In this blog post, we use the “Docker out of Docker” approach to build Docker images in our containerized Jenkins slaves. We look into a problem commonly encountered with that approach, especially when reusing a Docker image on another Kubernetes cluster.
We got the following error when running Docker inside a Jenkins slave container.
In summary, for the “Docker out of Docker” approach, the basic requirements to enable building Docker images in a containerized Jenkins slave are:
- You’ll need to mount “/var/run/docker.sock” as a volume at “/var/run/docker.sock”.
- docker CLI installed in the containerized Jenkins slave.
- Make sure “/var/run/docker.sock” has the right permission inside the Jenkins slave container: readable by the current user (e.g., user jenkins), or with that user in the “docker” group.
The direct cause of the above error message “Cannot connect to the Docker daemon” is that the socket “/var/run/docker.sock” to the docker daemon on that Jenkins slave does not have the right permission for the current user (jenkins in the example).
By convention, the read permission to that Unix domain socket “/var/run/docker.sock” is given to root user or users in
The following commands verify that it is not:
The expected output of the above ls command is as follows:
The root cause of the problem is that the Docker image of the Jenkins slave was built inside another Kubernetes cluster (see example Dockerfile below). docker happens to have the group ID 999 on that Kubernetes cluster.
For illustration, the Docker installation steps in Ubuntu are similar:
The last step usermod comes from the Docker documentation itself: “If you would like to use Docker as a non-root user, you should now consider adding your user to the “docker” group”.
To resolve the problem, simply enter the Docker image and update its /etc/group file with the correct GID for
In the example above, the line “docker:x:999:jenkins” should be updated to “docker:x:992:jenkins” to make it work.
It’s recommended to run docker commit to save the modified container as a new Docker image and push it to the Docker registry (similar process in this post).
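A way to confirm the GID mismatch described above from inside the Jenkins slave container, before or after editing /etc/group. This is an added example, not code from the original post. The function names and verdict strings (GID_MISMATCH, OK, and so on) are assumptions made for illustration, and it assumes a Linux image with awk and a stat that supports -c.

```shell
#!/bin/sh
# Added example: compare the GID that owns the mounted socket with the GID
# that the image's /etc/group assigns to the "docker" group.

# Print the GID recorded for a group in an /etc/group-format file.
group_gid() {  # usage: group_gid <group> [group-file]
    awk -F: -v g="$1" '$1 == g { print $3; found = 1; exit }
                       END { exit !found }' "${2:-/etc/group}"
}

# Print the numeric GID that owns a path, as seen inside the container.
path_gid() { stat -c '%g' "$1" 2>/dev/null; }

# Succeed if <user> is listed as a member of <group> in the group file.
user_in_group() {  # usage: user_in_group <user> <group> [group-file]
    awk -F: -v u="$1" -v g="$2" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "${3:-/etc/group}"
}

# Print a one-line verdict; return 0 only when the user can reach the socket
# through the docker group (hypothetical helper, names are assumptions).
check_docker_sock() {  # usage: check_docker_sock <user> [socket] [group-file]
    sock=${2:-/var/run/docker.sock}
    gfile=${3:-/etc/group}
    sock_gid=$(path_gid "$sock") || { echo "NO_SOCKET $sock"; return 2; }
    image_gid=$(group_gid docker "$gfile") || { echo "NO_DOCKER_GROUP"; return 3; }
    if [ "$sock_gid" != "$image_gid" ]; then
        # The image was built where "docker" had a different GID than on this host.
        echo "GID_MISMATCH socket=$sock_gid image=$image_gid"
        return 1
    fi
    user_in_group "$1" docker "$gfile" || { echo "USER_NOT_IN_GROUP $1"; return 4; }
    echo "OK gid=$sock_gid"
}

# Usage inside the container:  check_docker_sock jenkins
```

With the values in this post, the check would print GID_MISMATCH socket=992 image=999 until the /etc/group line is corrected. Running it when the container starts makes an image reused on another cluster fail with a clear message instead of “Cannot connect to the Docker daemon”.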