Hosting Jenkins on Kubernetes with docker.sock

Time: 2017-12-19 17:49:14

Tags: docker jenkins kubernetes

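I am trying to host a Jenkins image on GKE to run builds. For the most part I followed Google's tutorial for setting up Jenkins in Kubernetes. I have a fairly basic setup, with a single master node running the builds.

I also want to be able to use Docker inside the Jenkins environment, so I went into Jenkins' Global Tool Configuration and added a Docker installation. I also mapped docker.sock in my deployment file to get around the "Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?" problem.

My current deployment looks like this: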

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: jenkins
  namespace: jenkins
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: master
    spec:
      containers:
      - name: master
        image: jenkins/jenkins:2.95
        ports:
        - containerPort: 8080
        - containerPort: 50000
        readinessProbe:
          httpGet:
            path: /login
            port: 8080
          periodSeconds: 10
          timeoutSeconds: 5
          successThreshold: 2
          failureThreshold: 5
        env:
        - name: JENKINS_OPTS
          valueFrom:
            secretKeyRef:
              name: jenkins
              key: options
        - name: JAVA_OPTS
          value: '-Xmx1400m'
        volumeMounts:
        - mountPath: /var/jenkins_home
          name: jenkins-home
        - mountPath: /var/run/docker.sock
          name: docker-socket
        securityContext:
          privileged: true
        resources:
          limits:
            cpu: 500m
            memory: 1500Mi
          requests:
            cpu: 500m
            memory: 1500Mi
      volumes:
      - name: jenkins-home
        gcePersistentDisk:
          pdName: jenkins-home
          fsType: ext4
          partition: 1
      - name: docker-socket
        hostPath:
          path: /var/run/docker.sock

Unfortunately, every build fails with the following error:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: 
....
dial unix /var/run/docker.sock: connect: permission denied

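Most Google searches for this error turn up results that seem unrelated to Kubernetes.

What am I missing?

Update: things work somewhat better if I use this configuration: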

spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: master
    spec:
      securityContext:
        runAsUser: 0
      containers:

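Basically, this runs Jenkins as root. Unfortunately, this has some implications for how the pipeline manages authentication credentials. When I try to use "withRepository(repoName,credentialId)", the pipeline adds an entry to /var/jenkins_home/.dockercfg, but the later docker push step does not seem to find those credentials (I think the later steps end up looking in /root/.dockercfg or /root/.docker/config.json).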
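The "permission denied" error in the question is an ordinary file-permission check on the mounted socket. The following is an added example, not code from the original post: it reproduces that check for a socket assumed to be mode 0660 owned by root and a docker group (gid 412 and the uid/gid 1000 process are constructed values), and `diagnose()` applies the same check to the real socket when run inside the container.

```python
import os
import stat

def socket_access(mode, owner_uid, owner_gid, uid, gids):
    """Return the permission class that lets (uid, gids) connect, or None.

    connect() on a Unix socket needs write permission on the socket file,
    and the kernel consults exactly one class: owner, group or other.
    """
    if uid == 0:
        return "root"  # simplification: assumes root still holds CAP_DAC_OVERRIDE
    if uid == owner_uid:
        return "owner" if mode & stat.S_IWUSR else None
    if owner_gid in gids:
        return "group" if mode & stat.S_IWGRP else None
    return "other" if mode & stat.S_IWOTH else None

def diagnose(path="/var/run/docker.sock"):
    """Apply the same check to a real socket, as the current process."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return f"{path} is not a socket"
    uid, gids = os.geteuid(), set(os.getgroups()) | {os.getegid()}
    via = socket_access(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    desc = f"{path} {stat.filemode(st.st_mode)} owner {st.st_uid}:{st.st_gid}"
    if via:
        return f"{desc}: connect allowed via {via}"
    return f"{desc}: permission denied for uid {uid}, groups {sorted(gids)}"

# Constructed sample: srw-rw---- root:<docker group>; gid 412 is made up,
# the real value is whatever group owns the socket on the node.
SOCK_MODE = stat.S_IFSOCK | 0o660
SOCK_UID, SOCK_GID = 0, 412

def scenarios():
    """The three cases relevant to the question, on the constructed socket."""
    return {
        "uid 1000, gid 1000": socket_access(SOCK_MODE, SOCK_UID, SOCK_GID, 1000, {1000}),
        "uid 0 (runAsUser: 0)": socket_access(SOCK_MODE, SOCK_UID, SOCK_GID, 0, {0}),
        "uid 1000 + socket gid": socket_access(SOCK_MODE, SOCK_UID, SOCK_GID, 1000, {1000, SOCK_GID}),
    }

if __name__ == "__main__":
    for who, via in scenarios().items():
        print(f"{who}: {via or 'permission denied'}")
    if os.path.exists("/var/run/docker.sock"):
        print(diagnose())
```

Any identity that passes this check can drive the node's Docker daemon, so access to the socket is equivalent to root on that node.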

3 answers:

Answer 0 (score: 3)

You may want to try running it as user 1000:

...
spec:
  ...
  securityContext:
    # Specify fsGroup for pod, so that the persistent volume is writable for the non-privileged uid/gid 1000
    runAsUser: 1000
    fsGroup: 1000
  ...

You may also find this Helm chart useful.

Answer 1 (score: 1)

volumes:
- name: docker-sock-volume
  hostPath:
    path: /var/run/docker.sock
    type: File

Try specifying type: File

Answer 2 (score: 1)

I hope this helps anyone who runs into this problem and for whom changing the volume type to File and runAsUser did not work.

For me, setting … worked.

I'm not sure whether this is recommended, according to this post. But you can try setting the DOCKER_HOST env variable and check whether it works for you too.