Welcome to the Linux Foundation Forum!

Chapter 8: Don't `chown 777 /var/run/docker.sock`

danielclough
danielclough Posts: 14
in LFS261 Class Forum

In the lab for 08. Using Docker with Jenkins Pipelines it is suggested to chown 777 /var/run/docker.sock, which is noted as "not recommended".

In the beginning of the course the instructor said that learning too many things makes problems, and I agree, but if you already have a foundation in Linux SysAdmin... the likely problem is not that complicated.

A more elegant solution is to make the /etc/group files match on the host system and within the container.

Example:
daniel@localhost$ tail /etc/group
...
docker:x:1001:daniel
root@d69e61af43ab# tail /etc/group
...
docker:x:999:jenkins

Just make those numbers match and you should be golden.

Comments

  • luisviveropena
    luisviveropena Posts: 1,343
    edited September 2020

    Hi @danielclough ,

    That's correct for a Linux host, in fact it's documented in the installation pages (Docker official documentation). If I'm not wrong, the instructor was running Docker on macOS, and that may not work in the same way (for macOS you use Docker Desktop).

    Anyway it's not a recommended way for macOS as well. We'll take a look to this.

    Regards,
    Luis.

  • cziaul
    cziaul Posts: 39

    Hi, can you please explain more how both can be same, I am getting below error

    org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
    WorkflowScript: 3: Invalid agent type "docker" specified. Must be one of [any, label, none] @ line 3, column 9.
    docker {
    ^

    1 error

    at org.codehaus.groovy.control.ErrorCollector.failIfErrors(ErrorCollector.java:310)
at org.codehaus.groovy.control.CompilationUnit.applyToPrimaryClassNodes(CompilationUnit.java:1085)
at org.codehaus.groovy.control.CompilationUnit.doPhaseOperation(CompilationUnit.java:603)
at org.codehaus.groovy.control.CompilationUnit.processPhaseOperations(CompilationUnit.java:581)
at org.codehaus.groovy.control.CompilationUnit.compile(CompilationUnit.java:558)
at groovy.lang.GroovyClassLoader.doParseClass(GroovyClassLoader.java:298)
at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:268)
at groovy.lang.GroovyShell.parseClass(GroovyShell.

    Also when I type docker ps, I get below

    This is outside container

    Appreciate any help

  • cziaul
    cziaul Posts: 39

    Here is sample script

  • gouravshah
    gouravshah Posts: 139
    edited October 2020

    @danielclough your approach of modifying the groups file on the docker host is definitely cleaner. However, I still had the chmod 777 in the course based on my experience of teaching this to over 60k students because from my observations,

    • Not everyone uses linux as the host os. In fact, majority of the students who take this course either setup docker with Windows/Mac OS.
    • Even though considered fundamentals, not everyone has systems knowledge. This course it also relevant for developers and QA who do not want to fiddle with the underlying system and prefer a easier, canned approach.

    Having said that, to make it easier, I would add the following to the script

    usermod -a -G docker jenkins

    This provides a cleaner approach, yet can be provided as canned commands as part of the script.

    @cziaul you seem to have added jenkins user already. Have you tried restarting the jenkins container ?

    docker restart jenkins
  • cziaul
    cziaul Posts: 39

    Yes but still not working, can you please let me know how I can modify group file on the docker host and jenkins docker. I am using ubuntu 18.04. appreciate your help.

  • cziaul
    cziaul Posts: 39

    Can I please get an answer on this?

  • fcioanca
    fcioanca Posts: 2,592

    @cziaul The instructor will get back to you as soon as possible. We appreciate your patience.

  • cziaul
    cziaul Posts: 39

    I am presently getting permission denied msg

  • gouravshah
    gouravshah Posts: 139

    @cziaul please re run the following commands inside the container

    usermod -a -G docker jenkins

chmod 777 /var/run/docker.sock

    I just tested setting a brand new environment with ubuntu as the host, with docker installed and by setting up a jenkins container from scratch.

    Running the script in Lab 6 did the job for me. Above snippet is from the same script. For your reference, this is how my /etc/group files on the host and inside the containers look like

    host

    docker:x:998:

    container (jenkins)

    docker:x:999:jenkins

    when I run docker command from inside jenkins container, it works as expected

     docker ps
CONTAINER ID        IMAGE                        COMMAND                  CREATED             STATUS              PORTS                                              NAMES
f5e2600df555        jenkins/jenkins:2.178-slim   "/sbin/tini -- /usr/…"   19 minutes ago      Up 19 minutes       0.0.0.0:8080->8080/tcp, 0.0.0.0:32768->50000/tcp   jenkins
49df246c7323        k8s.gcr.io/coredns           "/coredns -conf /etc…"   11 hours ago        Up 11 hours                                                            k8s_coredns_coredns-f9fd979d6-tvj25_kube-system_c8597f47-74ff-4812-a7b7-5429c8fe4fcf_0
  • cziaul
    cziaul Posts: 39

    @gouravshah Thanks for the reply, I think what danielclough mentioned above is a cleaner approach and since I am applying above at my work, can you please let me know how I can do it more secure way without applying 777. Appreciate your help.

  • gouravshah
    gouravshah Posts: 139
    edited October 2020

    @cziaul and @danielclough ,

    An even cleaner approach to setup docker along with jenkins is to use a DIND container. That would completely eliminate the need to do the socket mount which has inherent risks. This approach is documented here https://www.jenkins.io/doc/book/installing/docker/.

    I have adapted this approach and created a docker compose file which I have been using for my CI/CD workshops and bootcamps since last few months. I am sharing it here. You may find this useful.

    Filename: docker-compose.yaml

    version: '3.0'

networks:
  custom:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.61.0/24

volumes:
  jenkins-docker-certs:
  jenkins-data:

services:
  jenkins:
    image: jenkinsci/blueocean
    ports:
      - 8080:8080
      - 50000:50000
    environment:
      - DOCKER_HOST=tcp://docker:2376
      - DOCKER_CERT_PATH=/certs/client
      - DOCKER_TLS_VERIFY=1
    networks:
      custom:
        ipv4_address: 192.168.61.15
    dns: 8.8.8.8
    domainname: codespaces.io
    hostname: jenkins
    restart: always
    volumes:
      - jenkins-data:/var/jenkins_home
      - jenkins-docker-certs:/certs/client:ro
    depends_on:
      - docker

  docker:
    image: docker:dind
    ports:
      - 2376:2376
    environment:
      - DOCKER_TLS_CERTDIR=/certs
    networks:
      custom:
        ipv4_address: 192.168.61.16
        aliases:
          - docker
    privileged: true
    domainname: codespaces.io
    hostname: docker
    restart: always
    volumes:
      - jenkins-docker-certs:/certs/client
      - jenkins-data:/var/jenkins_home

Categories

Upcoming Training