背景
在项目中要使用jenkins实现自动化CI/CD功能,jenkins以docker容器方式运行,其中项目编译完要以docker方式构建image,上传到harbor私有仓库中。那jenkins容器中就要有docker运行环境以实现docker build images。
问题
我使用的官方的镜像文件jenkins/jenkins:lts,jenkins容器中是要以jenkins用户方式运行的。但宿主机host中的docker是以root所有的。
这样的,在jenkins一运行docker就会报Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.38/info: dial unix /var/run/docker.sock: connect: permission denied
docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock docker-jenkins-test bash
这是因为当前容器中是以jenkins用户在运行的,所以没有权限去访问/var/run/docker.sock。
可以看到容器中还是宿主机的权限模式,其中994是宿主机的docker的GID
宿主机的docker GID查看
为了验证这个问题,可以把jenkins容器以root用户方式去运行。
docker run --rm -it -u root -v /var/run/docker.sock:/var/run/docker.sock docker-jenkins-test bash
可以看到以root方式运行,是可以成功执行docker info命令的,这说明可以在jenkins容器中运行了。
docker-jenkins-test镜像Dockerfile如下:
FROM jenkins/jenkins:lts
USER root
RUN apt-get -qq update \
&& apt-get -qq -y install \
curl
RUN curl -sSL https://get.docker.com/ | sh
RUN usermod -a -G staff jenkins
USER jenkins
在参考其他几种jenkins with docker的实现方式:
How can i run docker command inside a docker container?
A jenkins capable of running docker agents using docker engine of host.
Use docker inside docker with jenkins user 里面有各种实现方式,但我试验过了,在不改变宿主机/var/run/docker.sock权限的情况,都没有成功过。
无奈实现方式
最简单的,就是在容器中不jenkins用户运行。
The simple way to run Docker-in-Docker for CI跟这个仁兄实现方法类似,以root用户去运行,手工安装docker,再挂载宿主机/var/run/docker.sock。
FROM jenkins/jenkins:lts
# if we want to install via apt
USER root
RUN apt-get update \
&& apt-get -y install \
maven \
nodejs \
apt-transport-https \
ca-certificates \
curl \
gnupg2 \
software-properties-common \
&& curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg > /tmp/dkey; apt-key add /tmp/dkey \
&& add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable" \
&& apt-get update \
&& apt-get -y install docker-ce \
&& rm -rf /var/lib/apt/lists/*
启动容器
docker run -it -d --name jenkins \
-p 8081:8080 -p 50000:50000 \
-v /data/dockerwork/jenkins/jenkins_home:/var/jenkins_home \
-v /var/run/docker.sock:/var/run/docker.sock \
maven-node-docker-jenkins-withroot:lts
运行情况:
这个jenkins容器中docker info跟宿主机的docker info是一样的。
[root@htwy maven-node-docker-jenkins-withroot]# docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock maven-node-docker-jenkins-withroot:lts bash
root@536823d29e10:/# whoami
root
root@536823d29e10:/# docker info
Containers: 19
Running: 19
Paused: 0
Stopped: 0
Images: 83
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-862.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 31.02GiB
Name: htwy
ID: XKVN:JBW6:RFQX:4SJA:TVR3:VCOH:2WGT:E2SF:LYMC:GPQN:MW33:MICD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
