Jenkins 'execute script' build step error: /bin/docker: Permission denied

I am trying to set up a simple pipeline on my personal computer. I have Jenkins ver. 2.32.2 installed and running. Below is the job DSL for my pipeline:

    node {
        stage('Github Checkout') {
            checkout([$class: 'GitSCM',
                      branches: [[name: '*/master']],
                      doGenerateSubmoduleConfigurations: false,
                      extensions: [],
                      submoduleCfg: [],
                      userRemoteConfigs: [[credentialsId: '921fd840-1d71-4b06-bf5e-1c6f3141f669',
                                           url: 'git@github.com:justinsr20/tdd_django.git']]])
        }
        stage('Build containter image') {
            sh 'whoami'
        }
        stage('Build containter image') {
            sh 'pwd'
        }
        stage('Build containter image') {
            sh 'ls -l'
        }
        stage('Build containter image') {
            sh 'docker build -t jenkins/django:v1 -t jenkins/django:latest .'
        }
    }

I have Docker installed, and I have the jenkins user in the docker group:

    [root@localhost bin]# grep 'docker' /etc/group
    docker:x:977:judd,jenkins

The strange thing is that when I try to run the docker build command in the pipeline defined above, Jenkins gives me the following permission error:

    [workspace] Running shell script
    + whoami
    jenkins
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] stage
    [Pipeline] { (Build containter image)
    [Pipeline] sh
    [workspace] Running shell script
    + pwd
    /var/lib/jenkins/jobs/tdd_django/workspace
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] stage
    [Pipeline] { (Build containter image)
    [Pipeline] sh
    [workspace] Running shell script
    + ls -l
    total 20
    drwxr-xr-x. 3 jenkins jenkins 4096 Feb 10 11:11 django_app
    -rw-r--r--. 1 jenkins jenkins   97 Feb 10 12:37 Dockerfile
    -rw-r--r--. 1 jenkins jenkins   15 Feb 10 11:11 requirements.txt
    -rw-r--r--. 1 jenkins jenkins   66 Feb 10 11:11 run_tests.sh
    -rwxr-xr-x. 1 jenkins jenkins   69 Feb 10 12:48 script.sh
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] stage
    [Pipeline] { (Build containter image)
    [Pipeline] sh
    [workspace] Running shell script
    + docker build -t jenkins/django:v1 -t jenkins/django:latest .
    /var/lib/jenkins/jobs/tdd_django/workspace@tmp/durable-77854956/script.sh: line 2: /bin/docker: Permission denied

My docker permissions:

    bash-4.3$ which docker
    /bin/docker
    bash-4.3$ ls -la /bin/docker
    -rwxr-xr-x. 1 root root 12056512 Feb 8 16:44 /bin/docker

But when I open a shell session as the jenkins user, I can run the command without any problem:

    [root@localhost bin]# sudo su -s /bin/bash jenkins
    bash-4.3$ cd /var/lib/jenkins/jobs/tdd_django/workspace
    bash-4.3$ ls
    django_app  Dockerfile  requirements.txt  run_tests.sh  script.sh
    bash-4.3$ docker build -t jenkins/django:v1 -t jenkins/django:latest .
    Sending build context to Docker daemon 76.8 kB
    Step 1/3 : FROM python:2.7-onbuild
    # Executing 3 build triggers...
    Step 1/1 : COPY requirements.txt /usr/src/app/
     ---> Using cache
    Step 1/1 : RUN pip install --no-cache-dir -r requirements.txt
     ---> Using cache
    Step 1/1 : COPY . /usr/src/app
     ---> Using cache
     ---> fb9aa7078336
    Step 2/3 : LABEL maintainer "CMI Industries"
     ---> Using cache
     ---> c1888038ffa2
    Step 3/3 : RUN chmod +x /usr/src/app/run_tests.sh
     ---> Using cache
     ---> 8e61860e0567
    Successfully built 8e61860e0567

Any help would be greatly appreciated.

Edit / update:

So if issues.jenkins-ci.org/browse/JENKINS-24338 is relevant, I need to modify how the docker service is started. I start my docker service using:

    systemctl start docker

I found the configuration file for it using this command:

    [root@localhost system]# systemctl show --property=FragmentPath docker
    FragmentPath=/usr/lib/systemd/system/docker.service

And the contents of this file:

    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network.target firewalld.service

    [Service]
    Type=notify
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    ExecStart=/usr/bin/dockerd
    ExecReload=/bin/kill -s HUP $MAINPID
    # Having non-zero Limit*s causes performance problems due to accounting overhead
    # in the kernel. We recommend using cgroups to do container-local accounting.
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    # Uncomment TasksMax if your systemd version supports it.
    # Only systemd 226 and above support this version.
    #TasksMax=infinity
    TimeoutStartSec=0
    # set delegate yes so that systemd does not reset the cgroups of docker containers
    Delegate=yes
    # kill only the docker process, not all processes in the cgroup
    KillMode=process

    [Install]
    WantedBy=multi-user.target

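I don't know how I need to modify this file so that I "configure the docker service to apply 'jenkins' group ownership to the socket, rather than adding the jenkins user to the 'docker' group used by default", as explained in issues.jenkins-ci.org/browse/JENKINS-24338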

It looks like you have run into SELinux. Running the command sestatus will tell you which mode it is in. In your case, it will be enforcing.

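To get more information about the rules that need to be added for SELinux, I suggest you set SELinux to permissive by editing the file /etc/sysconfig/selinux and then rebooting. I believe there is also a way to change the mode without rebooting (although it is not permanent).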

Once SELinux is in permissive mode (it will only log rather than block), you can look at the log in /var/log/audit/audit.log while running the Jenkins job. This should tell you what permissions it needs.