Why am I getting 'permission denied' error in Jenkins but not when bash-ing into DIND image?
Question
Jenkins and docker

Hello, I have installed Jenkins on my main computer using Docker Desktop with the recommended current Jenkins image. On that same Windows computer I created an Ubuntu VM with VMware. On the Ubuntu VM I installed the Docker engine. I also installed the sysbox-runc runtime to use with DinD. In Jenkins I added the Ubuntu VM as a permanent agent, and everything is working except the docker client commands.

My Jenkinsfile looks like this:

pipeline {
    agent { docker {
        image 'custom dind image with java and maven'
        registryCredentialsId 'credential'
        args '-v /var/run/docker.sock:/var/run/docker.sock'
    } }
    stages {
        codecheckout
        ...
        stage('compile') {
            steps {
                sh 'mvn compile'
            }
        }

        stage('test') {
            steps {
                sh 'mvn test'
            }
        }

        stage('build jar') {
            steps {
                sh 'mvn clean compile assembly:single'
            }
        }

        stage('docker build') {
            steps {
                sh 'docker build -t img/img .'
            }
        }
    }
}

It all works except the last one, sh 'docker build -t img/img .'
It says ERROR: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/_ping": dial unix /var/run/docker.sock: connect: permission denied

My Jenkins starts the agent on Ubuntu via the launch method "Launch agents via SSH".

I added the SSH user that Jenkins is using to start the agent to the docker group. It still gives the error. So far the only way it works is if I cheat and put 777 perms on docker.sock.

The weird thing is, when using the Ubuntu terminal, I run a DinD image and go into it, I don't have any error and all docker commands work. It is only when Jenkins does it with the docker agent that it has some kind of permission issue.

I've spent so much time on this; does someone have ideas?

Answer 1

Score: 0

This is because Jenkins passes -u jenkins (or the user id you are running your Jenkins worker with) to the docker container, so you are running as the Jenkins user, with the Jenkins user's permissions, inside the docker container. However (you are completely ignoring your "dind" image, and) you are mounting docker from the host, and the Jenkins user inside the container is most probably an unknown user without any groups, so it has no permission to access docker.sock.
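
The following script is an added example, not code from the original question or answer. It shows how to check the situation the answer describes (the caller's group list versus the owning group of the socket) and how to build a `docker run` argument string that grants access through the socket's group instead of `chmod 777`. Assumptions: `docker_agent_args` is a hypothetical helper whose output is what you would put in the `args` of a Jenkins `docker { ... }` agent (those are forwarded to `docker run`), `--group-add` is the standard `docker run` flag, and the demo uses a scratch file in place of `/var/run/docker.sock` so it runs without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose why a process cannot
# reach the Docker socket and derive a safer `docker run` argument than
# `chmod 777 /var/run/docker.sock`.

# Owning group id of a file; tries GNU stat first, then BSD stat.
socket_gid() {
    stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# Return 0 if the calling process has group id $1 among its groups.
# Inside a container started with `-u uid:gid` and no --group-add this
# list is just the primary gid, which is the root cause in the answer.
has_gid() {
    for g in $(id -G); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Print "ok" or "denied" for path $1: connecting to a Unix socket needs
# write permission on it, through owner, group or other bits.
socket_access() {
    if [ -w "$1" ]; then echo ok; else echo denied; fi
}

# Hypothetical helper: build the docker run arguments that mount the host
# socket and add its owning group as a supplementary group in the container,
# so the mapped user gets access via the group bits, not via 0777.
docker_agent_args() {
    sock=${1:-/var/run/docker.sock}
    gid=$(socket_gid "$sock") || return 1
    printf '%s %s:%s %s %s\n' -v "$sock" /var/run/docker.sock --group-add "$gid"
}

# Constructed demo: a scratch file stands in for the socket so the script
# runs without a Docker daemon.
demo() {
    tmp=$(mktemp) || return 1
    chmod 660 "$tmp"
    echo "owner gid: $(socket_gid "$tmp")"
    if has_gid "$(socket_gid "$tmp")"; then
        echo "caller is in that group"
    else
        echo "caller is NOT in that group (the Jenkins case)"
    fi
    echo "access:    $(socket_access "$tmp")"
    echo "args:      $(docker_agent_args "$tmp")"
    rm -f "$tmp"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh check-sock.sh demo` on the agent host, or run `id -G` and `stat -c '%g' /var/run/docker.sock` from a `sh` step inside the pipeline to confirm the gid mismatch; adding `--group-add <that gid>` to the agent's `args` keeps the socket's default 0660 mode intact.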

huangapple
  • Posted on 2023-05-29 03:37:40
  • Please keep this link when reposting: https://go.coder-hub.com/76353305.html