4
votes

I'm trying to build a simple pipeline on my personal PC. I have Jenkins ver. 2.32.2 installed and running. Below is the job DSL for my pipeline:

node {
    stage('Github Checkout') {
        checkout([$class: 'GitSCM', branches: [[name: '*/master']], doGenerateSubmoduleConfigurations: false, extensions: [], submoduleCfg: [], userRemoteConfigs: [[credentialsId: '921fd840-1d71-4b06-bf5e-1c6f3141f669', url: '[email protected]:justinsr20/tdd_django.git']]])
    }
    stage('Build container image') {
        sh 'whoami'
    }
    stage('Build container image') {
        sh 'pwd'
    }
    stage('Build container image') {
        sh 'ls -l'
    }

    stage('Build container image') {
        sh 'docker build -t jenkins/django:v1 -t jenkins/django:latest .'
    }
}

I have docker installed and I have the jenkins user in the docker group:

[root@localhost bin]# grep 'docker' /etc/group
docker:x:977:judd,jenkins

The weird thing is that jenkins gives me the below permission error when trying to run the docker build command in my defined pipeline above:

[workspace] Running shell script
+ whoami
jenkins
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Build container image)
[Pipeline] sh
[workspace] Running shell script
+ pwd
/var/lib/jenkins/jobs/tdd_django/workspace
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Build container image)
[Pipeline] sh
[workspace] Running shell script
+ ls -l
total 20
drwxr-xr-x. 3 jenkins jenkins 4096 Feb 10 11:11 django_app
-rw-r--r--. 1 jenkins jenkins   97 Feb 10 12:37 Dockerfile
-rw-r--r--. 1 jenkins jenkins   15 Feb 10 11:11 requirements.txt
-rw-r--r--. 1 jenkins jenkins   66 Feb 10 11:11 run_tests.sh
-rwxr-xr-x. 1 jenkins jenkins   69 Feb 10 12:48 script.sh
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Build container image)
[Pipeline] sh
[workspace] Running shell script
+ docker build -t jenkins/django:v1 -t jenkins/django:latest .
/var/lib/jenkins/jobs/tdd_django/workspace@tmp/durable-77854956/script.sh: line 2: /bin/docker: Permission denied

My docker permissions:

bash-4.3$ which docker
/bin/docker
bash-4.3$ ls -la /bin/docker
-rwxr-xr-x. 1 root root 12056512 Feb  8 16:44 /bin/docker

But when I open a shell session as the jenkins user I can run the command with no problems:

[root@localhost bin]# sudo su -s /bin/bash jenkins
bash-4.3$ cd /var/lib/jenkins/jobs/tdd_django/workspace
bash-4.3$ ls
django_app  Dockerfile  requirements.txt  run_tests.sh  script.sh
bash-4.3$ docker build -t jenkins/django:v1 -t jenkins/django:latest .
Sending build context to Docker daemon  76.8 kB
Step 1/3 : FROM python:2.7-onbuild
# Executing 3 build triggers...
Step 1/1 : COPY requirements.txt /usr/src/app/
 ---> Using cache
Step 1/1 : RUN pip install --no-cache-dir -r requirements.txt
 ---> Using cache
Step 1/1 : COPY . /usr/src/app
 ---> Using cache
 ---> fb9aa7078336
Step 2/3 : LABEL maintainer "CMI Industries"
 ---> Using cache
 ---> c1888038ffa2
Step 3/3 : RUN chmod +x /usr/src/app/run_tests.sh
 ---> Using cache
 ---> 8e61860e0567
Successfully built 8e61860e0567

Any help would be greatly appreciated.

EDIT update:

So if issues.jenkins-ci.org/browse/JENKINS-24338 is related, I need to modify how the docker service is started. I start my docker service using:

systemctl start docker

To find the config files for this command I used:

[root@localhost system]# systemctl show --property=FragmentPath docker
FragmentPath=/usr/lib/systemd/system/docker.service

And the contents of this file:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target firewalld.service

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target

I'm not sure how I need to modify this file so that I "configure docker service to apply 'jenkins' group ownership to the socket, rather than adding jenkins user to the default-used 'docker' group" as explained in issues.jenkins-ci.org/browse/JENKINS-24338.

1
What if you use sh instead of bash in your sudo test? - BMitch
[root@localhost bin]# sudo su -s /bin/sh jenkins sh-4.3$ type docker docker is /bin/docker - Justin S
You've checked all the obvious things and it should work. I'm seeing an selinux bit set on the directory listing, if it's not disabled, I'd try that next. - BMitch
Hey Nehal, I think you might be on to something with that post. I'm just not sure how to modify /usr/lib/systemd/system/docker.service for Fedora, as the last comment mentions it for CentOS but I don't have a SocketGroup setting in that file. I have edited the main post. - Justin S

1 Answer

1
votes

Seems like you ran into selinux. Running the command sestatus will let you know what mode it is in. In your case that would be enforcing.

In order to gain more information on what rules you would need to add to make selinux happy, I would suggest you set selinux to permissive by editing this file: /etc/sysconfig/selinux then rebooting. I believe that there also is a way to change mode without reboot (although it's not permanent).

Once selinux is in permissive mode (it will only log and not block), you can tail the logs in /var/log/audit/audit.log while you run your jenkins job. This should give you an idea of what permissions it requires.
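
As an added example (not part of the original answer), here is one way to condense the AVC denials that permissive mode writes to audit.log into a short list of what was denied, by which process, and between which SELinux types. The function names and the sample records are constructed for illustration; the contexts on a real host will differ.

```shell
#!/usr/bin/env bash
# Constructed sample audit records (not taken from the post). The SELinux
# types shown are illustrative only.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1486730401.112:901): avc:  denied  { execute } for  pid=4121 comm="script.sh" name="docker" dev="dm-0" ino=393301 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:docker_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1486730401.112:901): arch=c000003e syscall=59 success=yes exit=0 comm="script.sh" exe="/usr/bin/bash"
type=AVC msg=audit(1486730409.530:917): avc:  denied  { execute } for  pid=4188 comm="script.sh" name="docker" dev="dm-0" ino=393301 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:docker_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486730409.702:918): avc:  denied  { connectto } for  pid=4188 comm="docker" path="/run/docker.sock" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket permissive=1
type=USER_START msg=audit(1486730410.001:919): pid=4200 uid=0 auid=1000 msg='op=PAM:session_open acct="root" res=success'
EOF
}

# Read audit records from the given file(s) or stdin and print one line per
# distinct denial: "<count> <comm> <source type> -> <target type> <class> {<perms>}"
# On a real host (as root): summarize_avc /var/log/audit/audit.log
summarize_avc() {
  awk '
    # Return the value of a key=value field on the current record.
    function val(key,    i, n) {
      n = length(key) + 1
      for (i = 1; i <= NF; i++)
        if (substr($i, 1, n) == key "=") return substr($i, n + 1)
      return "?"
    }
    /^type=AVC / && /avc: +denied/ {
      perms = $0
      sub(/^.*[{] */, "", perms)      # drop everything up to "{ "
      sub(/ *[}].*$/, "", perms)      # drop " }" and the rest
      split(val("scontext"), s, ":")  # user:role:type:level
      split(val("tcontext"), t, ":")
      comm = val("comm"); gsub(/"/, "", comm)
      count[comm " " s[3] " -> " t[3] " " val("tclass") " {" perms "}"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' "$@" | sort -k1,1nr -k2
}

sample_audit_log | summarize_avc
```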