Bind docker socket inside container fails with permission denied

I have the following compose and docker files

services:
  jenkins-agent:
    image: git.example.com:8444/devops/docker-services/jenkins-agent:linux-jdk11
    build: services/jenkins-agent
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

services/jenkins-agent/Dockerfile

FROM jenkins/ssh-agent:bullseye-jdk11

RUN apt-get update \
    && apt-get install -y \
        git \
        gpg \
        curl \
        lsb-release

# Install the Docker CLI from Docker's apt repository (signed-by keyring)
RUN mkdir -p /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
    && echo \
        "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
        $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
    && apt-get update && apt-get install -y docker-ce docker-ce-cli

I’m wanting to run docker in docker for my jenkins agents, but whenever I try and run a docker command in the container I get: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=ubuntu&tag=focal": dial unix /var/run/docker.sock: connect: permission denied. I’ve gotten it to work before by creating a docker group in the container with the same id as the one on the host. I was wondering if there was a more portable solution for binding the docker socket.

There is no portable solution, if you want to keep it secure.

There are some other options to interact with the docker engine:

  • delegate docker.sock access to a docker-socket-proxy container, see Docker Hub. Please check the Docker Hub description!
  • enable the tls tcp endpoint for the docker engine and use certificate based authentication
  • and finally the most obvious and least secure option: run the container as root user
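As an added illustration of the first option (this is not code from the thread or from the responder), the compose fragment below puts a socket proxy between the agent and the engine so the agent never mounts docker.sock and never needs a docker group or root. It assumes the tecnativa/docker-socket-proxy image; the service names, the network name and the particular set of allowed API sections are assumptions for this example, so confirm the variable names against that image's README before relying on them.

```yaml
# Added example: least-privilege engine access via docker-socket-proxy.
# Assumes the tecnativa/docker-socket-proxy image (default-deny: only API
# sections set to 1 are forwarded). Service/network names are illustrative.
services:
  docker-proxy:
    image: tecnativa/docker-socket-proxy:latest
    environment:
      CONTAINERS: "1"   # list/inspect/create containers (needed for builds)
      IMAGES: "1"       # pull/list images
      BUILD: "1"        # docker build
      POST: "1"         # allow write operations (create/start/stop)
      EXEC: "0"         # no docker exec into other containers
      VOLUMES: "0"
      NETWORKS: "0"
      SWARM: "0"        # no swarm-management calls from agents
      NODES: "0"
      SERVICES: "0"
      SECRETS: "0"      # never expose swarm secrets through the proxy
    volumes:
      # connect() on the socket does not need a writable mount
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker-api      # internal network; the proxy publishes no host port
    deploy:
      placement:
        constraints: [node.role == manager]

  jenkins-agent:
    image: git.example.com:8444/devops/docker-services/jenkins-agent:linux-jdk11
    build: services/jenkins-agent
    environment:
      # The docker CLI talks TCP to the proxy: no socket mount, no docker
      # group and no root user needed inside the agent container.
      DOCKER_HOST: tcp://docker-proxy:2375
    networks:
      - docker-api
    depends_on:
      - docker-proxy

networks:
  docker-api:
    internal: true      # unreachable from outside the stack
```

Two caveats worth keeping in mind: the proxy narrows the API surface, it does not remove the trust boundary, so anything that can reach the docker-api network can do whatever the allowed sections permit; and CONTAINERS plus POST still lets an agent create containers with arbitrary bind mounts, which is effectively host access. Treat the proxy as scoping what a compromised build job can do, and keep the Jenkins-side build configuration (who may define pipelines, which images are allowed) as the real control.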

is there documentation on the second option, tls authentication?

are there any capabilities that may work? or a way to run the container as root from swarm

I am afraid your last question needs further explanation: is it still about tls and certificate auth?

no, the tls method doesn’t appear to be what I’m looking for. I’ve also tried sysbox but I keep getting the error
services.jenkins Additional property runtime is not allowed when I do

services:
  jenkins:
    image: git.example.com:8444/devops/docker-services/jenkins
    runtime: sysbox-runc
    build: 
      context: services/jenkins
      args:
        - jenkins_version=2.346.2
        - plugin_cli_version=2.9.3
    volumes:
      - jenkins-home:/var/jenkins_home
    ports:
      - 443:443
      - 636:636
      - 3268:3268
      - 50000:50000
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]

I am not sure how this is related with access to the docker engine…

Have you checked the compose file 3 reference? You should make it a habit, as things that can not be found there usually don’t exist for this schema version and are therefore not available for swarm deployments.

Docker in docker doesn’t work for a rootless CI/CD deployment, which says to use the sysbox runtime in order to properly run docker in docker. I installed sysbox and set the container runtime to use it, following the docs. But now I get an error.

I want to be able to deploy both Jenkins and the Jenkins Agents to a swarm and have them be able to kick off containerized builds from each. I need all the agents to be able to run docker in order to spin up more containers.