Stefan Kuhn edited this page Nov 2, 2017 · 13 revisions

Jenkins Docker Image runs Docker on host

The "Official Jenkins Docker image" works fine, but Jenkins cannot start Docker in it without modifications:

  • Docker socket on host must belong to group docker on host (create group docker on host)
  • Docker socket on host must be mapped to the container
  • Docker container must run with --privileged flag
  • Docker must be installed in the container
  • Jenkins user must be allowed to start Docker in the container (in a group with the same GID as the docker group on the host)

Quite a few if you ask me - and I did not find a tutorial that covers all points!

These are the reasons for this small project: Provide an image that contains everything possible and a tutorial on what has to be configured outside the Docker image.

Quick start:

These are the minimal steps to get the image running:

  • On the host: Create a docker group, then restart Docker
    • /var/run/docker.sock must now be owned by the docker group.
  • Run the Docker image with these 2 additional parameters:
    • --privileged
    • -v /var/run/docker.sock:/var/run/docker.sock

Example of full run-command: docker run -d -v /var/run/docker.sock:/var/run/docker.sock --privileged -p 8080:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home --name jenkinsdockerimage jenkinsdockerimage

How-To

This is on Fedora, commands may vary on other OS. Assume sudo.

Install docker on host as service

yum install docker
systemctl start docker
systemctl enable docker

Create docker group on host

groupadd docker
newgrp docker

Restart Docker and check if the Docker socket is owned by group docker (was root):

systemctl restart docker
ls -alh /var/run/docker.sock

Test calling host docker from inside container

Save yourself some trouble and test this!

Start the docker image on the host's Docker and, from inside that container, start another Docker container.

docker run -v /var/run/docker.sock:/var/run/docker.sock --privileged -ti docker

This runs the docker image and opens a command line inside the image. Type:

docker run hello-world; exit

This runs the hello-world image and then closes the container.

You should not see any socket-permission-denied error!

Build the Docker image

Grab the Dockerfile and navigate to the same folder. Then build with:

docker build -t jenkinsdockerimage .

Run the Jenkins image

The full command could be:

docker run -d -v /var/run/docker.sock:/var/run/docker.sock --privileged -p 8080:8080 -p 50000:50000 -v jenkins_home:/var/jenkins_home --name jenkinsdockerimage jenkinsdockerimage
  • -d
    • detach: Run container in background and print container ID
  • -v /var/run/docker.sock:/var/run/docker.sock
    • bind/mount Docker socket
  • --privileged
    • Give extended privileges to this container
  • -p 8080:8080 -p 50000:50000
    • Publish ports for jenkins from container to host
  • -v jenkins_home:/var/jenkins_home
    • mount/persist Jenkins data folder as Docker volume named "jenkins_home"
  • --name jenkinsdockerimage
    • Name for the container
  • jenkinsdockerimage
    • The image

Test if Jenkins user in image can run docker

Again, save yourself some time, this has to work. Also helps when debugging.

Enter the container and try to run docker as jenkins user without sudo:

docker exec -u 0 -it jenkinsdockerimage bash
su jenkins
docker run hello-world
exit
exit    

Where is everything?

Jenkins

Open a browser to :8080. Once ready, it will ask for an unlock password. See below ...

Docker container logs

View the container logs with:

docker container logs jenkinsdockerimage

You should see the unlock password.

Jenkins data in Docker volume

The jenkins_home Docker volume should be in /var/lib/docker/volumes/jenkins_home/_data. Thus you can see the unlock password with:

cat /var/lib/docker/volumes/jenkins_home/_data/secrets/initialAdminPassword

You can see where the Docker volume is with:

docker volume inspect jenkins_home

Setup Jenkins

  • Enter the initial password
  • Install recommended plugins
  • Create first admin user

Test Jenkins

Credentials

In Jenkins > Credentials, add a credential of:

  • Kind: SSH Username with private key
  • Private Key: Enter directly

This is important and I had some problems using ssh-key on Jenkins outside Docker. ("enter directly" broken, files on Jenkins master are not in /home/jenkins/.ssh)

Add the public key to your GitHub account.

First Pipeline: Run Docker from Jenkins

Test the ssh-key and test if Jenkins can run Docker from this repo:

  1. Go to Jenkins Dashboard > New Item
  2. Name item: jenkinsdockerimage
  3. Select "Multibranch Pipeline" and OK
  4. Add Source > Git
  5. Enter this repository: [email protected]:Wuodan/jenkinsdockerimage.git
  6. Select the created ssh credentials
  7. Click save

You should see the Scan Multibranch Pipeline Log. Verify that the ssh authentication and the download were successful.

Build Log

Debugging

Enter the Jenkins Docker image as root with:

docker exec -u 0 -it jenkinsdockerimage bash

From there, switch to the jenkins user and test if it can run Docker:

su jenkins
sudo docker run hello-world; exit
exit
docker run hello-world && exit
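
When the hello-world test fails with a socket permission error, the usual cause is the GID requirement from the list at the top of this page: the group owning the mapped socket and the jenkins user's groups do not match by number. The script below is an added example, not part of the original project; the function names are made up for illustration and it assumes GNU stat, as on Fedora. It reports whether a user can reach the socket through group membership.

```shell
#!/bin/sh
# Added example: preflight check for "jenkins user must be in a group with
# the same GID as the docker group on the host". Function names are
# hypothetical; run it inside the container as root.

# Print the numeric GID that owns a file (GNU stat).
socket_gid() {
    stat -c '%g' "$1"
}

# Succeed if USER is a primary or supplementary member of numeric GID.
user_has_gid() {
    for g in $(id -G "$1"); do
        if [ "$g" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# Print a one-line diagnosis.
# Returns 0 = access via group, 1 = GID mismatch, 2 = socket not mapped.
check_socket_access() {
    sock=$1
    user=$2
    if [ ! -e "$sock" ]; then
        echo "MISSING: $sock is not mapped into this container"
        return 2
    fi
    gid=$(socket_gid "$sock")
    if user_has_gid "$user" "$gid"; then
        echo "OK: $user is in GID $gid, which owns $sock"
        return 0
    fi
    echo "MISMATCH: $sock is owned by GID $gid; $user has GIDs: $(id -G "$user")"
    return 1
}

# Example: sh check.sh /var/run/docker.sock jenkins
if [ "$#" -ge 2 ]; then
    check_socket_access "$1" "$2"
fi
```

A MISMATCH result names the GID the socket carries, which is the number a group inside the container must have for the jenkins user to use the socket without sudo.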