Cannot add docker group in alpine

We are building an image inside a Docker container, actually mounting ‘/var/run/docker.sock’ but using root as the user. It’s absolutely not good to use root. So we tried to use our build user, named ‘jenkins’, inside the container; we just needed to create a docker group according to the gid of ‘/var/run/docker.sock’ and then add jenkins to the group. However, we failed to add jenkins to the docker group.

Here is part of our Dockerfile:

FROM docker:1.12.6

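# Install the AWS CLI, then remove pip and the apk cache
RUN mkdir -p /aws \
    && apk -Uuv add groff \
    && pip install awscli \
    && apk --purge -v del py-pip \
    && rm /var/cache/apk/*

# Create the jenkins group and user with the same numeric id
RUN addgroup -g $JENKINS_ID jenkins && adduser -D -G jenkins -u $JENKINS_ID jenkins
# Passwordless sudo for jenkins
RUN echo "jenkins ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers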

USER jenkins

And the following were the commands we ran:

14:14 $ docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock test_api
jenkins $ sudo addgroup -g $(ls -l /var/run/docker | awk '{print $4}') docker
jenkins $ sudo addgroup jenkins docker
jenkins $ id
uid=510(jenkins) gid=510(jenkins) groups=510(jenkins)
jenkins $ id jenkins
uid=510(jenkins) gid=510(jenkins) groups=510(jenkins),510(jenkins),50(docker)
jenkins $ docker ps -a
Cannot connect to the Docker daemon. Is the docker daemon running on this host?

It looks like we added jenkins to the docker group, but the current user was not added, even though the current user is jenkins. It’s very odd… Any suggestions?

Belated answer, but it may help others.

The problem here is that even though user jenkins was added to the docker group, the new group membership has not taken effect on the shell.

The fix is to do the group addition while launching the container:

docker run --rm -ti --group-add $(stat -c '%g' /var/run/docker.sock) -v /var/run/docker.sock:/var/run/docker.sock test_api

But beyond this, running Jenkins + Docker CLI in a container with a /var/run/docker.sock mount may be fine in some cases, but you’ll run into problems if your Jenkins pipeline has docker build or run steps in it (a common pattern).

This blog, which I wrote, has a bunch of info on the types of problems you’ll face and shows a clean solution based on running Jenkins + Docker CLI + Docker daemon inside a Docker container. The solution has already helped others in this forum.

I recently founded a company called Nestybox that has developed a container runtime (runc) that enables running Docker-in-Docker securely, without using privileged containers. It allows solutions like the one I described above, which may save you lots of headaches when using Jenkins + Docker.
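
The gap between `id` and `id jenkins` in the question's session, as an added example that is not part of the original thread: the script compares the groups the running process holds with the groups the group database lists for the user, and reports which case applies to a group-owned socket. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# gid_in_list GID "GID GID ..." -> returns 0 if GID is in the list
gid_in_list() {
    for g in $2; do
        if [ "$g" = "$1" ]; then return 0; fi
    done
    return 1
}

# classify_access SOCK_GID PROC_GIDS DB_GIDS
#   PROC_GIDS: groups the running process holds (what plain `id -G` prints)
#   DB_GIDS:   groups /etc/group lists for the user (what `id -G USER` prints)
classify_access() {
    if gid_in_list "$1" "$2"; then
        echo ok
    elif gid_in_list "$1" "$3"; then
        echo stale      # group database updated, process credentials not
    else
        echo missing    # user is not in the group anywhere
    fi
}

# diagnose_socket PATH USER: gather the three inputs on a live system.
diagnose_socket() {
    sock_gid=$(stat -c '%g' "$1") || return 2
    verdict=$(classify_access "$sock_gid" "$(id -G)" "$(id -G "$2")")
    case $verdict in
        ok)      echo "process already holds gid $sock_gid" ;;
        stale)   echo "$2 is in gid $sock_gid in /etc/group, but this process" \
                      "started before that; relaunch with --group-add $sock_gid" ;;
        missing) echo "$2 is not in gid $sock_gid; launch with --group-add $sock_gid" ;;
    esac
}

# Runs only with arguments, e.g.: sh check.sh /var/run/docker.sock jenkins
if [ "$#" -ge 2 ]; then
    diagnose_socket "$1" "$2"
fi
```

With the values from the session above (socket gid 50, `id` showing only 510, `id jenkins` showing 510 and 50), the verdict is `stale`.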