9

I've added the jenkins user to the docker group thinking that it would allow Jenkins jobs to run Docker commands. If I switch to the jenkins user, I can verify it works (manually):

ubuntu@hostname:~$ ps aux | grep java
jenkins   2210  9.5  7.5 1950316 292896 ?      Sl   00:01   1:00 /usr/bin/java -jar /data/jenkins/jenkins-1.586.war --httpPort=8080 -Xloggc:/var/log/jenkins/gc.log
ubuntu@hostname:~$ getent group docker
docker:x:999:jenkins
ubuntu@hostname:~$ ls -la /var/run/docker.*
-rw-r--r-- 1 root root   4 Oct 23 18:32 /var/run/docker.pid
srw-rw---- 1 root docker 0 Oct 23 18:32 /var/run/docker.sock
ubuntu@hostname:~$ sudo su -s /bin/bash jenkins
jenkins@hostname:/home/ubuntu$ docker ps
CONTAINER ID        IMAGE                      COMMAND                CREATED             STATUS              PORTS                     NAMES

However, during a Jenkins build/job it does not have permission:

# Job log
Started by user Matt Wright
Building on master in workspace /data/jenkins/jobs/docker-base-images-build/workspace
[ssh-agent] Using credentials CI-jenkins
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Java/JNR ssh-agent
[ssh-agent] Started.
 > git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url git@github.com:<redacted>/docker-base-images.git # timeout=10
Fetching upstream changes from git@github.com:<redacted>/docker-base-images.git
 > git --version # timeout=10
using GIT_SSH to set credentials 
 > git fetch --tags --progress git@github.com:<redacted>/docker-base-images.git +refs/heads/*:refs/remotes/origin/*
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision 83c4463e7195b412a3a803dd7338210c1a772f55 (refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 83c4463e7195b412a3a803dd7338210c1a772f55
 > git rev-list 83c4463e7195b412a3a803dd7338210c1a772f55 # timeout=10
[workspace] $ /bin/sh -xe /tmp/hudson5606381166745886966.sh
+ ./build.sh
Sending build context to Docker daemon 
2014/10/24 16:14:18 Post http:///var/run/docker.sock/v1.15/build?rm=1&t=<redacted>%2Fpython%3A3.4: dial unix /var/run/docker.sock: permission denied
Build step 'Execute shell' marked build as failure
[ssh-agent] Stopped.
Notifying upstream projects of job completion
Finished: FAILURE

This is with Docker 1.3.0 and Ubuntu 14.04.1. Any clues?

Matt W
  • 211
  • 1
  • 2
  • 6
  • Seems related to [this issue](https://github.com/docker/docker/issues/5314). Rebooting solved this for me. – smilly92 Oct 26 '14 at 11:31
  • Rebooting did not resolve this for me. – Matt W Oct 28 '14 at 00:08
  • 1
    It would seem that Jenkins drops groups other than Jenkins user's main group. When I run the id command from a shell as the Jenkins user I see that it's in the docker group, but when I run id in a freestyle job, it only shows the Jenkins user. I haven't figured out how to fix it yet. – Joseph Mulloy Jul 16 '15 at 22:06
  • First make sure you have the jenkins user in docker group. Then if the slave you have trouble with is connected to the master, disconnect and then reconnect it again. Do this through 'manage jenkins'/'manage nodes'. – arminmor Jan 17 '18 at 21:32

2 Answers2

12

I think giving jenkins group privileges to docker unix socket solves the issue. This can be modified with configuring docker daemon startup options in configuration file by adding this line

DOCKER_OPTS=' -G jenkins'

In ubuntu /etc/default/docker is the docker configuration file.

eldos
  • 241
  • 2
  • 5
1

Run groups command using jenkins. Do you see a docker group? If not, try to reboot that Jenkins slave. Or just kill the Jenkins slave.jar process: ps aux|grep jenkins

Vanuan
  • 147
  • 6
  • After doing a few of the steps above, the final piece to get it working was to reconnect the jenkins slave. Thanks for the tip. – Dean Poulin Mar 28 '17 at 17:00