How to mount docker socket as volume in docker container with correct group

A bit late, but this might help other users who are struggling with the same problem:

The problem here is that the docker group on your docker host has a different group id from the id of the docker group inside your container. Since the daemon only cares about the id and not about the name of the group your solution will only work if these id's match by accident.

The way to solve this is by either using tcp instead of using a unix socket by using the -H option when starting Docker engine. You should be very careful with this, as this allows anyone who has access to this port to gain root access to your system.

A more secure way of fixing this is making sure that the docker group inside the container ends up having the same group id as the docker group outside of the container. You can do this using build arguments for your docker build:

Dockerfile:

FROM jenkinsciARG DOCKER_GROUP_IDUSER rootRUN curl -o /root/docker.tgz https://get.docker.com/builds/Linux/x86_64/docker-1.12.5.tgz && tar -C /root -xvf /root/docker.tgz && mv /root/docker/docker /usr/local/bin/docker && rm -rf /root/docker*RUN curl -L https://github.com/docker/compose/releases/download/1.7.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-composeRUN groupadd -g $DOCKER_GROUP_ID docker && gpasswd -a jenkins dockerUSER jenkins

And then building it using

docker build \   --build-arg DOCKER_GROUP_ID=`getent group docker | \   cut -d: -f3` -t my-jenkins-image .

After this you can run your image and have docker access as non-root

docker run \   -v /var/run/docker.sock:/var/run/docker.sock \   -p 8080:8080 \  -ti my-jenkins-image

Because this solution depends on supplying the correct group id to the docker daemon when the image is being built, this image would need to be built on the machine(s) where it is being used. If you build the image, push it and someone else pulls it on their machine, chances are that the group id's won't match again.

I used your dockerfile but did a small edit:

FROM jenkinsCOPY plugins.txt /usr/share/jenkins/plugins.txtRUN /usr/local/bin/plugins.sh /usr/share/jenkins/plugins.txtUSER rootRUN apt-get updateRUN groupadd docker && gpasswd -a jenkins dockerUSER jenkins

After building the image I can start it using (I'm on centos7):

docker run -d \-v /var/run/docker.sock:/var/run/docker.sock \     -v $(which docker):/usr/bin/docker:ro \     -v /lib64/libdevmapper.so.1.02:/usr/lib/x86_64-linux-gnu/libdevmapper.so.1.02 \     -v /lib64/libudev.so.0:/usr/lib/x86_64-linux-gnu/libudev.so.0 \     -p 8080:8080 \     --name jenkins \     --privileged=true -t -i \test/jenkins

You tried to install the package docker.io inside your image. But this package is also on your host (otherwise it's not possible to run docker containers on it). So It's recommended to mount this to your container instead of installing it in your docker file. I think the mounted /lib64/... is specific for Centos 7.

$ docker exec -it 9fc27d5fcec1 bashjenkins@9fc27d5fcec1:/$ whoami jenkinsjenkins@9fc27d5fcec1:/$ docker psCONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                               NAMES9fc27d5fcec1        test                "/bin/tini -- /usr/lo"   6 minutes ago       Up 6 minutes        0.0.0.0:8080->8080/tcp, 50000/tcp   jenkins