This is the Dockerfile I'm using for the container/agent:

FROM ubuntu:20.04

ARG DEBIAN_FRONTEND=noninteractive

RUN groupadd -g 999 docker

# Install Docker CLI
RUN apt-get update && apt-get install -y docker.io

# Install OpenJDK, Git, and other build tools
RUN apt-get install -y openjdk-17-jdk git wget

RUN wget https://mirrors.estointernet.in/apache/maven/maven-3/3.8.5/binaries/apache-maven-3.8.5-bin.tar.gz
RUN tar -xvf apache-maven-3.8.5-bin.tar.gz
RUN mv apache-maven-3.8.5 /opt/

ENV M2_HOME='/opt/apache-maven-3.8.5'
ENV PATH="$M2_HOME/bin:$PATH"

# Set up your user and workspace

RUN useradd -m -u 1005 -g 999 -s /bin/bash jenkins

USER jenkins
WORKDIR /home/jenkins/agent

My pipeline, where 1005 is my jenkins user and 999 is my docker group:

pipeline {
    agent {
        docker {
            image 'my docker img'
            args '-u 1005:999 -v /var/run/docker.sock:/var/run/docker.sock --entrypoint=""'
            registryCredentialsId 'hubdocker'
            alwaysPull true
        }
    }

    stages {
        stage('Print User and Groups') {
            steps {
                script {
                    // Print current user
                    sh 'id'
                }
            }
        }
        ...

        stage('docker build') {
            steps {
                sh 'docker build -t myregistrery/test1 .'
            }
        }
    }
}

The result of the id command, logged in as 1005 on the host and in the container, is the same (except for roles that are not needed in the container).

(result) uid=1005(jenkins) gid=999(docker) groups=999(docker)

I have noticed that when I use ls -ln /var/run/docker.sock inside the container, it says srw-rw---- 1 65534 65534

I think that's the problem. Is there a way to map the mounted docker.sock to keep the host permissions, or a workaround?

I don't want to have to change the perm of docker.sock in the host.

Note that I can reproduce the problem by running the docker agent in the terminal without using jenkins.

I am getting permission denied when a docker command is used in the container

For example, 'docker ps' will throw that error. Same thing for sh 'docker build -t myregistrery/test1 .' in the pipeline.

docker build -t myregistrery/test1 . Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&t=jplamondon%2Ftest1&target=&ulimits=null&version=1": dial unix /var/run/docker.sock: connect: permission denied

  • What/when/where are you getting a permission denied? Commented Aug 16, 2023 at 18:36
  • I have a permission denied when I use a docker command in the container, for example 'docker ps' when I connect into it, or when the pipeline tries to execute the build sh 'docker build -t myregistrery/test1 .' Commented Aug 16, 2023 at 18:38
  • Are you using, or do you need, a mounted volume? If so, you must pass the jenkins home on useradd. Commented Aug 16, 2023 at 23:08

1 Answer

Since you are not using the root user, you need to perform the following steps (first check the user inside the container with su -s ${USER}):

  1. Add the docker group (I see it in your Dockerfile):

groupadd docker

  2. Add the user(s) to the docker group (where $user is the user running the sock, I guess it is jenkins), or whatever user you want to use. Also, you do not need to use useradd unless needed (keep it simple):

usermod -aG docker jenkins

Another approach (which you don't want) is to change the docker.sock permissions, i.e.:

chmod 666 /var/run/docker.sock

3 Comments

I already have a group called docker, and my user is in it. That works fine when I use that user on the host, but once inside the container it does not work. 1005 is the jenkins user on my host and 999 is the docker group on my host.
I'm replicating your error in my environment since I'm sure I experienced that error a while ago.
I recreated a VM from scratch and now it works.
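
A diagnostic for the symptom in the question, as an added example that is not part of the original posts: 65534 is the ID Linux displays when a file's real owner has no mapping in the container's user namespace (for instance under Docker's userns-remap or rootless mode), and in that case holding GID 999 inside the container cannot match the socket's group. The function names and verdict strings are hypothetical, and whether ID remapping was active on the asker's host is an assumption the page does not confirm.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies why a non-root user
# gets "permission denied" on a bind-mounted /var/run/docker.sock.
OVERFLOW_ID=65534  # shown by stat for an ID with no mapping in this user namespace

# is_identity_map FILE: succeeds if FILE (e.g. /proc/self/uid_map) holds only
# the initial-namespace map "0 0 4294967295", i.e. no ID remapping is active.
is_identity_map() {
    [ "$(awk '{print $1, $2, $3}' "$1")" = "0 0 4294967295" ]
}

# diagnose_sock SOCK_UID SOCK_GID MODE MY_UID "MY_GIDS" REMAPPED(yes|no)
# Prints one verdict, following the kernel's owner -> group -> other order.
diagnose_sock() {
    s_uid=$1; s_gid=$2; mode=$3; my_uid=$4; my_gids=$5; remapped=$6
    owner_w=$(( (0$mode >> 6) & 2 ))   # connect() needs the write bit
    group_w=$(( (0$mode >> 3) & 2 ))
    other_w=$(( 0$mode & 2 ))
    hidden=no   # yes = the socket's real group is invisible from this namespace
    if [ "$remapped" = yes ] && [ "$s_gid" = "$OVERFLOW_ID" ]; then hidden=yes; fi
    if [ "$s_uid" = "$my_uid" ] && [ "$remapped$s_uid" != "yes$OVERFLOW_ID" ]; then
        if [ "$owner_w" -ne 0 ]; then echo ok-owner; else echo denied-by-mode; fi
        return 0
    fi
    if [ "$hidden" = no ]; then
        for g in $my_gids; do
            if [ "$g" = "$s_gid" ]; then
                if [ "$group_w" -ne 0 ]; then echo ok-group; else echo denied-by-mode; fi
                return 0
            fi
        done
    fi
    if [ "$other_w" -ne 0 ]; then echo ok-world-writable
    elif [ "$hidden" = yes ]; then echo denied-unmapped-id
    else echo denied-not-in-group; fi
}

# Live check, run inside the container: sh diagnose.sh --check
if [ "${1:-}" = "--check" ]; then
    sock=${DOCKER_SOCK:-/var/run/docker.sock}
    remapped=yes
    if is_identity_map /proc/self/uid_map && is_identity_map /proc/self/gid_map; then
        remapped=no
    fi
    # stat -c is GNU coreutils syntax (available in the ubuntu:20.04 image)
    set -- $(stat -c '%u %g %a' "$sock")
    diagnose_sock "$1" "$2" "$3" "$(id -u)" "$(id -G)" "$remapped"
fi
```

A verdict of denied-unmapped-id means the fix belongs in how the daemon maps IDs, not in the group membership set in the Dockerfile or the -u argument.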
