无法连接到 jenkins docker 容器内的 docker 容器 MacOS

Question

After two full days reading and trying thing, I humbling come here to ask how to make this work, because nothing from the other answers helped me to make this work.

I'm on a macos 10.13.6 (High Sierra)

Running Docker Desktop for mac 2.2.0.5 (43884)

Engine: 19.03.8
Compose 1.25.4

I want to run jenkins to study some pipeline stuff, so this is my ´docker-compose.yml´

version: "3.2"

services:
  jenkins:

    build: 
      dockerfile: dockerfile
      context: ./build

    ports:
      - "8080:8080"
      - "50000:50000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/var/jenkins_home

First problem is that the image that i'm using jenkins/jenkins:lts does not have a docker client installed, so even mapping the socket through volumes I can't use docker version the output of this command is bash: docker: command not found .

This is my pipeline just for test (from jenkins documentation):

pipeline {
    agent { docker { image 'node:6.3' } }
    stages {
        stage('build') {
            steps {
                sh 'npm --version'
            }
        }
    }
}

So through this plugin https://plugins.jenkins.io/docker-plugin/ I can go to "Manage Jenkins > Manage Nodes and Clouds > Configure Clouds > Add a new cloud" and on "Docker Cloud details..."

I have the Host URI where I can put "unix:///var/run/docker.sock" that it will use the docker from my host macos to do what jenkins need to do.

I tried all the suggestion from the internet, from create the jenkins user, docker user, put jenkins user on docker group e other stuff but none of them work on the mac.

The big majority of the asked questions is for linux and all of them seems to have solved the problem, but when I try to replicate on the macos it just don't work.

Maybe there is some step that I'm missing, or people already know that they have to do in some of the steps, but i'm failing miserably.

Some of the steps that I tried:

create use user and group jenkins:

sudo dscl . create /Users/jenkins UniqueID 1000 PrimaryGroupID 1000
sudo dscl . create /Groups/jenkins gid 1000

created the group docker:

sudo dscl . create /Groups/docker gid 1001

Added the jenkins user to the docker group

sudo dscl . append /Groups/docker GroupMembership jenkins

Checked if the user really is on the group

$ dsmemberutil checkmembership -u 1000 -g 1001
user is a member of the group

Tried to change the owner of the socket from inside the jenkins container (that's why I was building the image, but it didn't work)

Tried to changer the ownership of the socket on the host macos but it just don't change. The socket is always with those permissions.

lrwxr-xr-x 1 root daemon 68B Apr 28 10:14 docker.sock -> /Users/metasix/Library/Containers/com.docker.docker/Data/docker.sock

Answer 1

For jenkins, the best is to have agents that will run all jobs and the master that will only do the orchestration jobs.

Some years ago, I build an JNLP agent that register itself to jenkins master, you can check my repo here: https://github.com/jmaitrehenry/docker-jenkins-jnlp As I say, I made it like 3 years ago and may be a bit outdated.

About your problem, you need to know that Docker for Mac run containers inside a little VM, so when you add a user on MacOS, the VM doesn't have it. And Docker for Mac do a lot a magic to map uid inside your mac with some uid inside containers.

You can try to add the docker client inside your Dockerfile, for that, try to add those steps:

FROM jenkins/jenkins:lts
[...]

# Switch to root as the base image switch to jenkins user
USER root

# Download docker-cli and install it
RUN curl -o docker-ce-cli.deb https://download.docker.com/linux/debian/dists/stretch/pool/stable/amd64/docker-ce-cli_19.03.8~3-0~debian-stretch_amd64.deb && \
    dpkg -i docker-ce-cli.deb && \
    rm docker-ce-cli.deb

# Switch back to jenkins user
USER jenkins

Answer 2

You need to enable host mode networking by adding network: host to your compose file:

services:
  jenkins:

    build: 
      dockerfile: dockerfile
      context: ./build
      network: host

    ports:
      - "8080:8080"
      - "50000:50000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/var/jenkins_home

This will allow your guest docker container to see the hosts network. The problem is that Docker Desktop for MacOS doesn't support listening over the TCP port. There is a known workaround by using socat. https://www.ivankrizsan.se/2016/05/21/docker-api-over-http-on-mac-os-x-with-docker-for-mac-beta/ . Once you have socat set up to route from the docker.socker to TCP 2376 set your Host URI to tcp://0.0.0.0:2376. And of course you will need to create a new Dockerfile to extend the jenkins/jenkins:lts one with FROM jenkins/jenkins:lts and add Docker to the container as suggested in another answer

Answer 3

I ran into the same issue. jenkins user was not able to run docker commands even after adding the user to docker group.

When I checked the permissions on the host machine (MacOS), docker.sock file was owned by root:daemon .

ls -lart /var/run/docker.sock
lrwxr-x--x  1 root  daemon  37 Feb  1 14:56 /var/run/docker.sock -> /Users/....

I updated the permissions to 755 and it started working. I am able to run the docker commands on the container as jenkins user.

Please change the host file permissions only for development environment.