Bind docker socket inside container fails with permission denied

I have the following compose and docker files

  jenkins-agent:
    image: git.example.com:8444/devops/docker-services/jenkins-agent:linux-jdk11
    build: services/jenkins-agent
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

services/jenkins-agent/Dockerfile

FROM jenkins/ssh-agent:bullseye-jdk11

RUN apt-get update \
    && apt-get install -y \
        git \
        gpg \
        curl \
        lsb-release

RUN mkdir -p /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
    && echo \
        "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
        $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
    && apt-get update && apt-get install -y docker-ce docker-ce-cli

I want to run docker in docker for my jenkins agents, but whenever I try and run a docker command in the container I get Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=ubuntu&tag=focal": dial unix /var/run/docker.sock: connect: permission denied. I’ve gotten it to work before by creating a docker group in the container with the same id as the one on the host. I was wondering if there was a more portable solution for binding the docker socket.


There is no portable solution, if you want to keep it secure.

There are some other options to interact with the docker engine:

  • delegate docker.sock access to a docker-socket-proxy container, see Docker Hub. Please check the Docker Hub description!
  • enable the tls tcp endpoint for the docker engine and use certificate based authentication
  • and finally the most obvious and least secure option: run the container as root user
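The first option from that list, sketched as an added compose example that is not from this thread or from either poster: it assumes the tecnativa/docker-socket-proxy image and its CONTAINERS/IMAGES/EXEC/NETWORKS/POST switches (confirm the names and defaults in the image's Docker Hub description), plus the DOCKER_HOST variable the docker CLI reads.

```yaml
# Added example (not from the thread). The raw socket is mounted only into the
# proxy; the agent talks HTTP to the proxy, which forwards just the allowed
# API groups. No `user: root` and no socket bind mount on the agent.
version: "3.8"

services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy   # assumed image, verify on Docker Hub
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      # Only what an agent needs to pull images and run build containers.
      # Anything not enabled here stays blocked by the proxy's defaults.
      CONTAINERS: "1"
      IMAGES: "1"
      EXEC: "1"
      NETWORKS: "1"
      POST: "1"        # container create/start are POST; "0" makes it read-only
      # Keep these off: they expose the host and the whole cluster via the socket.
      SWARM: "0"
      NODES: "0"
      SECRETS: "0"
      CONFIGS: "0"
      SYSTEM: "0"
      VOLUMES: "0"
      BUILD: "0"
    networks:
      - docker-api     # port 2375 is never published, only reachable in here

  jenkins-agent:
    image: git.example.com:8444/devops/docker-services/jenkins-agent:linux-jdk11
    build: services/jenkins-agent
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375   # docker CLI targets the proxy
    networks:
      - docker-api

networks:
  docker-api:
    driver: overlay
```

Whatever the proxy does not forward is still reachable to anyone who can connect to the proxy, so keep the proxy off every network the build containers themselves can join.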

is there documentation on the second option, tls authentication?

are there any capabilities that may work? or a way to run the container as root from swarm

I am afraid your last question needs further explanation: is it still about tls and certificate auth?

no, the tls method doesn’t appear to be what I’m looking for. I’ve also tried sysbox but I keep getting the error
services.jenkins Additional property runtime is not allowed when I do

services:
  jenkins:
    image: git.example.com:8444/devops/docker-services/jenkins
    runtime: sysbox-runc
    build:
      context: services/jenkins
      args:
        - jenkins_version=2.346.2
        - plugin_cli_version=2.9.3
    volumes:
      - jenkins-home:/var/jenkins_home
    ports:
      - 443:443
      - 636:636
      - 3268:3268
      - 50000:50000
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]

I am not sure how this is related with access to the docker engine…

Have you checked the compose file 3 reference? You should make it a habit, as things that can not be found there usually don’t exist for this schema version and are therefore not available for swarm deployments.

Docker in docker doesn’t work for a rootless CI/CD deployment; that says to use the sysbox runtime in order to properly run docker in docker. I installed sysbox and set the container runtime to use it, following the docs. But now I get an error.

I want to be able to deploy both Jenkins and the Jenkins Agents to a swarm and have them be able to kick off containerized builds from each. I need all the agents to be able to run docker in order to spin up more containers.