How do i give a non root user access to docker when using docker-dind?
When running a dind
container, IE docker in docker, it its common place to volume mount /var/run/docker.sock:/var/run/docker.sock
from the host into the dind-container.
When this occurs, the PID is not only owned by root, but by a numeric group id from the host.
Running the following inside the container should show you the host GID:
$ ls -alh /var/run/docker.socksrw-rw---- 1 root 993 0 Apr 20 2017 /var/run/docker.sock
The above process is owned by group 993, 993 is derived from the host machines /etc/group -> docker role.
As it is nearly impossible to ensure that we have a common group id when the image is first built, the group id should be assigned at runtime using your docker-entrypoint.sh
file.
My personal goal is to get this runtime user of 'go' for a GO CD go-agent, but one could substitute this approach for jenkins or any other runtime user.
As the dind & go-agent are both based off alpine linux, the following will work for alpine-linux:
#setup docker group based on hosts mount gidecho "Adding hosts GID to docker system group"# this only works if the docker group does not already existDOCKER_SOCKET=/var/run/docker.sockDOCKER_GROUP=dockerBUILD_USER=goif [ -S ${DOCKER_SOCKET} ]; then DOCKER_GID=$(stat -c '%g' ${DOCKER_SOCKET}) #addgroup is distribution specific addgroup -S -g ${DOCKER_GID} ${DOCKER_GROUP} addgroup ${BUILD_USER} ${DOCKER_GROUP}fi
If you exec into the container, and cat your /etc/group file, you should see the following:
docker:x:993:go
In order to allow other users to access Docker you need to:
sudo groupadd dockersudo usermod -aG docker go
If you are running this command as the go
user, you need to logout and login after performing above task.