简体繁体 English

使用在Docker容器内运行的Jenkins构建Docker镜像

[英]Building Docker images with Jenkins that runs inside a Docker container

原文 2016-12-04 16:26:12 4 2 security/ jenkins/ docker

I was reading this article about setting up Jenkins running inside a Docker container in a way that Jenkins is able to build Docker images itself. 我正在阅读这篇关于设置Jenkins在Docker容器内运行的文章，Jenkins能够以自己的方式构建Docker镜像。 Although this solution works, there are some security issues as also pointed out by the author. 虽然这种解决方案有效，但作者也指出了一些安全问题。

The main security problem lies in the fact that Jenkins needs to run Docker commands, which requires a mount of the Docker socket inside the Jenkins container (plus Jenkins need sudo to be able to run Docker commands). 主要的安全问题在于Jenkins需要运行Docker命令，这需要在Jenkins容器内安装Docker套接字（加上Jenkins需要sudo才能运行Docker命令）。 So whoever has access to the Jenkins web interface can run any command with full access to the host system (via running a docker container). 因此，无论谁有权访问Jenkins Web界面，都可以运行任何具有对主机系统的完全访问权限的命令（通过运行docker容器）。

Therefore I'm wondering if I someone has some ideas to make this setup more secure. 因此，我想知道我是否有人想让这个设置更安全。 Not running Jenkins inside a Docker container (but directly on the host system) does not seem more secure to me since Jenkins still needs the be able to execute Docker commands (with sudo) to build new images leaving the Jenkins user still able to start up any arbitrary container. 没有在Docker容器中运行Jenkins（但是直接在主机系统上）对我来说似乎不太安全，因为Jenkins仍然需要能够执行Docker命令（使用sudo）来构建新映像，而Jenkins用户仍然能够启动任意容器。 Using a firewall would be an option to limit the IP's from which Jenkins can be reached, but I was hoping that there might be some other solutions to decrease security risks. 使用防火墙可以选择限制可以访问Jenkins的IP，但我希望可能还有其他一些解决方案可以降低安全风险。

Edit I forgot to mention that Jenkins should also be able to start the (newly created) containers on the same machine. 编辑我忘了提到Jenkins也应该能够在同一台机器上启动（新创建的）容器。

2 个解决方案

Docker remote API exposes various endpoints to deal with images like creation, listing, inspecting etc., Refer https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/images . Docker远程API公开了各种端点来处理创建，列表，检查等图像，请参阅https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/images 。

Invoking the endpoint https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/create-an-image as a build step might help to build an image from a Dockerfile. 调用端点https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/create-an-image作为构建步骤可能有助于从Dockerfile构建映像。

I suppose you are something like this. 我想你是这样的。

You can mount the docker sock while running your images. 您可以在运行图像时安装docker sock。 -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):/usr/bin/docker and you can access docker inside jenkins container. -v /var/run/docker.sock:/var/run/docker.sock -v $（哪个docker）：/ usr / bin / docker你可以访问jenkins容器里面的docker。

Please follow the below link http://container-solutions.com/running-docker-in-jenkins-in-docker/ 请点击以下链接http://container-solutions.com/running-docker-in-jenkins-in-docker/