Jenkins代理(Jnlp)被拒绝了/var/run/docker.sock对kubernetes的许可

Question

我通过Helm图表(jenkins-helm:3.11.4)将Jenkins部署在本地Kubernetes集群(牧场主桌面)上。我在jenkins/inbound-agent映像上安装了对接器，因为它不包括在我使用默认Jenkins-控制器映像的地方。当我在本地管道中运行docker命令时，将得到一个权限错误，如下所示。

我知道，问题是对/var/run/.docker.sock文件夹的权限，但是我无法修复它，而且真的被卡住了。我试图将command:["sh","-c","chmod 777 /var/run/.docker.sock ]添加到values.yaml中的代理中，但这次jenkins没有正常启动和运行。我试图将RUN usermod -aG docker jenkins添加到Dockerfile中，但仍然一样。

jenkins@default-cnmq7:~/agent$ id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins),0(root)
jenkins@default-cnmq7:~/agent$ grep docker /etc/group
docker:x:107:

那么，如何通过Jenkins代理pod的舵图授予该文件夹的权限呢？或者解决这个问题的正确解决方案是什么。

node {
  stage('SCM') {
    checkout(scm)
  }
  stage('Build') {
    echo 'Building Project'
    sh """
      docker pull alpine
    """
  }
}

 [Pipeline] sh
    + docker pull alpine
    Using default tag: latest
    Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/create?fromImage=alpine&tag=latest": dial unix /var/run/docker.sock: connect: permission denied

values.yaml

    controller:
      componentName: "jenkins-controller"
      image: "jenkins"
      # tag: "2.319.3-jdk11"
      tagLabel: jdk11
      imagePullPolicy: "Always"
      imagePullSecretName:
      javaOpts: "-Xms512m -Xmx2048m" 
      jenkinsUrl: "http://localhost:8080"
    agent:
      enabled: true
      defaultsProviderTemplate: ""
      # URL for connecting to the Jenkins contoller
      jenkinsUrl:
      jenkinsTunnel:
      image: "jenkins/inbound-agent"
      tag: "4.11.2-5"
      workingDir: "/home/jenkins/agent"
      nodeUsageMode: "NORMAL"
      componentName: "jenkins-agent"
      websocket: false
      privileged: true
      runAsUser: 
      runAsGroup:
      alwaysPullImage: true
      podRetention: "Never"
      volumes:
      - type: HostPath
        hostPath: /Users/username/workspace
        mountPath: /Users/username/workspace
      - type: HostPath
        hostPath: /var/run/docker.sock
        mountPath: /var/run/docker.sock
      command:
      args: "${computer.jnlpmac} ${computer.name}"

jenkins代理的Dockerfile

FROM jenkins/inbound-agent:4.11.2-4
USER root
RUN set -eux && \
    apt-get update && \
    apt-get install -y curl sudo docker.io docker-compose && \
    curl -sS https://raw.githubusercontent.com/HariSekhon/bash-tools/master/clean_caches.sh | sh
RUN usermod -aG docker jenkins
USER jenkins

Answer 1

首先从主机处找到停靠者的组号

$ grep docker /etc/group
docker:x:999:

然后在Dockerfile中创建一个用户，它的组与docker组id相同。

RUN groupadd -g 999 tech
RUN useradd -g tech tech
USER tech