Jenkins setup: I refer you to this recent post I made; the details are at the top:
As you know, the default permissions for docker.sock are:
srw-rw---- 1 root docker 0 May 7 07:28 /var/run/docker.sock
My dockerized jenkins controller and its Docker agent are both USER jenkins, not USER root.
If I change the permissions for docker.sock on my main system to:
srw-rw-rw- 1 root docker 0 May 7 07:28 /var/run/docker.sock
… granting permission to everyone, my Jenkinsfile and application run successfully. But this is not secure, and the jenkins Docker image comes with a user named “jenkins”.
I have been unable to get group permissions to work for the controller and agent.
On my main system (a Debian-derived Linux distro) ‘groups jenkins’ returns:
jenkins : jenkins docker
And ‘cat /etc/group’ includes this line:
docker:x:986:ra,jenkins
So far so good. My main system has added “jenkins” to the group “docker”, thus granting permission to the user “jenkins” in DooD.
I instantiate the dockerized jenkins controller with:
########################################################
docker run -d \
--name mvn-jenkins \
--group-add "$(getent group docker | cut -d: -f3)" \
--restart unless-stopped \
-p 8082:8080 \
-p 50002:50000 \
-v jenkins_home:/var/jenkins_home \
-v $(which docker):/usr/bin/docker \
-v /home/ra/.ssh:/var/jenkins_home/.ssh \
-v /var/run/docker.sock:/var/run/docker.sock \
jenkins-with-maven-docker
The group ID is passed to the controller with:
--group-add "$(getent group docker | cut -d: -f3)"
‘groups’ on the controller Docker container returns:
jenkins groups: cannot find name for group ID 986
986
‘groups jenkins’ on the controller Docker container only returns:
jenkins : jenkins
‘ls -la /var/run/docker.sock’ on the controller Docker container returns:
srw-rw---- 1 root 986 0 May 7 07:28 /var/run/docker.sock
The controller does not seem to associate group ‘986’ with group ‘docker’.
Below is my Jenkins pipeline script:
########################################################
// must have docker pipeline and docker-buildx plugins installed
pipeline {
    // must first manually extend permissions
    // for /run/docker.sock on main system to 'other':
    // sudo chmod a+rw /run/docker.sock
    agent {
        docker {
            image 'maven-docker-agent'
            args '''
                -v /var/run/docker.sock:/var/run/docker.sock
            '''
        }
        // sh 'echo "maven-docker-agent built"'
    }
    environment {
        IMAGE_NAME = 'java-hello:local'
        CONTAINER_NAME = 'java-hello'
    }
    stages {
        stage('Debug socket') {
            steps {
                sh '''
                    ls -l /var/run/docker.sock || echo "socket missing"
                    id
                    groups
                '''
            }
        }
        stage('Remove old Maven project') {
            steps {
                deleteDir()
            }
        }
        stage('Generate new Maven project') {
            steps {
                sh '''
                    mvn archetype:generate \
                        -DgroupId=com.mycompany.app \
                        -DartifactId=my-app \
                        -DarchetypeArtifactId=maven-archetype-quickstart \
                        -DarchetypeVersion=1.5 \
                        -DinteractiveMode=false
                    echo "completed mvn archetype:generate"
                '''
            }
        }
        stage('Build JAR') {
            steps {
                dir('my-app') {
                    sh '''
                        mvn -B -DskipTests clean package
                        echo "built JAR"
                    '''
                }
            }
        }
        // when using EOF in groovy, put all lines up against left margin
        // to eliminate whitespace (see below)
        stage('Prepare Docker context') {
            steps {
                dir('my-app') {
                    sh '''
cat > Dockerfile <<'EOF'
FROM eclipse-temurin:25-jre-ubi10-minimal
WORKDIR /app
COPY target/my-app-1.0-SNAPSHOT.jar /app/app.jar
ENTRYPOINT ["java","-cp","/app/app.jar","com.mycompany.app.App"]
EOF
echo "built Dockerfile"
cat > .dockerignore <<'EOF'
target/*
!target/my-app-1.0-SNAPSHOT.jar
.git
.gitignore
EOF
echo "built .dockerignore"
                    '''
                }
            }
        }
        stage('Build Docker image') {
            steps {
                dir('my-app') {
                    sh '''
                        docker buildx build -t ${IMAGE_NAME} --load .
                        echo "built Docker image ${IMAGE_NAME}"
                    '''
                }
            }
        }
        stage('Run container') {
            steps {
                sh '''
                    echo "— Container output below —"
                    # container name comes from the environment block above
                    docker run --rm --name ${CONTAINER_NAME} ${IMAGE_NAME}
                '''
            }
        }
    }
}
########################################################
I get the error at this stage:
[Pipeline] { (Build Docker image)
[Pipeline] dir
Running in /var/jenkins_home/workspace/maven-job/my-app
[Pipeline] {
[Pipeline] sh
docker buildx build -t java-hello:local --load .
ERROR: permission denied while trying to connect to the docker API at unix:///var/run/docker.sock
########################################################
The Dockerfile for the dockerized jenkins controller:
########################################################
# Custom Jenkins controller with Maven + Docker CLI (DooD)
# docker buildx build -t jenkins-with-maven-docker .
# OR
# docker build -t jenkins-with-maven-docker .
FROM jenkins/jenkins:2.563-slim-jdk21
USER root
# Install Maven + basic tools
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        maven \
        ca-certificates \
        curl \
        gnupg && \
    rm -rf /var/lib/apt/lists/*
# Install Docker CLI only (no daemon)
RUN install -m 0755 -d /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/debian/gpg \
        -o /etc/apt/keyrings/docker.asc && \
    chmod a+r /etc/apt/keyrings/docker.asc && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
        https://download.docker.com/linux/debian \
        $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" \
        > /etc/apt/sources.list.d/docker.list && \
    apt-get update && \
    apt-get install -y --no-install-recommends docker-ce-cli && \
    apt-get install -y --no-install-recommends docker-buildx-plugin && \
    rm -rf /var/lib/apt/lists/*
# Ensure Jenkins home exists and is owned correctly
RUN mkdir -p /var/jenkins_home && \
    chown -R jenkins:jenkins /var/jenkins_home
# Drop privileges
USER jenkins
# Jenkins home is already the default WORKDIR
########################################################
The Dockerfile for the Docker agent:
########################################################
# creates the Docker image for the maven-docker-agent
# before running the Jenkinsfile,
# build the maven-docker-agent container manually,
# from same directory as this Dockerfile:
# docker buildx build --load -t maven-docker-agent .
# to examine this Docker image independent of jenkins:
# docker run -d --name mda --group-add "$(getent group docker | cut -d: -f3)" -v /var/run/docker.sock:/var/run/docker.sock maven-docker-agent
# docker exec -it mda bash
# Maven + JDK base
# debian linux will allow us to use
# many more bash commands inside the container
FROM maven:3.9.15-amazoncorretto-21-debian
USER root
# Install Docker CLI only (no daemon)
RUN apt-get update && \
apt-get install -y --no-install-recommends \
ca-certificates \
curl \
gnupg && \
rm -rf /var/lib/apt/lists/* && \
install -m 0755 -d /etc/apt/keyrings && \
curl -fsSL https://download.docker.com/linux/debian/gpg \
-o /etc/apt/keyrings/docker.asc && \
chmod a+r /etc/apt/keyrings/docker.asc && \
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
https://download.docker.com/linux/debian \
$(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" \
> /etc/apt/sources.list.d/docker.list && \
apt-get update && \
apt-get install -y --no-install-recommends docker-ce-cli && \
apt-get install -y --no-install-recommends docker-buildx-plugin && \
rm -rf /var/lib/apt/lists/*
# Create non-root Jenkins user (UID 1000)
RUN useradd -u 1000 -m jenkins
# Do NOT create docker group here — host GID is injected at runtime
USER jenkins
WORKDIR /home/jenkins
# Keep container alive only when manually run for debugging
CMD ["sleep", "infinity"]
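The three observations in the post (the controller started with `--group-add 986` sees gid 986, the `docker buildx build` inside the agent is denied, and `chmod a+rw` on the host makes everything work) all reduce to which permission class the kernel matches first for the caller of the socket; note that the agent `args` in the Jenkinsfile mount the socket but pass no `--group-add`, unlike the controller's `docker run`. As an added example that is not code from the post, here is a POSIX sh reimplementation of that owner/group/other check plus a wrapper that applies it to a real socket; the numeric values (socket owned by root:986 with mode 660, jenkins as uid 1000) are constructed to match the listings above.

```shell
# rw DIGIT: true if one octal permission digit grants both read (4) and write (2).
rw() { [ $(( $1 & 6 )) -eq 6 ]; }

# can_access MODE OWNER_UID OWNER_GID CALLER_UID "CALLER_GIDS"
#   MODE is octal as printed by `stat -c %a` (660, 666, 4660, ...);
#   CALLER_GIDS is the space-separated list printed by `id -G`.
#   Returns 0 if the caller may read and write the socket, 1 otherwise.
can_access() {
    mode=$(printf '%03d' "$1"); owner_uid=$2; owner_gid=$3; caller_uid=$4; caller_gids=$5
    # Peel the last three digits off the right; setuid/setgid/sticky are ignored.
    o=${mode#"${mode%?}"}; mode=${mode%?}
    g=${mode#"${mode%?}"}; mode=${mode%?}
    u=${mode#"${mode%?}"}
    # Unix DAC: root bypasses; otherwise the FIRST class that matches decides,
    # with no fall-through to a more permissive class.
    if [ "$caller_uid" -eq 0 ]; then return 0; fi
    if [ "$caller_uid" -eq "$owner_uid" ]; then
        if rw "$u"; then return 0; else return 1; fi
    fi
    for gid in $caller_gids; do
        if [ "$gid" -eq "$owner_gid" ]; then
            if rw "$g"; then return 0; else return 1; fi
        fi
    done
    if rw "$o"; then return 0; else return 1; fi
}

# explain_socket PATH: the same check for the current process against a real
# socket (uses GNU stat, as on the Debian-based images in the post).
explain_socket() {
    info=$(stat -c '%a %u %g' "$1") || return 2
    set -- "$1" $info        # $1=path $2=mode $3=owner uid $4=owner gid
    me=$(id -u); mine=$(id -G)
    if can_access "$2" "$3" "$4" "$me" "$mine"; then
        echo "OK: uid $me (gids: $mine) may use $1 [mode $2, owner $3:$4]"
    else
        echo "DENIED: uid $me has gids [$mine] but $1 is mode $2, owned by $3:$4"
        echo "        a supplementary gid $4 (--group-add $4) would match the group class"
        return 1
    fi
}

# The three situations from the post, with constructed values
# (socket root:986 mode 660, jenkins uid 1000):
can_access 660 0 986 1000 "1000 986" && echo "controller (--group-add 986): allowed"
can_access 660 0 986 1000 "1000"     || echo "agent container (gid 1000 only): denied"
can_access 666 0 986 1000 "1000"     && echo "after chmod a+rw on the host: anyone allowed"
[ -S /var/run/docker.sock ] && explain_socket /var/run/docker.sock
```

Dropping `explain_socket /var/run/docker.sock` into the 'Debug socket' stage prints the matched class for the build's own uid and gids, which is the information `groups` alone does not give.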