Permission denied when connecting to docker daemon on jenkinsci/blueocean image deployed to kubernetes

5/23/2019

Summary

Running a declarative pipeline job in jenkins which was deployed to a kubernetes cluster fails when using the docker agent with the following error:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/images/create?fromImage=node&tag=10.15.1: dial unix /var/run/docker.sock: connect: permission denied

How can I solve this permission error in the kubernetes declaration?

Background

We have a jenkins server which was deployed to a kubernetes cluster using the jenkinsci/blueocean image. The kubernetes declaration as done as follows:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: jenkins-master
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: jenkins-master
    spec:
      terminationGracePeriodSeconds: 10
      serviceAccountName: jenkins
      containers:
        - name: jenkins-master
          image: jenkinsci/blueocean
          imagePullPolicy: Always
          ports:
            - name: http-port
              containerPort: 8080
            - name: jnlp-port
              containerPort: 50000
          env:
            - name: "JAVA_OPTS"
              value: "-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.HEARTBEAT_CHECK_INTERVAL=3600"
          volumeMounts:
            - name: jenkins-home
              mountPath: /var/jenkins_home
            - name: docker-socket
              mountPath: /var/run/docker.sock
      volumes:
        - name: jenkins-home
          persistentVolumeClaim:
            claimName: jenkins
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
            type: File

We then declare a declarative pipeline jenkins job as follows:

pipeline {
  agent {
    docker {
      image 'node:10.15.1'
      label 'master'
    }
  }
  stages {
    stage('Checkout source code') {
      steps {
          checkout scm
      }
    }
    stage('Build project') {
      steps {
        sh 'npm install'
        sh 'npm run compile'
      }
    }
    stage('Run quality assurance') {
      steps {
        sh 'npm run style:check'
        sh 'npm run test:coverage'
      }
    }
  }
}

This job fails with the aforementioned error. My suspicion is that the docker socket was mounted into the system, but the user running the job does not have permission to execute the socket. I, however, cannot add the user to the group in the created pod using sudo usermod -a -G docker $USER since the pod will be recreated upon each redeploy.

Questions

  1. Is it possible to mount the docker volume using the correct user in the kubernetes declaration?
  2. Can I declare the pipeline differently, if it is not possible to set up the permission in the kubernetes declaration?
  3. Is there some other solution which I have not thought about?

Thanks.

-- Awemo
docker
jenkins
jenkins-pipeline
kubernetes

1 Answer

6/6/2019

I, however, cannot add the user to the group in the created pod using sudo usermod -a -G docker $USER since the pod will be recreated upon each redeploy.

Actually, you can.

Define a usermod command for your container in the deployment yaml, e.g

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: jenkins-master
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: jenkins-master
    spec:
      terminationGracePeriodSeconds: 10
      serviceAccountName: jenkins
      containers:
        - name: jenkins-master
          image: jenkinsci/blueocean
          imagePullPolicy: Always
          ports:
            - name: http-port
              containerPort: 8080
            - name: jnlp-port
              containerPort: 50000
          env:
            - name: "JAVA_OPTS"
              value: "-Dorg.jenkinsci.plugins.durabletask.BourneShellScript.HEARTBEAT_CHECK_INTERVAL=3600"
            - name: "USER"
              value: "Awemo"
          volumeMounts:
            - name: jenkins-home
              mountPath: /var/jenkins_home
            - name: docker-socket
              mountPath: /var/run/docker.sock
          command: ["/bin/sh"]
          args: ["-c", "usermod -aG docker $USER"]
      volumes:
        - name: jenkins-home
          persistentVolumeClaim:
            claimName: jenkins
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
            type: File

So, whenever a new pod is created, a user will be added to the docker usergroup

-- A_Suh
Source: StackOverflow