为什么Jenkins用户没有访问Docker unix套接字的权限?

9

我已将该jenkins用户添加到docker组中,认为这将允许Jenkins作业运行Docker命令。如果我切换到jenkins用户,则可以验证它是否可以(手动):

ubuntu@hostname:~$ ps aux | grep java
jenkins   2210  9.5  7.5 1950316 292896 ?      Sl   00:01   1:00 /usr/bin/java -jar /data/jenkins/jenkins-1.586.war --httpPort=8080 -Xloggc:/var/log/jenkins/gc.log
ubuntu@hostname:~$ getent group docker
docker:x:999:jenkins
ubuntu@hostname:~$ ls -la /var/run/docker.*
-rw-r--r-- 1 root root   4 Oct 23 18:32 /var/run/docker.pid
srw-rw---- 1 root docker 0 Oct 23 18:32 /var/run/docker.sock
ubuntu@hostname:~$ sudo su -s /bin/bash jenkins
jenkins@hostname:/home/ubuntu$ docker ps
CONTAINER ID        IMAGE                      COMMAND                CREATED             STATUS              PORTS                     NAMES

但是,在Jenkins构建/作业期间,没有权限:

# Job log
Started by user Matt Wright
Building on master in workspace /data/jenkins/jobs/docker-base-images-build/workspace
[ssh-agent] Using credentials CI-jenkins
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Java/JNR ssh-agent
[ssh-agent] Started.
 > git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url git@github.com:<redacted>/docker-base-images.git # timeout=10
Fetching upstream changes from git@github.com:<redacted>/docker-base-images.git
 > git --version # timeout=10
using GIT_SSH to set credentials 
 > git fetch --tags --progress git@github.com:<redacted>/docker-base-images.git +refs/heads/*:refs/remotes/origin/*
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision 83c4463e7195b412a3a803dd7338210c1a772f55 (refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 83c4463e7195b412a3a803dd7338210c1a772f55
 > git rev-list 83c4463e7195b412a3a803dd7338210c1a772f55 # timeout=10
[workspace] $ /bin/sh -xe /tmp/hudson5606381166745886966.sh
+ ./build.sh
Sending build context to Docker daemon 
2014/10/24 16:14:18 Post http:///var/run/docker.sock/v1.15/build?rm=1&t=<redacted>%2Fpython%3A3.4: dial unix /var/run/docker.sock: permission denied
Build step 'Execute shell' marked build as failure
[ssh-agent] Stopped.
Notifying upstream projects of job completion
Finished: FAILURE

这是Docker 1.3.0和Ubuntu 14.04.1。有什么线索吗?

linux  user-management  jenkins  user-permissions  docker 
马特·W
source
似乎与此问题有关。重新启动为我解决了这个问题。
smilly92 2014年
重新启动无法为我解决此问题。
Matt W
1
Jenkins似乎删除了除Jenkins用户的主组之外的其他组。当我以Jenkins用户身份从shell运行id命令时,我看到它在docker组中,但是当我在自由式作业中运行id时,它仅显示Jenkins用户。我还没有想出如何解决它。
约瑟夫·穆洛伊
首先确保您在docker组中具有jenkins用户。然后,如果您遇到问题的从属设备已连接到主设备,请断开连接,然后再次重新连接。通过“管理詹金斯” /“管理节点”执行此操作。
arminmor

Answers:

12

我认为将jenkins组特权赋予docker unix socket可解决此问题。可以通过添加以下行来在配置文件中配置docker daemon启动选项进行修改

DOCKER_OPTS=' -G jenkins'

ubuntu中/etc/default/docker是docker配置文件。

埃尔多斯
source
对于Ubuntu 16.04上的新安装,这仍然是我的
首选
1

groups使用jenkins 运行命令。你看到一个docker小组吗?如果不是,请尝试重新启动该Jenkins从属服务器。或只是杀死Jenkins slave.jar进程:ps aux | grep jenkins

瓦努安
source
完成上述一些步骤后,使它工作的最后一步是重新连接詹金斯奴隶。谢谢你的提示。
Dean Poulin
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.