option


      Hello,

      After upgrading jenkins, we have an issue for some jobs using the docker pipeline plugin (I don't know which plugin version we had before the upgrade).

      The nodes are using the jenkins swarm agent on a jdk8.

      The docker version is 18.09.2

      The os is centos7

      The issue only occurs when the image running also wants to run a docker by using a shared volume on /var/run/docker.sock, and it is a permission issue.

       

      Before the upgrade, the docker pipeline plugin was running this:

       

      [Pipeline] withDockerContainer
      ...
      18:13:15  $ docker run -t -d -u 510:993 -v /var/run/docker.sock:/var/run/docker.sock ...
      

      Where:

      510 corresponds to the jenkins user

      993 corresponds to the docker group

       

       

      After the upgrade, which is not working anymore, it is running this:

       

      [Pipeline] withDockerContainer
      ...
      17:58:17  $ docker run -t -d -u 510:1012 -v /var/run/docker.sock:/var/run/docker.sock ...
      

      Where 1012 is the jenkins group.

       

      After trying to do it manually, I confirm that using the docker socket of the host from a container launched with 'jenkins:docker' for the user option fails with the following error:

      Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json?all=1: dial unix /var/run/docker.sock: connect: permission denied
      
      

      While it works fine when using 'jenkins:docker'.

      Sure, jenkins is in the docker group as well.

       

      I can't figure out when this has changed in the plugin code, it looks like you have always used "id -g": https://github.com/jenkinsci/docker-workflow-plugin/blob/master/src/main/java/org/jenkinsci/plugins/docker/workflow/client/DockerClient.java#L332

      However for some reason, no doubt that the group changed.

       

       

      I have a workaround which consists in modifying the rights on /var/run/docker.sock, but I don't like that, as it may come with security issues and a docker upgrade may change these rights as well.

      I could also consider using custom options to specify the user if there is a way to do so.

      Sure, I would prefer the issue to be fixed.

       

      Thanks for your help

       

       

            rlegrand reg leg
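Added example (not part of the original report and not Docker Pipeline plugin code): a shell check of why `-u 510:1012` cannot open the mounted socket while `-u 510:993` can, and which `docker run` options would restore access without loosening the socket's permissions. It assumes the socket is owned by root:993 with mode 660, which the report does not state; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample ids are constructed from the report:
# uid 510 = jenkins, gid 993 = docker, gid 1012 = jenkins.
# Assumption: /var/run/docker.sock is root:993 with mode 660.
# Only the ids passed to `docker run` apply inside the container; the host's
# membership of jenkins in the docker group is not inherited.

# sock_access UID "GID [GID...]" SOCK_UID SOCK_GID SOCK_MODE
# Prints which permission class grants write access (needed to connect to a
# unix socket), or "denied". Follows the kernel's owner/group/other order.
sock_access() {
    uid=$1; gids=$2; s_uid=$3; s_gid=$4; mode=$((0$5))
    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    if [ "$uid" -eq "$s_uid" ]; then
        if [ $((mode & 0200)) -ne 0 ]; then echo owner; return 0; fi
        echo denied; return 1
    fi
    for g in $gids; do
        if [ "$g" -eq "$s_gid" ]; then
            if [ $((mode & 0020)) -ne 0 ]; then echo group; return 0; fi
            echo denied; return 1
        fi
    done
    if [ $((mode & 0002)) -ne 0 ]; then echo other; return 0; fi
    echo denied; return 1
}

# docker_user_opts UID GID SOCK_UID SOCK_GID SOCK_MODE
# Prints docker run options that keep the requested primary group and add the
# socket's group only when needed; fails if no group change can help.
docker_user_opts() {
    if sock_access "$1" "$2" "$3" "$4" "$5" >/dev/null; then
        echo "-u $1:$2"
    elif sock_access "$1" "$2 $4" "$3" "$4" "$5" >/dev/null; then
        echo "-u $1:$2 --group-add $4"
    else
        return 1
    fi
}

# Constructed demo: the two command lines from the report.
echo "510:993  -> $(sock_access 510 993 0 993 660)"
echo "510:1012 -> $(sock_access 510 1012 0 993 660)"
echo "suggested: $(docker_user_opts 510 1012 0 993 660)"
```

On a real agent, the inputs come from `id -u`, `id -g` and `stat -c '%u %g %a' /var/run/docker.sock`.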