如何使用除根以外的其他用戶訪問容器中的docker守護進程

Question

我試圖運行構建docker映像的Jenkins容器。我上週開始使用docker，我對使用主機卷以及如何處理用戶感到困惑。

我一直在互聯網上搜索，我發現一個git問題是有人發佈了一個解決方案，從容器中訪問docker守護進程。基本上，這個想法是詹金斯容器內丘包含泊塢窗bin文件夾和docker.sock從主機這樣的卷：

 volumes: 
     - /var/run/docker.sock:/var/run/docker.sock 
     - /usr/local/bin/docker:/usr/local/bin/docker 

我已經做了和它的作品，但只有當我的根。當我開始學習docker的時候，我在博客中關注了這個例子，作者不是直接使用jenkins鏡像，而是從jenkins鏡像本身和它的依賴關係中複製了Dockerfiles來解釋這個過程。作爲該過程的一部分，創建一個jenkins用戶，並在啓動容器時使用該用戶。我現在的問題是，我無法讓詹金斯用戶有權訪問docker.sock，因爲它屬於根目錄，而docker屬於主機。我嘗試在Dockerfile中添加用戶docker，但在訪問docker.sock時，我仍然從Jenkins作業中獲得了權限被拒絕的錯誤。如果我檢查在容器內部安裝的/var/run/docker.sock，我可以看到docker.sock屬於組user而不是docker，所以我不知道掛載目錄時到底發生了什麼。我沒有用Linux做過多的工作，所以我猜測當用戶docker在掛載目錄時不存在，然後它使用默認的user，但我可能完全錯誤。

我還沒有得到的另一件事是，如果我創建一個專門用作Jenkins容器的容器，並且沒有別的東西應該在那裏運行，那麼創建特定jenkins用戶的目的是什麼？我有什麼理由不能直接使用用戶root？

這是我使用的Dockerfile。謝謝。

FROM centos:7 

# Yum workaround to stalled mirror 
RUN sed -i -e 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf 

RUN rm -f /var/lib/rpm/__* 
RUN rpm --rebuilddb -v -v 
RUN yum clean all 


# see https://bugs.debian.org/775775 
# and https://github.com/docker-library/java/issues/19#issuecomment-70546872 
ENV CA_CERTIFICATES_JAVA_VERSION 20140324 

RUN yum -v install -y \ 
    wget \ 
    zip \ 
    which \ 
    openssh-client \ 
    unzip \ 
    java-1.8.0-openjdk-devel \ 
    git \ 
    && yum clean all 

#RUN /var/lib/dpkg/info/ca-certificates-java.postinst configure 

# Install Tini 
ENV TINI_VERSION 0.9.0 
ENV TINI_SHA fa23d1e20732501c3bb8eeeca423c89ac80ed452 

# Use tini as subreaper in Docker container to adopt zombie processes 
RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-static -o /bin/tini && chmod +x /bin/tini \ 
    && echo "$TINI_SHA /bin/tini" | sha1sum -c - 

# SET Jenkins Environment Variables 
ENV JENKINS_HOME /var/jenkins_home 
ENV JENKINS_SLAVE_AGENT_PORT 50000 
ENV JENKINS_VERSION 2.22 
ENV JENKINS_SHA 5b89b6967e7af8119c52c7e86223b47665417a22 
ENV JENKINS_UC https://updates.jenkins-ci.org 
ENV COPY_REFERENCE_FILE_LOG $JENKINS_HOME/copy_reference_file.log 

# SET Java variables 
ENV JAVA_HOME /usr/lib/jvm/java/jre 
ENV PATH /usr/lib/jvm/java/bin:$PATH 

# Jenkins is run with user `jenkins`, uid = 1000 
# If you bind mount a volume from the host or a data container, 
# ensure you use the same uid 
RUN useradd -d "$JENKINS_HOME" -u 1000 -m -s /bin/bash jenkins 

#Not working. Folder not yet mounted? 
#RUN DOCKER_GID=$(stat -c '%g' /var/run/docker.sock) && \ 

#Using gid from host 
RUN groupadd -for -g 50 docker && \ 
    usermod -aG docker jenkins 

