This question is different from the following questions:
Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock Because they didn't consider jenkins to be installed as docker container, here I don't have jenkins user to give that user access to this file.
And also from this one docker.sock permission denied Because I don't know which user I got this error for, Here the user root has access to this file but the error happened again.
Here's my problem:
I want to run docker jenkinsci/blueocean image using following command on ubuntu:
docker container run \
--name jenkins-blueocean \
--rm \
--detach \
--publish 8181:8080 \
--publish 50000:50000 \
--volume jenkins-data:/var/jenkins_home \
--volume jenkins-docker-certs:/certs/client:ro \
--volume /var/run/docker.sock:/var/run/docker.sock \
jenkinsci/blueocean
After running jenkins on dokcer container when I use agent as follows:
agent {
docker {
image 'maven:3-alpine'
}
}
I got following error:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/create?fromImage=maven&tag=3-alpine: dial unix /var/run/docker.sock: connect: permission denied
Here when I use this command it will solve the problem:
chmod 777 /var/run/docker.sock
But I don't want to permit all users to access this socket because of security vulnerabilities.
I should also say that the current user is root and it has access to /var/run/docker.sock
Here are some useful information:
echo $USER
root
ls -ls /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 24 14:56 /var/run/docker.sock
groups
root docker
Which user should I permit access to this file? jenkins is run on container and there is no jenkins user on my system, How can I find out which user is trying to access this socket file /var/run/docker.sock and consequently I got this error?
If you look at the Dockerfile for jenkinsci/blueocean, for example, 1.23.2. You can see that the "jenkins" user is uid 1000 and gid 1000. It is these IDs that have to match for volume access, not the username.
Rather than granting uid/gid 1000 access to /var/run/docker.sock on the host, perhaps it would be better to run the container as the user/group that has permission. You can check that with id -u root and id -g docker, then use that with your docker run command, for example (assuming root uid is 0), docker run -u 0 .... See the doc page for more examples of how to use -u/--user. If you're running as the same uid as root in the container, you probably won't have a problem, but if if that is a different id, you may run into issues as other uids might be missing necessary configuration to be able to run the Jenkins stuff correctly.
If you really want to go the route of changing /var/run/docker.sock, then the answer would be to create a group with gid 1000 and add root to that group I guess.