So I'm working with a slightly unusual setup: I have an OpenShift Container Platform cluster running Jenkins from the openshift3/jenkins-2-rhel7 image.
I'm trying to run docker build . within a Jenkins pipeline and I'm getting a "Cannot connect to the Docker daemon" error. I don't understand why Docker is installed on the machine yet not running, and I currently have no access to the OpenShift server other than through the CLI and the web console. Does anyone have recommendations on how to get docker build . to run successfully from Jenkins, with or without slaves?
node("master") {
    withEnv(["PATH=${tool 'docker'}/bin:${env.PATH}"]) {
        docker.withRegistry('dockertest') {
            git url: "https://github.com/mydockertag/example.git", credentialsId: 'dockertest'
            stage "build"
            sh "docker build -t mydockertag/example -f ./Dockerfile ."
            stage "publish"
        }
    }
}
After running the build command I get the following error:
+ docker build -t mydockertag/example -f ./Dockerfile .
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
There can be two reasons for the error "Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?":
1. Docker is running, but the user executing the docker command does not have permission to talk to /var/run/docker.sock. Try using 'sudo docker build'. If you do not wish to use sudo every time, you can add your user to the docker group by following the post-installation steps here (https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user).
2. The Docker daemon is not running at all. You will have to start the Docker daemon manually.
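To tell the two cases apart before reaching for sudo, a small check along these lines may help. It is only a sketch: the function name diagnose_docker_socket is made up for this example, and it only inspects the socket file, so it cannot tell whether a daemon is actually listening behind it.

```shell
#!/bin/sh
# Hypothetical helper (not part of Docker): classify the state of a socket path.
# Prints one of: missing, no-permission, accessible.
diagnose_docker_socket() {
    sock=${1:-/var/run/docker.sock}
    if [ ! -S "$sock" ]; then
        # No socket file at this path: the daemon is not running here,
        # or the socket was not mounted into this container.
        echo "missing"
    elif [ ! -r "$sock" ] || [ ! -w "$sock" ]; then
        # The socket exists, but the current user may not read/write it.
        echo "no-permission"
    else
        echo "accessible"
    fi
}
```

Running diagnose_docker_socket with no argument inside the Jenkins container checks the default path /var/run/docker.sock. In a container without a mounted socket, "missing" would be the expected answer.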
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
RUN useradd -g root -G sudo -u 1001 user && \
    chown -R user:root /some/directory && \
    chgrp -R 0 /some/directory && \
    chmod -R g=u /some/directory
# Specify the user by UID
USER 1001
Refer to the section "Support Arbitrary User IDs" in the guidelines from OpenShift.
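As a rough illustration of what the chmod -R g=u step does, here is a sketch; the function name is invented for this example, and the chgrp to GID 0 step is left out because it needs suitable privileges outside an image build.

```shell
#!/bin/sh
# Hypothetical helper: give the group the same permission bits as the owner
# for everything under the given path, like `chmod -R g=u` in the Dockerfile.
mirror_owner_perms_to_group() {
    chmod -R g=u "$1"
}
```

For example, a file with mode 600 ends up with mode 660 after the call. Once the files also belong to group 0, a process running with an arbitrary UID but GID 0 can write wherever the owner could.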
We are running a Kubernetes cluster for building Jenkins jobs. For the pods we are using the odavid/jenkins-jnlp-slave JNLP docker image. I mounted the /var/run/docker.sock to the pod container and added jenkins(uid=1000) user to the docker group on the host systems.
When running a shell script job in Jenkins with e.g. docker ps it fails with error docker: not found.
$ /bin/sh -xe /tmp/jenkins6501091583256440803.sh
+ id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
+ docker ps
/tmp/jenkins2079497433467634278.sh: 8: /tmp/jenkins2079497433467634278.sh: docker: not found
Build step 'Execute shell' marked build as failure
Finished: FAILURE
The interesting thing is that when connecting into the pod manually and executing docker commands directly in the container as jenkins user, it works:
kubectl exec -it jenkins-worker-XXX -- /bin/bash
~$ su - jenkins
~$ id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins),1000(jenkins)
~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS
What is Jenkins doing differently in its job? Same user, same container; the only difference is that groups=1000(jenkins),1000(jenkins) lists 1000(jenkins) twice when connecting manually. What am I missing?
/var/run/docker.sock is just the host socket that allows docker client to run docker commands from the container.
What you are missing is the docker client in your container.
Download the docker client manually, place it on a persistent volume, and ensure that the docker client is in the system path. Also, ensure that the docker client is executable.
This command will do it for you. You may have to get the right version of the docker client for your environment:
curl -fsSLO https://get.docker.com/builds/Linux/x86_64/docker-17.03.1-ce.tgz &&
tar --strip-components=1 -xvzf docker-17.03.1-ce.tgz -C /usr/local/bin
You may even be able to install the docker client using the package manager for your image.
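Since the command was found in an interactive login shell but not in the job, it may also be worth comparing PATH in both places. The following sketch can be pasted into the "Execute shell" step; client_on_path is a name made up for this example.

```shell
#!/bin/sh
# Hypothetical helper: report whether an executable with the given name is on PATH.
client_on_path() {
    command -v "$1" >/dev/null 2>&1
}

# Print where the docker client would be picked up from, if anywhere.
if client_on_path docker; then
    echo "docker client found at: $(command -v docker)"
else
    echo "no docker client on PATH: $PATH"
fi
```

If the job prints a PATH that lacks the directory where the client lives in your manual session, that difference, rather than the socket, would explain the "docker: not found" message.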
I have been working through the docker book and I am now learning about CI. I tried to run this script within the execute shell of my build:
# Build the image to be used for this job.
IMAGE=$(sudo docker build . | tail -1 | awk '{ print $NF }')
# Build the directory to be mounted into Docker.
MNT="$WORKSPACE/.."
# Execute the build inside Docker.
CONTAINER=$(sudo docker run -d -v $MNT:/opt/project/ $IMAGE /bin/ bash -c 'cd /opt/project/workspace; rake spec')
# Attach to the container so that we can see the output.
sudo docker attach $CONTAINER
# Get its exit code as soon as the container stops.
RC=$(sudo docker wait $CONTAINER)
# Delete the container we've just used.
sudo docker rm $CONTAINER
# Exit with the same value as that with which the process exited.
exit $RC
Running this script ends in the build failing. It shows these two errors:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
and
sudo docker run -d -v /private/var/jenkins_home/jobs/${Docker_test_job}/workspace/..:/opt/project/ /bin/ bash -c cd /opt/project/workspace; rake spec
docker: invalid reference format.
See 'docker run --help'.
+ CONTAINER=
Build step 'Execute shell' marked build as failure
Recording test results
ERROR: Step ‘Publish JUnit test result report’ failed: No test report files were found. Configuration error?
Finished: FAILURE
I don't understand how to fix it as I've been following the instructions in the book. I tried using $PWD to try and fix my issue but that didn't work either.
Actually, the jenkins user does not have permission to run the docker command. To fix this, add your jenkins user to the docker group:
sudo usermod -aG docker jenkins
Then restart your Jenkins server so that it picks up the new group membership.
Be aware that the Docker documentation carries a warning: "The docker group grants privileges equivalent to the root user."
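The second error ("invalid reference format") looks like a consequence of the first: in the logged command nothing appears between the volume argument and /bin/, so IMAGE was empty after docker build failed, and docker run took the next argument as the image name. A guard along these lines makes the script stop at the real failure. It is a sketch, and require_value is a made-up helper name.

```shell
#!/bin/sh
# Hypothetical helper: fail with a clear message when a required value is empty.
# Usage: require_value NAME VALUE
require_value() {
    if [ -z "$2" ]; then
        echo "error: $1 is empty; did the previous docker command fail?" >&2
        return 1
    fi
}

# Intended use inside the build script (commented out because it needs Docker):
#   IMAGE=$(sudo docker build . | tail -1 | awk '{ print $NF }')
#   require_value IMAGE "$IMAGE" || exit 1
```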
I have a node-based project and following are the first few steps that are required to be executed as part of the build:
npm install
npm run build
docker build -t client .
The last command above builds the following Dockerfile:
FROM docker.artifactory.abc.net/nginx
COPY build /usr/share/nginx/html
COPY default.conf /etc/nginx/conf.d/default.conf
Content of .gitlab-ci.yml:
image: docker.artifactory.abc.net/docker/node:1.0
stages:
  - build
  - deploy
build:
  stage: build
  script:
    - npm install
    - npm run build
    - docker build -t client .
In the above .gitlab-ci.yml, I am using a custom node image (node:1.0), which contains the proxy settings for apk to work and the Artifactory configuration, so all dependencies are fetched through Artifactory. When I ran this build, I got a docker: command not found error on the last command (docker build -t client .), which is expected because the base image is for node and doesn't contain docker. So I added Docker setup instructions to the node Dockerfile based on this link, except for the last 3 lines, where it configures the ENTRYPOINT and CMD.
Now when i ran the build, i got:
$ docker build -t client .
Sending build context to Docker daemon 372.7MB
Step 1 : FROM docker.artifactory.abc.net/nginx
Get https://docker.artifactory.abc.net/v2/nginx/manifests/latest: unknown: Authentication is required
ERROR: Job failed: exit code 1
This error, in my past experience, has to do with running the docker login command. Since the Docker setup in the official image uses a tar archive, I had to add a docker group to /etc/group and then add the current user (root) to the docker group. I also added the docker login command to the Dockerfile, as shown below:
addgroup docker; \
adduser root docker; \
docker login docker.artifactory.abc.net -u svc-art -p "ZTg6#&kq"; \
After that, if I try building this Dockerfile, I get the following error:
+ dockerd -v
Docker version 17.05.0-ce, build v17.05.0-ce
+ docker -v
Docker version 17.05.0-ce, build v17.05.0-ce
+ adduser root docker
+ tail -2 /etc/group
node:x:1000:node
docker:x:101:root
+ docker login docker.artifactory.abc.net -u svc-art -p ZTg6#&kq
Warning: failed to get default registry endpoint from daemon (Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?). Using system default: https://index.docker.io/v1/
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
I also ran ls -ltr /var/run/docker.sock, and the Docker socket file was not present inside the image. This seems to be the issue.
Any idea how I can get this working?
Well, from the example you have provided I cannot see where you call your Docker service, so I assume you are not calling it. You are also not logging in to the registry.
Your pipeline should look something like this:
image: docker.artifactory.abc.net/docker/node:1.0
stages:
  - build
  - deploy
build:
  image: docker:latest
  services:
    - docker:dind
  stage: build
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.example.com
    - docker build -t registry.example.com/group/project/image:latest .
    - docker push registry.example.com/group/project/image:latest
You could also find more info here
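With a docker:dind service the daemon runs in a separate container and can take a moment to accept connections. A sketch of a small retry helper follows; wait_until is a hypothetical name, and using docker info as the probe is an assumption about what suits your runner.

```shell
#!/bin/sh
# Hypothetical helper: retry a command up to N times, one second apart.
# Usage: wait_until ATTEMPTS COMMAND [ARGS...]
wait_until() {
    attempts=$1
    shift
    i=1
    while [ "$i" -le "$attempts" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        # Sleep only when another attempt is still to come.
        if [ "$i" -lt "$attempts" ]; then
            sleep 1
        fi
        i=$((i + 1))
    done
    return 1
}

# In a CI script this could be used as (commented out; needs a Docker client):
#   wait_until 30 docker info || exit 1
```

Placed before docker login in the script section, this turns a race with the service start-up into a bounded wait instead of an immediate "Cannot connect to the Docker daemon" failure.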
I have Airflow running on an EC2 instance, and I am scheduling some tasks that spin up a Docker container. How do I do that? Do I need to install Docker in my Airflow container, and what is the next step after that? I have a YAML file that I am using to spin up the container, and it is derived from the puckel/airflow Docker image.
I got a simpler solution working which just requires a short Dockerfile to build a derived image:
FROM puckel/docker-airflow
USER root
RUN groupadd --gid 999 docker \
&& usermod -aG docker airflow
USER airflow
and then
docker build -t airflow_image .
docker run -v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /usr/bin/docker:/bin/docker:ro \
-v /usr/lib/x86_64-linux-gnu/libltdl.so.7:/usr/lib/x86_64-linux-gnu/libltdl.so.7:ro \
-d airflow_image
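The GID 999 in the Dockerfile only helps if it matches the group that owns /var/run/docker.sock on the host, and that number differs between systems. A sketch for looking it up follows; it assumes a stat that supports -c (GNU coreutils or BusyBox), and owning_gid is a name invented here.

```shell
#!/bin/sh
# Hypothetical helper: print the numeric group ID that owns a path.
# Relies on `stat -c`, available in GNU coreutils and BusyBox.
owning_gid() {
    stat -c '%g' "$1"
}

# On the Docker host one would run (commented out; the socket may not exist here):
#   owning_gid /var/run/docker.sock
```

The printed number is what would go into groupadd --gid in the derived image.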
Finally resolved
My EC2 setup is running Ubuntu Xenial 16.04 and uses a modified puckel/airflow Docker image that runs Airflow.
Things you will need to change in the Dockerfile:
1. Add USER root at the top of the Dockerfile:
USER root
2. Mounting the docker binary was not working for me, so I had to install the docker binary in my container:
# Install Docker from Docker Inc. repositories.
RUN curl -sSL https://get.docker.com/ | sh
3. Search for the wrapdocker file on the internet and copy it into the script directory in the folder where the Dockerfile is located. This starts the Docker daemon inside the Airflow container:
# Install the magic wrapper.
ADD ./script/wrapdocker /usr/local/bin/wrapdocker
RUN chmod +x /usr/local/bin/wrapdocker
4. Add airflow to the docker group so that Airflow can run Docker jobs:
RUN usermod -aG docker airflow
5. Switch back to the airflow user:
USER airflow
In the Docker Compose file, or in the command-line arguments to docker run, mount the Docker socket into the Airflow container that now has Docker installed:
- /var/run/docker.sock:/var/run/docker.sock
You should be good to go!
You can spin up docker containers from your airflow docker container by attaching volumes to your container.
Example:
docker run -v /var/run/docker.sock:/var/run/docker.sock:ro -v /path/to/bin/docker:/bin/docker:ro your_airflow_image
You may also need to attach some libraries required by docker. This depends on the system you are running Docker on. Just read the error messages you get when running a docker command inside the container; they will tell you what you need to attach.
Your airflow container will then have full access to Docker running on the host.
So if you launch docker containers, they will run on the host running the airflow container.
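Instead of waiting for the error messages, the unresolved libraries can also be listed up front. This is a sketch that assumes ldd is available in the container; missing_libs is a made-up name.

```shell
#!/bin/sh
# Hypothetical helper: list shared libraries a binary needs but cannot resolve.
# Prints nothing when every dependency is found (or the binary is static).
missing_libs() {
    ldd "$1" 2>/dev/null | grep 'not found' || true
}

# Inside the airflow container one would run (commented out; path from the example above):
#   missing_libs /bin/docker
```

Each line of output names a library that would need its own read-only -v mount from the host.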
I would like to run Docker shell commands on Jenkins like:
docker ps
Is it possible to do this without using any plugins? Since Jenkins isn't a regular user but a service account, how can I add it to the docker group?
First execute
sudo groupadd docker
Then execute
sudo usermod -aG docker $USER
Then log out. This is important because your group membership is only re-evaluated at login.
Log in and try again:
docker ps
It works!
The following approach worked for me to run docker commands without any plugins.
Rather than adding the jenkins user to the docker group, I allowed the jenkins user to run sudo commands without prompting for a password, and then created an alias to avoid typing sudo, both in the Dockerfile for the Jenkins slave. I had to install the docker client in the container, which connects to the daemon running on the host machine.
## allowing jenkins user to run sudo commands
RUN echo "jenkins ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
## avoid typing sudo in command line
RUN echo "alias docker='sudo docker '" >> /home/jenkins/.bashrc
(Taken from this answer: https://askubuntu.com/a/477554)
If you run on Ubuntu and Jenkins runs directly on the host machine (i.e. not inside a Docker container):
Add the docker group if it doesn't already exist:
sudo groupadd docker
Add the user "jenkins" to the docker group:
sudo gpasswd -a jenkins docker
Restart the Docker daemon:
sudo service docker restart
Either do a newgrp docker or log out/in to activate the changes to groups.
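To confirm that the change landed, the group database can be queried with id -nG jenkins. That shows configured membership, while a Jenkins process that is already running keeps its old groups until it is restarted. A sketch of a small check follows; list_has_group is a name invented for this example.

```shell
#!/bin/sh
# Hypothetical helper: succeed if GROUP appears in a space-separated group list.
# Usage: list_has_group "LIST" GROUP
list_has_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Intended use on the Jenkins host (commented out; the jenkins user may not exist here):
#   list_has_group "$(id -nG jenkins)" docker && echo "jenkins is in the docker group"
```

Running plain id inside a Jenkins job, as in the Kubernetes question above, shows the groups of the running process instead, which is the list that actually decides access to the socket.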
I had this issue when running from a Jenkins pipeline. I added the jenkins user to the docker group, restarted the Docker engine, and rebooted the machine as well. However, I still got the same error: dial unix /var/run/docker.sock: connect: permission denied.
Finally I added jenkins to the root group, and that resolved my issue (Ubuntu 18.04, VM on Azure):
sudo gpasswd -a jenkins root
sudo service docker restart