
We have been tasked with setting up a container-based Jenkins deployment, and there is strong pressure to do this in AKS. Our Jenkins needs to be able to build other containers. Normally I'd handle this with a docker-in-docker approach by mounting /var/run/docker.sock & /usr/bin/docker into my running container.

I do not know if this is possible in AKS or not. Some forum posts on GitHub suggest that host-mounting is possible but broken in the latest AKS release. My limited experimentation with a Helm chart was met with this error:

Error: release jenkins4 failed: Deployment.apps "jenkins" is invalid:
[spec.template.spec.initContainers[0].volumeMounts[0].name: Required 
value, spec.template.spec.initContainers[0].volumeMounts[0].name: Not 
found: ""]

The change I made was to update the volumeMounts: section of jenkins-master-deployment.yaml and include the following:

  -
  type: HostPath
  hostPath: /var/run/docker.sock
  mountPath: /var/run/docker.sock

Is what I'm trying to do even possible based on AKS security settings, or did I just mess up my chart?

If it's not possible to mount the docker socket into a container in AKS, that's fine, I just need a definitive answer.

Thanks,

W. Kokolis

2 Answers


Well, we did this a while back for VSTS (cloud TFS, now called Azure DevOps) build agents, so it should be possible. The way we did it is also with mounting the docker.sock.

The relevant part for us was:

    ... container spec ...
    volumeMounts:
    - mountPath: /var/run/docker.sock
      name: docker-volume
  volumes:
  - name: docker-volume
    hostPath:
      path: /var/run/docker.sock
Denis Biondic
  • I think right now AKS is not allowing mounting of docker.sock as they are deprecating docker and using only containerd for management of container runtime. Currently I do not see a way to run Jenkins in AKS and build docker containers (docker-in-docker) but perhaps someone has a hint on how to accomplish this? – Dex Nov 16 '21 at 10:25

I have achieved the requirement using the following manifests.

Our k8s manifest file carries this securityContext under the pod definition.

securityContext:
 privileged: true

In our Dockerfile we were installing Docker-inside-Docker this way:

FROM ubuntu:18.04
RUN apt-get update
RUN apt-get install curl wget -y
RUN apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release -y
# Add Docker's apt signing key and package repository
RUN mkdir -p /etc/apt/keyrings
RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg

RUN echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install the Docker engine, CLI and containerd inside the image
RUN apt-get update
RUN apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
# Last lines of the Dockerfile: copy the startup script to / (no WORKDIR is set)
# and run it. Only the last CMD in a Dockerfile takes effect, so there is a single CMD.
COPY ./agent_startup.sh .
RUN chmod +x /agent_startup.sh
CMD ["./agent_startup.sh"]

Content of the agent_startup.sh file:

#!/bin/bash
echo "DOCKER STARTS HERE"
# List all init scripts and their state, to confirm the docker service is installed
service --status-all
# Start the Docker daemon inside the (privileged) container
service docker start
# Confirm the CLI can reach the daemon
docker version
docker ps
echo "DOCKER ENDS HERE"
# Keep the container alive so the daemon stays up
sleep 100000

Sample k8s file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: build-agent
  labels:
    app: build-agent
spec:
  replicas: 1
  selector:
    matchLabels:
      app: build-agent
  template:
    metadata:
      labels:
        app: build-agent
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: build-agent
          image: myecr-repo.azurecr.io/buildagent
          securityContext:
            privileged: true

When the Dockerized agent pool was up, the Docker daemon was running inside the Docker container.

My kubectl version:

PS D:\Temp\temp> kubectl.exe version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.25.2
Kustomize Version: v4.5.7
Server Version: v1.22.6
WARNING: version difference between client (1.25) and server (1.22) exceeds the supported minor version skew of +/-1

Pod shell output:

root@**********-bcd967987-52wrv:/# docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

**Disclaimer: Our Kubernetes cluster version is 1.22, the base image is Ubuntu 18.04, and this was tested only to check that docker-inside-docker is running; the agent was not registered with Azure DevOps. You can modify the startup script according to your needs.**

iamattiq1991
  • It's not working for us; I tried the same configuration as you provided. Our AKS version is 1.22 and the Ubuntu version I used is 18.0.4 – Vowneee Nov 15 '22 at 13:44
  • Can you put the error you are getting here so I can take a look? – iamattiq1991 Nov 15 '22 at 13:56
  • # service docker status * Docker is not running # service docker start * Starting Docker: docker [ OK ] # service docker status * Docker is not running # docker image ls Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? – Vowneee Nov 15 '22 at 14:01
  • I have posted one question with the files which I tried here. https://stackoverflow.com/questions/74446580/run-docker-inside-docker-container-in-aks – Vowneee Nov 15 '22 at 14:04
  • I have tested changes and they are working for me. Updated my answer with latest changes – iamattiq1991 Nov 15 '22 at 16:07
  • So you made changes only to the agent_startup script? And it worked for you? – Vowneee Nov 15 '22 at 20:39
  • I have not made any major change in agent_startup script. Just added this line service --status-all to check if all services are loaded. You can use the dockerfile provided in answer and give it a try and it hopefully would work. I just tested on AKS and docker-inside-docker is working for me. – iamattiq1991 Nov 15 '22 at 20:51
  • Thanks for clarifying, I will try this solution. Just to understand here: how exactly is the Docker socket functioning, as the AKS node itself doesn't have the Docker runtime? Are there any security issues with doing this workaround, or is it the recommended way? – Vowneee Nov 15 '22 at 21:16
  • I am running the pod with privileged mode. You can read more about security context privileged mode here. https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ https://learn.microsoft.com/en-us/azure/aks/use-pod-security-policies Also feel free to accept the answer if that solves your problem :) – iamattiq1991 Nov 15 '22 at 21:25
  • Yes, this workaround worked for me. The Docker service is running inside the container. But when I tried the docker image build inside this agent pod, I got the error below, while the same is working in other VM agents – Vowneee Nov 16 '22 at 11:31
  • Step 2/19 : MAINTAINER 1 error creating aufs mount to /var/lib/docker/aufs/mnt/xx-init: mount target=/var/lib/docker/aufs/mnt/xx-init data=br:/var/lib/docker/aufs/diff/xx-init=rw:/var/lib/docker/aufs/diff/yvvv=ro+wh:/var/lib/docker/aufs/diff/eeeee=ro+wh:/var/lib/docker/aufs/diff/zzzz=ro+wh:/var/lib/docker/aufs/diff/ddddro+wh:/var/lib/docker/aufs/diff/hh=ro+wh:/var/lib/docker/aufs/diff/ggg=ro+wh,dio,xino=/dev/shm/aufs.xino: invalid argument ##[error]error creating aufs mount to /var/lib/docker/aufs/mnt/xx-init: m -----invalid argument – Vowneee Nov 16 '22 at 11:33
  • Did you try this link. As per comment section it seems the first solution worked for docker-inside-docker https://stackoverflow.com/questions/30984569/error-error-creating-aufs-mount-to-when-building-dockerfile – iamattiq1991 Nov 16 '22 at 19:52
  • Your main problem is solved at the moment. Running docker service inside container – iamattiq1991 Nov 16 '22 at 19:53
  • Yes, I removed the content of /var/lib/docker and no luck. Even though Docker is running, it's not capable of running the docker image build itself. – Vowneee Nov 16 '22 at 20:20
  • Is your issue resolved? – iamattiq1991 Nov 21 '22 at 19:19
  • No, Docker is not functioning; even the image build itself is failing with the above error. Also we have the requirement to run Maven plugin build steps, where existing pipelines used docker compose to create intermediate containers to fetch the data. Currently we are getting the errors below. Failed to execute goal com.dkanejs.maven.plugins:docker-compose-maven-plugin:4.0.0:up (up) on project acceptance-tests: Cannot run program "docker-compose": error=2, No such file or directory -> [Help 1] – Vowneee Nov 21 '22 at 20:33
  • 2022-11-21T05:17:35.495+0000 [main] WARN o.t.u.TestcontainersConfiguration Attempted to read Testcontainers configuration file at file:/root/.testcontainers.properties but the file was not found. Exception message: FileNotFoundException: /root/.testcontainers.properties (No such file or directory) 2022-11-21T05:17:37.148+0000 [main] INFO o.t.d.DockerClientProviderStrategy Found Docker environment with local Unix socket (unix:///var/run/docker.sock) 2022-11-21T05:17:37.159+0000 [main] INFO o.testcontainers.DockerClientFactory Docker host IP address is localhost – Vowneee Nov 21 '22 at 20:33
  • 2022-11-21T05:17:37.280+0000 [main] INFO o.t.utility.RegistryAuthLocator Failure when attempting to lookup auth config. Please ignore if you don't have images in an authenticated registry. Details: (dockerImageName: testcontainers/ryuk:latest, configFile: /root/.docker/config.json. Falling back to docker-java default behaviour. Exception message: /root/.docker/config.json (No such file or directory) – Vowneee Nov 21 '22 at 20:36
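An added audit script, written for this page and not taken from either answer or from the Jenkins Helm chart, that covers both the chart error in the question (a volumeMount without a name, which is what "volumeMounts[0].name: Required value" means) and the security question raised in the comments above about mounting docker.sock and running with privileged: true. The four embedded manifests are constructed JSON in the shape `kubectl get deployment -o json` prints; the container and volume names in them are illustrative.

```python
"""Audit Deployment manifests for the two problems discussed on this page:
a volumeMount that names no declared volume (the asker's chart error) and
pods that gain host container-runtime access through a hostPath mount of
the Docker socket or through privileged: true.  Input is the JSON form of
a manifest, i.e. the shape `kubectl get deployment <name> -o json` prints."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
SEVERITY = {"ok": 0, "medium": 1, "high": 2, "error": 3}


def pod_spec(manifest):
    """Return the pod spec of a Deployment (or of a bare Pod manifest)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def audit(manifest):
    """Return a list of (severity, message) findings for one manifest."""
    spec = pod_spec(manifest)
    volumes = {v.get("name"): v for v in spec.get("volumes", [])}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        for m in c.get("volumeMounts", []):
            name = m.get("name")
            if not name:
                # The asker's mistake: hostPath written under volumeMounts;
                # the API server reports 'name: Required value' for this.
                findings.append(("error", f"{cname}: volumeMount of "
                                 f"{m.get('mountPath')!r} has no name; hostPath "
                                 "belongs under spec.volumes, referenced by name"))
            elif name not in volumes:
                findings.append(("error", f"{cname}: volumeMount refers to "
                                 f"undeclared volume {name!r}"))
            else:
                host_path = volumes[name].get("hostPath", {}).get("path")
                if host_path == DOCKER_SOCKET:
                    findings.append(("high", f"{cname}: mounts the host Docker "
                                     f"socket {host_path} (full control of the "
                                     "node's container runtime)"))
                elif host_path:
                    findings.append(("medium", f"{cname}: hostPath mount of "
                                     f"{host_path}"))
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("high", f"{cname}: privileged: true (all "
                             "capabilities and host devices, effectively "
                             "root on the node)"))
    return findings


def worst(findings):
    """Highest severity in a findings list, 'ok' when there are none."""
    return max((s for s, _ in findings), key=SEVERITY.get, default="ok")


# Constructed sample manifests (not taken from any real cluster).
# 1. The asker's chart edit: hostPath under volumeMounts, no volume name.
BROKEN = json.loads("""{"kind": "Deployment", "spec": {"template": {"spec": {
  "initContainers": [{"name": "jenkins-init",
    "volumeMounts": [{"hostPath": "/var/run/docker.sock",
                      "mountPath": "/var/run/docker.sock"}]}],
  "containers": [{"name": "jenkins"}]}}}}""")
# 2. The first answer's approach: a named hostPath volume for docker.sock.
SOCKET_MOUNT = json.loads("""{"kind": "Deployment", "spec": {"template": {"spec": {
  "containers": [{"name": "agent",
    "volumeMounts": [{"name": "docker-volume",
                      "mountPath": "/var/run/docker.sock"}]}],
  "volumes": [{"name": "docker-volume",
               "hostPath": {"path": "/var/run/docker.sock"}}]}}}}""")
# 3. The second answer's approach: a privileged build agent.
PRIVILEGED = json.loads("""{"kind": "Deployment", "spec": {"template": {"spec": {
  "containers": [{"name": "build-agent",
    "image": "myecr-repo.azurecr.io/buildagent",
    "securityContext": {"privileged": true}}]}}}}""")
# 4. A pod that only uses an emptyDir workspace: nothing to report.
CLEAN = json.loads("""{"kind": "Deployment", "spec": {"template": {"spec": {
  "containers": [{"name": "agent",
    "volumeMounts": [{"name": "workspace", "mountPath": "/work"}]}],
  "volumes": [{"name": "workspace", "emptyDir": {}}]}}}}""")

if __name__ == "__main__":
    for label, manifest in [("asker's chart", BROKEN), ("answer 1", SOCKET_MOUNT),
                            ("answer 2", PRIVILEGED), ("emptyDir only", CLEAN)]:
        findings = audit(manifest)
        print(f"{label}: {worst(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it as-is to see the four verdicts, or load the output of `kubectl get deployments -A -o json` and call audit() on each entry of its items list. On the mitigation side, the Kubernetes Pod Security Admission baseline level rejects both hostPath volumes and privileged containers, so labelling a namespace with pod-security.kubernetes.io/enforce=baseline makes the cluster refuse both approaches discussed on this page; build agents that genuinely need them then have to live in a separately labelled namespace, which keeps the blast radius visible and deliberate.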