I have created a test container using the latest gitlab/gitlab-runner:latest image. I want to execute Docker commands within this container using the permissions of the gitlab-runner user.
Inside the container:
root@gitlab_runner:/# su gitlab-runner
gitlab-runner@gitlab_runner:/$ id
uid=999(gitlab-runner) gid=999(gitlab-runner) groups=999(gitlab-runner)
Executing docker info results in an error:
gitlab-runner@gitlab_runner:/$ docker info
Client:
Version: 24.0.5
Context: default
Debug Mode: false
Server:
ERROR: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": dial unix /var/run/docker.sock: connect: permission denied
errors pretty printing info
When using root privileges, executing docker info works as expected.
Outside the container:
The UID 999 corresponds to the systemd-coredump user, which is a member of the docker group.
$ id systemd-coredump
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump),135(docker)
Docker socket permissions are as follows:
srw-rw---- 1 root docker 0 Oct 25 13:39 docker.sock=
Is there any additional configuration needed to allow the test container to correctly execute Docker commands with the permissions of the gitlab-runner user? Thank you very much!!
I have confirmed that outside the container, the user with UID 999 is indeed a member of the docker group.
2 Answers
I added
docker:x:135:gitlab-runner
to /etc/group, then I can now run Docker with gitlab-runner! This is because by default the Docker engine runs as root; actually there is an alternative to run Docker containers as a non-root user (rootless containers).
Learn more: https://docs.docker.com/engine/security/rootless/
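The group fix from the answer above, generalized into a script as an added example that is not from the original post: it reads the numeric GID that owns the mounted socket (135 in the question), creates a group with that GID in the container's own group file if none exists, adds the runner user to it, and exposes a membership check. Assumed: GNU stat, the socket at /var/run/docker.sock, and that the user gitlab-runner already exists in the container.

```shell
#!/bin/sh
# Added example (not from the original post): grant an unprivileged container
# user access to a bind-mounted docker.sock by matching the socket's numeric GID.
# Assumptions: GNU stat, socket at /var/run/docker.sock, user gitlab-runner exists.
# The kernel compares numeric GIDs only: the host group *name* is irrelevant, and
# the host membership of whichever host user shares UID 999 never reaches the
# container. The container's own /etc/group must give the user the socket's GID.

# group_for_gid <gid> <group-file>: print the name of the group owning <gid>, if any.
group_for_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1; exit }' "$2"
}

# is_member <gid> <user> <group-file>: succeed if <user> is listed under <gid>.
is_member() {
    awk -F: -v gid="$1" -v user="$2" '
        $3 == gid { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == user) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# add_user_to_gid <gid> <user> <group-file>: ensure a group with <gid> exists and
# lists <user>; idempotent. Prints the group name used.
add_user_to_gid() {
    gid=$1; user=$2; gfile=$3
    name=$(group_for_gid "$gid" "$gfile")
    if [ -z "$name" ]; then
        # No group owns this GID yet: create one. If the name "docker" is already
        # taken by another GID, append the GID (constructed naming convention).
        name=docker
        grep -q '^docker:' "$gfile" && name="docker$gid"
        printf '%s:x:%s:%s\n' "$name" "$gid" "$user" >> "$gfile"
    elif ! is_member "$gid" "$user" "$gfile"; then
        # The group exists: append the user to its member list.
        awk -F: -v OFS=: -v gid="$gid" -v user="$user" \
            '$3 == gid { $4 = ($4 == "" ? user : $4 "," user) } { print }' \
            "$gfile" > "$gfile.tmp" && mv "$gfile.tmp" "$gfile"
    fi
    printf '%s\n' "$name"
}

# grant_socket_access <user> [socket] [group-file]: the in-container procedure.
grant_socket_access() {
    gid=$(stat -c '%g' "${2:-/var/run/docker.sock}")   # the socket keeps the host's GID
    name=$(add_user_to_gid "$gid" "$1" "${3:-/etc/group}")
    echo "$1 added to $name (gid $gid); re-login with 'su - $1' so the new group applies"
}

# Run as root inside the container: APPLY=1 sh fix-docker-gid.sh gitlab-runner
if [ "${APPLY:-}" = 1 ]; then
    grant_socket_access "${1:?usage: APPLY=1 sh fix-docker-gid.sh <user> [socket] [group-file]}" "$2" "$3"
fi
```

After re-login, `docker info` should succeed for the user; anyone who can reach the socket has the same control over the host's Docker daemon as root, so this membership deserves the same scrutiny as the host's docker group.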