1

As part of the Jenkins docker image, I am supposed to install the docker client (only), which can talk to the docker daemon installed on the underlying EC2 instance.

UNIX socket, I mean socket(AF_UNIX,,)


Background

As per the instructions given here, I do not see the necessity to install the docker daemon within the jenkins image, because the author is using a UNIX socket to talk to the underlying docker daemon running in the EC2 instance, as shown here.

My understanding is that installing the docker client (only) within the jenkins image would suffice to talk to the docker daemon running on the EC2 instance, using the UNIX socket (/var/run/docker.sock).


1) Can the docker client running in the jenkins image communicate with the docker daemon running in the underlying EC2 instance, with the mapping below?

```yaml
volumes:
    - /var/run/docker.sock:/var/run/docker.sock
```

2) How do I install the docker client only in the jenkins image below?

```dockerfile
FROM jenkins:1.642.1

# Suppress apt installation warnings
ENV DEBIAN_FRONTEND=noninteractive

# Official Jenkins image does not include sudo, change to root user
USER root

# Used to set the docker group ID
# Set to 497 by default, which is the groupID used by AWS Linux ECS instance
ARG DOCKER_GID=497

# Create Docker Group with GID
# Set default value of 497 if DOCKER_GID set to blank string by Docker compose
RUN groupadd -g ${DOCKER_GID:-497} docker
```
overexchange
  • The Jenkins documentation has [instructions for making use of Docker](https://jenkins.io/doc/book/installing/#docker). The bind mount you show is correct, but hard-coding a host group ID in a Dockerfile is not. The `docker` binary contains both the client and the daemon; it is not strictly necessary to interact with the host Docker, but at the least any `sh 'docker ...'` command will require it, and I'd suggest just installing it. – David Maze Nov 01 '19 at 10:29
  • Does this answer your question? [Jenkins Docker Container can't access docker.sock](https://stackoverflow.com/questions/41875503/jenkins-docker-container-cant-access-docker-sock) – masseyb Nov 01 '19 at 11:18
  • @DavidMaze In this syntax: `-v /var/run/docker.sock:/var/run/docker.sock` the first socket file belongs to ec2, the second socket file belongs to the container (mount point)... For this volume binding... would installing `docker-ce-cli` in the jenkins image not suffice? – overexchange Nov 01 '19 at 14:22
  • You explicitly need the `-v` mount. (Remember, having access to that socket lets you trivially take over the host; it is not available by default.) Just installing the package would be the equivalent of, say, installing `mysql-client` but not having a running database anywhere; the program would start but couldn't connect to anything. – David Maze Nov 01 '19 at 14:25
  • @DavidMaze docker daemon is already running on ec2 host... my understanding is, first socket file in that binding syntax belongs to docker daemon running on ec2 host... Isn't it? – overexchange Nov 01 '19 at 15:02
  • @DavidMaze My question is... Why do we need to install the docker daemon in the jenkins image, when it is already running on the ec2 host? In my query... this is the code I shared from github – overexchange Nov 01 '19 at 15:57
  • You don't specifically need to install the Docker daemon, except that the `docker` daemon and CLI client are the same binary. – David Maze Nov 01 '19 at 15:59

2 Answers

1

To use Docker in Jenkins, Jenkins must have access to the docker.sock.

What you are proposing here is a docker in docker approach, by installing docker inside the jenkins container, but actually this is not necessary. You only need a valid docker daemon, and for that reason, the usual approach is to map /var/run/docker.sock from the host to the container.

Have a look at this amazing post https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/

  • 1) In `jenkins/jenkins:2.190.1` image, Is docker daemon installed? 2) what does anonymous volume created on ec2 for container's mount point(`/var/run/docker.sock`) mean? In your code.. – overexchange Nov 01 '19 at 17:44
  • Can we have private chat room discussion about your production code? I am confused with volume usage for socket file...in your code – overexchange Nov 01 '19 at 17:49
  • Can you elaborate on behind-the-scene working/usage of `- /var/run/docker.sock`? When you say docker plugin, is it docker client? How does anonymous volume created in ec2(docker host) be used? – overexchange Nov 01 '19 at 17:58
  • @overexchange I just noticed that this instance of jenkins is actually the master and doesn't run any container. In fact, as you are wondering, that volume isn't even doing anything because it is wrongly mapped... so yes, you need to map it. Editing the answer. –  Nov 01 '19 at 21:06
0

You need to install docker inside the jenkins image then bind mount the /var/run/docker.sock so that you can run side car containers as explained in Jérôme Petazzoni's blog post on the subject. This is my jenkins Dockerfile:

```dockerfile
FROM jenkins/jenkins:lts

# Package installation needs root; the image drops back to jenkins at the end
USER root
RUN apt-get update && \
    apt-get install -y \
        maven \
        apt-transport-https \
        ca-certificates \
        curl \
        gnupg-agent \
        lsb-release \
        software-properties-common

# Trust Docker's package signing key (Debian path, matching the repository below)
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -

# Add Docker's apt repository for this Debian release
RUN add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/debian \
    $(lsb_release -cs) \
    stable"

RUN apt-get update && \
    apt-get install -y \
        docker-ce \
        docker-ce-cli \
        containerd.io

# Let the jenkins user use the docker group
RUN usermod -a -G docker jenkins

COPY plugins.txt /usr/share/jenkins/plugins.txt
RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/plugins.txt

USER jenkins
WORKDIR /var/jenkins_home
```

Note: you can install your plugins during the build using the plugins.sh as explained here.

Build the jenkins image, i.e.: `docker build --rm -t so:58652650 .`

Run the container mounting /var/run/docker.sock, i.e.: `docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock --entrypoint bash so:58652650`

Inside the image as the jenkins user the docker commands should work as expected (screenshot: docker in jenkins docker container).

masseyb
  • Why are you installing `docker-ce`? Jenkins image just need docker client (`docker-ce-cli`)... Isn't it? – overexchange Nov 01 '19 at 14:05
  • In this syntax: `-v /var/run/docker.sock:/var/run/docker.sock` the first socket file belongs to ec2, the second socket file belongs to the container (mount point)... For this volume binding... would installing `docker-ce-cli` not suffice? – overexchange Nov 01 '19 at 14:14
  • The `docker` group is created during the `docker-ce` installation, the `RUN usermod -a -G docker jenkins` will fail if the package is not installed. You don't need to run the `docker` daemon inside the container. – masseyb Nov 03 '19 at 11:07
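
An added example, not from the question or either answer, of what the bind mount discussed above provides: a client is an HTTP client speaking over an AF_UNIX socket file, and whether it may connect is decided by that file's owner, group and mode, which is why the numeric docker GID has to match. The stub daemon and its reply are constructed so the code runs without Docker; `api_get`, `can_connect` and `start_stub_daemon` are names chosen for this example.

```python
import http.client, json, os, socket, stat, threading

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over an AF_UNIX socket path, which is how the docker CLI reaches dockerd."""
    def __init__(self, path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.unix_path = path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)

def api_get(sock_path, url):
    """GET an Engine API path such as /version through the socket file."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", url)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()

def can_connect(sock_path, uid, gids):
    """On Linux, connect() needs write permission on the socket file."""
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return False
    if uid == 0:                      # root bypasses the mode bits
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:             # why the numeric docker GID must match
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def start_stub_daemon(sock_path, mode=0o660):
    """Constructed stand-in for dockerd: serves one fixed JSON reply."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, mode)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)               # read and ignore the request
        body = b'{"Version": "stub"}'
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
```

Inside a container with the socket bind-mounted, `can_connect("/var/run/docker.sock", os.getuid(), set(os.getgroups()))` shows whether the jenkins user's groups line up with the host's socket group.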