Cleanup the docker permission issues. (jenkinsci#1706)
* Cleanup the docker permission issues.

The permissions on the mounted docker.sock were incorrect for the
current user, which led to workarounds setting the docker binary SUID.

However this was a bit hacky and if programmatic access to docker was
needed (e.g. TestContainers, or anything else that used the socket and
not the binary) then access would fail.

Rather than set the binary SUID which only works for some of the docker
use cases, we add the ath-user to the docker group that has access to
the socket on the host at run time.

* Update method of obtaining docker group

Suggested by @dduportal that for docker-desktop on mac the permission
needed needs to be obtained from the server (so spawn a container and
check it!)

* use ubuntu:noble to avoid pulling a new image
jtnord authored Sep 5, 2024
1 parent 93f5d22 commit 180888e
Showing 3 changed files with 6 additions and 6 deletions.
3 changes: 2 additions & 1 deletion Jenkinsfile
Expand Up @@ -125,7 +125,8 @@ for (int i = 0; i < splits.size(); i++) {
def image = skipImageBuild ? docker.image('jenkins/ath') : docker.build('jenkins/ath', '--build-arg uid="$(id -u)" --build-arg gid="$(id -g)" ./src/main/resources/ath-container/')
sh 'mkdir -p target/ath-reports && chmod a+rwx target/ath-reports'
def cwd = pwd()
image.inside("-v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
def dockergid = sh label: 'get docker group', returnStdout: true, script: 'getent group docker | cut -d: -f3'
image.inside("--group-add ${dockergid} -v /var/run/docker.sock:/var/run/docker.sock -v '${cwd}/target/ath-reports:/reports:rw' --shm-size 2g") {
def exclusions = splits.get(index).join('\n')
writeFile file: 'excludes.txt', text: exclusions
infra.withArtifactCachingProxy {
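Review bot: the `getent group docker | cut -d: -f3` lookup on the new `dockergid` line has no failure handling and is not trimmed, so on an agent where no group is literally named `docker` (or where `returnStdout` leaves its trailing newline) `--group-add ${dockergid}` is passed with an empty or newline-terminated value and the `inside` call fails with an unhelpful docker error. It is also a different method from the one this same commit adds to `ath-container.sh`, which reads the socket's actual gid with `stat -c %g` from inside a throwaway container; that method is the one that works for Docker Desktop per the commit message, so the Jenkinsfile should either use the same approach or at least `.trim()` the result and fail fast with a clear message when it is empty, for example `def dockergid = sh(returnStdout: true, script: '...').trim()` followed by an `if (!dockergid) error(...)` check.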
4 changes: 4 additions & 0 deletions ath-container.sh
Expand Up @@ -26,6 +26,9 @@ docker build \
"$DIR/src/main/resources/ath-container" \
-t "$tag"

# obtain the groupId to grant to access the docker socket
dockergid=$(docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ubuntu:noble stat -c %g /var/run/docker.sock)

docker run \
--interactive \
--tty \
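Review bot: the new `dockergid=$(docker run --rm ... ubuntu:noble stat -c %g /var/run/docker.sock)` line trusts that the helper container succeeds; if the `docker run` fails (daemon down, image not available offline) `dockergid` is empty and, unless the script has `set -e` above this hunk, the later unquoted `--group-add ${dockergid}` is emitted as a bare `--group-add` that swallows the following `-v` argument, producing a confusing error rather than a clear one. Add a check such as `[ -n "$dockergid" ] || { echo "could not determine docker.sock group" >&2; exit 1; }` right after the assignment. Also worth a comment here: whatever gid the daemon side reports is granted verbatim, so if the socket is owned by group 0 the container user is added to the root group; that is still far less than the removed SUID docker binary, but it is a property readers of this script should see spelled out, together with the fact that the socket mount itself already gives the container control of the host daemon.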
Expand All @@ -34,6 +37,7 @@ docker run \
--user ath-user \
--workdir /home/ath-user/sources \
--shm-size 2g \
--group-add ${dockergid} \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$(pwd):/home/ath-user/sources" \
-v "${HOME}/.m2/repository:/home/ath-user/.m2/repository" \
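Review bot: `--group-add ${dockergid} \` is the only variable expansion in this `docker run` invocation that is left unquoted, while the neighbouring `-v "$(pwd):..."` and `-v "${HOME}/..."` lines are quoted; write it as `--group-add "${dockergid}" \` for consistency and so that an empty value produces a single empty argument (and an immediate, readable docker error) instead of shifting the remaining flags.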
5 changes: 0 additions & 5 deletions src/main/resources/ath-container/Dockerfile
Expand Up @@ -86,11 +86,6 @@ RUN deluser --remove-home ubuntu \
&& groupadd ath-user -g $gid \
&& useradd ath-user -l -c 'ATH User' -u $uid -g $gid -m -d /home/ath-user -s /bin/bash

# Set SUID and SGID for docker binary so it can communicate with mapped socket its uid:gid we can not control. Alternative
# approach used for this is adding ath-user to the group of /var/run/docker.sock but that require root permission we do not
# have in ENTRYPOINT as the container is started as ath-user.
RUN chmod ug+s /usr/bin/docker*

# Give permission to modify the alternatives links to change the java version in use
RUN chmod u+s "$(which update-alternatives)"

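Review bot: dropping `RUN chmod ug+s /usr/bin/docker*` is the right call, since a setuid/setgid docker client is effectively a root shell inside the container for anyone who can run it, but the removed comment was also the only place that documented why socket access used to work, and nothing replaces it. The image now depends on being started with `--group-add <gid of /var/run/docker.sock>`, and a plain `docker run` with the socket mounted will fail with a permission denied on the socket; add a short comment where the block was removed (or in the README) stating that requirement and pointing at `ath-container.sh`. Note also that the unchanged `RUN chmod u+s "$(which update-alternatives)"` two lines below is now the only remaining setuid binary added by this Dockerfile and deserves the same scrutiny in a follow-up.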

0 comments on commit 180888e