Unable to connect to docker.sock when it exists with permissions running inside docker container

I'm setting up a base image that has docker installed and configured so when I run my jenkins pipeline I can do anchore scanning. I have to pull the anchore image inside the docker image because my pipeline is running on a docker agent. However, even running locally trying to build a docker image and just run a simple hello-world docker container or do a docker pull fails to connect to the docker socket. I added the root user to the docker group, I even chmod 777 and a+xX to the docker.sock. For some reason it's in both /run/docker.sock and /var/run/docker.sock; it seems it gets symlinked. I'm using ubuntu:18.04-bionic release to build from and installing from the ubuntu repository. The Ubuntu image doesn't have systemd installed and when I install systemd it says it wasn't started with boot which means it has to be installed on boot when the image starts up. I start it with service docker start.

Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for dbus (1.12.2-1ubuntu1) ...
/usr/bin/docker
/usr/share/bash-completion/completions/docker
/etc/init.d/docker
/etc/default/docker
/etc/docker
 * Starting Docker: docker
   ...done.
/run/docker.sock
total 32K
drwxr-xr-x 1 root    root    4.0K Oct 31 17:49 .
drwxr-xr-x 1 root    root    4.0K Oct 31 17:49 ..
drwxr-xr-x 2 dnsmasq nogroup 4.0K Oct 31 17:49 dnsmasq
drwx------ 4 root    root    4.0K Oct 31 17:49 docker
-rw-r--r-- 1 root    root       6 Oct 31 17:49 docker-ssd.pid
srwxrwxrwx 1 root    docker     0 Oct 31 17:49 docker.sock
drwxrwxrwt 2 root    root    4.0K Oct 18 21:02 lock
drwxr-xr-x 2 root    root    4.0K Oct 18 21:02 mount
drwxr-xr-x 2 root    root    4.0K Oct 19 00:47 systemd
-rw-rw-r-- 1 root    utmp       0 Oct 18 21:02 utmp
total 32K
drwxr-xr-x 1 root    root    4.0K Oct 31 17:49 .
drwxr-xr-x 1 root    root    4.0K Oct 31 17:49 ..
drwxr-xr-x 2 dnsmasq nogroup 4.0K Oct 31 17:49 dnsmasq
drwx------ 4 root    root    4.0K Oct 31 17:49 docker
-rw-r--r-- 1 root    root       6 Oct 31 17:49 docker-ssd.pid
srwxrwxrwx 1 root    docker     0 Oct 31 17:49 docker.sock
drwxrwxrwt 2 root    root    4.0K Oct 18 21:02 lock
drwxr-xr-x 2 root    root    4.0K Oct 18 21:02 mount
drwxr-xr-x 2 root    root    4.0K Oct 19 00:47 systemd
-rw-rw-r-- 1 root    utmp       0 Oct 18 21:02 utmp
docker: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?.
See 'docker run --help'.

My Dockerfile

FROM ubuntu:bionic

#requirements
#docker
#kubectl
#terraform
#kops
#mysql
#systemd


ENV DEBIAN_FRONTEND=noninteractive \
    NVM_VERSION=0.33.11 \
    NODE_VERSION=9.11.1

RUN set -e && \
    echo "NODE_VERSION: $NODE_VERSION" && \
    apt-get update --yes && \
    apt-get install git \
                    gnupg \
                    wget \
                    curl \
                    apt-utils \
                    gcc \
                    g++ \
                    make \
                    build-essential \
                    nginx \
                    python \
                    vim \
                    gnupg \
                    gnupg2 \
                    net-tools \
                    software-properties-common \
                    npm \
                    curl \
                    libxss1 \
                    libappindicator1 \
                    libindicator7 \
                    apt-utils \
                    fonts-liberation \
                    xfonts-cyrillic \
                    xfonts-100dpi \
                    xfonts-75dpi \
                    xfonts-base \
                    xfonts-scalable \
                    libappindicator3-1 \
                    libasound2 \
                    libatk-bridge2.0-0 \
                    libgtk-3-0 \
                    libnspr4 \
                    libnss3 \
                    libx11-xcb1 \
                    libxtst6 \
                    xdg-utils \
                    lsb-release \
                    xvfb \
                    python-pip \
                    default-jre \
                    gtk2-engines-pixbuf -y && \
    wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
    dpkg -i google-chrome*.deb && \
    NVM_DIR="$HOME/.nvm" && \
    PROFILE="$HOME/.profile" && \
    git clone --branch "v$NVM_VERSION" --depth 1 https://github.com/creationix/nvm.git "$NVM_DIR" && \
    echo >> "$PROFILE" && \
    echo 'export NVM_DIR="$HOME/.nvm"' >> "$PROFILE" && \
    echo '[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"  # This loads nvm' >> "$PROFILE" && \
    echo '[ -s "$NVM_DIR/bash_completion" ] && . "$NVM_DIR/bash_completion" # This loads nvm bash_completion' >> "$PROFILE" && \
    . $NVM_DIR/nvm.sh && \
    nvm install $NODE_VERSION && \
    apt-get install npm --yes && \
    rm -rf /usr/lib/openssh/ssh-keysign && \
    mkdir -p /tmp/nginx && \
    pip install awscli && \
    wget https://github.com/kubernetes/kops/releases/download/1.10.0/kops-linux-amd64 && \
    wget https://storage.googleapis.com/kubernetes-release/release/v1.8.4/bin/linux/amd64/kubectl && \
    cp kops-linux-amd64 /usr/local/bin/kops && \
    cp kubectl /usr/local/bin/kubectl && \
    chmod a+xX /usr/local/bin/kubectl && \
    chmod a+xX /usr/local/bin/kops && \
    apt install docker.io -y && \
    find / -name 'docker' && \
    usermod -aG docker root && \
    service docker start && \
    find / -name 'docker.sock' && \
    chmod a+xX /run/docker.sock && \
    chmod 777 /run/docker.sock && \
    # this doesn't work because it exists in var/run as well which doesn't make sense because it's not there in the find command. ln -s /run/docker.sock /var/run/docker.sock && \
    ls -lah /run/ && \
    ls -lah /var/run/ && \
    docker run hello-world

RUN npm install --global lerna

EXPOSE 80

Tried everything I can think of. Looking for ideas...

If you're just trying to access the Docker daemon on the host, you don't need to also (attempt to) start the daemon inside the container; you just need a compatible /usr/bin/docker, and to use docker run -v to bind-mount the host's Docker socket into the container at startup time.

If you need to do basic Docker operations (docker pull, docker build, docker push) then the usual approach is to use the host's Docker daemon and not try to run your own. There are a couple of old blog posts advising against running Docker inside Docker; it's theoretically possible but leads to confusing questions about “which Docker am I talking to” and the setup is difficult in any case.

(All of the following statements are about 80% true: you can't start a background daemon in a Dockerfile; you can't service or systemctl anything inside Docker ever; you can't run the Docker daemon inside a Docker container. Trying to work around these usually isn't a best practice.)
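
As an added example (not part of the original question or answer), this Python check separates the cases that the single "Cannot connect to the Docker daemon" message hides: a missing path, a socket file nobody is listening on, a permission problem, and a daemon that answers. The function name and result labels are assumptions made for this illustration; `/_ping` is the Docker Engine API health endpoint.

```python
import os
import socket
import stat


def diagnose_docker_socket(path="/var/run/docker.sock", timeout=2.0):
    """Return (status, detail) explaining whether a daemon answers at `path`."""
    real = os.path.realpath(path)  # /var/run is usually a symlink to /run
    try:
        mode = os.stat(real).st_mode
    except FileNotFoundError:
        return "missing", f"{real} does not exist"
    if not stat.S_ISSOCK(mode):
        return "not-a-socket", f"{real} is not a Unix socket"
    perms = stat.filemode(mode)  # e.g. 'srwxrwxrwx'
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(real)
        # Minimal HTTP request over the Unix socket to the API health endpoint.
        sock.sendall(b"GET /_ping HTTP/1.0\r\nHost: docker\r\n\r\n")
        reply = sock.recv(4096)
    except PermissionError:
        return "permission-denied", f"{perms}: this user may not connect"
    except ConnectionRefusedError:
        # The file exists, but no process is listening on it.
        return "no-daemon", f"{perms}: socket file exists, nothing is listening"
    except socket.timeout:
        return "no-reply", "connected, but nothing answered /_ping"
    except OSError as exc:
        return "error", str(exc)
    finally:
        sock.close()
    status_line = reply.split(b"\r\n", 1)[0]
    if status_line.startswith(b"HTTP/") and b" 200" in status_line:
        return "ok", "daemon answered /_ping"
    return "unexpected-reply", repr(status_line)


if __name__ == "__main__":
    print(diagnose_docker_socket())
```

A socket file that lists as `srwxrwxrwx`, as in the question, can still yield `no-daemon`: file permissions are not the obstacle when nothing is listening. Bind-mounting the host socket, as the answer suggests, gives the container control of the host's Docker daemon, so reserve it for build agents you trust.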