# Jenkins home directory is a volume, so configuration and build history 
# can be persisted and survive image upgrades 
VOLUME /var/jenkins_home 

# `/usr/share/jenkins/ref/` contains all reference configuration we want 
# to set on a fresh new installation. Use it to bundle additional plugins 
# or config file with your custom jenkins Docker image. 
RUN mkdir -p /usr/share/jenkins/ref/init.groovy.d 

# Install Jenkins 
RUN curl -fL http://repo.jenkins-ci.org/public/org/jenkins-ci/main/jenkins-war/${JENKINS_VERSION}/jenkins-war-${JENKINS_VERSION}.war -o /usr/share/jenkins/jenkins.war \ 
    && echo "$JENKINS_SHA /usr/share/jenkins/jenkins.war" | sha1sum -c - 

ENV JAVA_OPTS="-Xmx8192m" 
ENV JENKINS_OPTS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war" 

# Prep Jenkins Directories 
RUN chown -R jenkins "$JENKINS_HOME" /usr/share/jenkins/ref 
RUN mkdir /var/log/jenkins 
RUN mkdir /var/cache/jenkins 
RUN chown -R jenkins:jenkins /var/log/jenkins 
RUN chown -R jenkins:jenkins /var/cache/jenkins 

# Expose Ports for web and slave agents 
EXPOSE 8080 
EXPOSE 50000 

# Copy in local config files 
COPY init.groovy /usr/share/jenkins/ref/init.groovy.d/tcp-slave-agent-port.groovy 
COPY jenkins.sh /usr/local/bin/jenkins.sh 
COPY plugins.sh /usr/local/bin/plugins.sh 
RUN chmod +x /usr/local/bin/plugins.sh 
RUN chmod +x /usr/local/bin/jenkins.sh 


# Install default plugins 
COPY plugins.txt /tmp/plugins.txt 
RUN /usr/local/bin/plugins.sh /tmp/plugins.txt 


# Add ssh key 
RUN eval "$(ssh-agent -s)" 
RUN mkdir /usr/share/jenkins/ref/.ssh && \ 
    chmod 700 /usr/share/jenkins/ref/.ssh && \ 
    ssh-keyscan github.com > /usr/share/jenkins/ref/.ssh/known_hosts 

COPY id_rsa /usr/share/jenkins/ref/.ssh/id_rsa 
COPY id_rsa /usr/share/jenkins/ref/.ssh/id_rsa.pub 
COPY hudson.tasks.Maven.xml /usr/share/jenkins/ref/hudson.tasks.Maven.xml 

RUN chown -R jenkins:jenkins /usr/share/jenkins/ref && \ 
    chmod 600 /usr/share/jenkins/ref/.ssh/id_rsa && \ 
    chmod 600 /usr/share/jenkins/ref/.ssh/id_rsa.pub && \ 
    chmod 600 /usr/share/jenkins/ref/hudson.tasks.Maven.xml 

COPY id_rsa /root/.ssh/id_rsa 
COPY id_rsa /root/.ssh/id_rsa.pub 

# ssh keys for root. To use root as the user 
RUN chmod 600 /root/.ssh/id_rsa && \ 
    chmod 600 /root/.ssh/id_rsa.pub && \ 
    ssh-keyscan github.com > /root/.ssh/known_hosts 

# Switch to the jenkins user 
USER jenkins 

# Tini as the entry point to manage zombie processes 
ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"] 

Answer 1

顯然問題出在gid中。出於某種原因，我認爲主持人的團隊的碼頭工人的gid是50，但實際上它實際上是100.當我將它改爲100時，jenkins工作開始工作。 我仍然不知道爲什麼docker.sock顯示它屬於組user而不是docker在容器中。如果我在容器做cat /etc/group我看到

root:x:0: 
... 
users:x:100: 
... 
jenkins:x:1000: 
docker:x:100:jenkins 

，並在宿主

root:x:0: 
lp:x:7:lp 
nogroup:x:65534: 
staff:x:50:docker 
docker:x:100:docker 
dockremap:x:101:dockremap