以非root用户身份在docker-container中以jenkins-agent身份运行Docker

您已将docker组添加到了容器内的Jenkins用户.但是，这不一定可行，因为主机和容器之间用户和组到uid和gid的映射可能不同.通常这不是问题，但是在主机卷和其他绑定装入容器的情况下，文件将使用相同的uid/gid以及权限进行映射.因此，在容器内部，除非两个环境之间的gid完全相同，否则docker组将无法访问docker套接字.

You've added the docker group to the Jenkins user inside the container. However, that will not necessarily work because the mapping of users and groups to uids and gids can be different between the host and container. That's normally not an issue, but with host volumes and other bind mounts into the container, the files are mapped with the same uid/gid along with the permissions. Therefore, inside the container, the docker group will not have access to the docker socket unless the gid happens to be identical between the two environments.

有几种解决方案，包括手动传递主机gid作为在容器内部使用的gid.或者，您可以得到主机的指导，并使用硬编码的值构建映像.

There are several solutions, including manually passing the host gid as the gid to use inside the container. Or you can get the gid of the host and build the image with that value hard coded in.

我的首选解决方案是以root用户身份启动入口点，修复容器内的docker组以匹配已安装的docker套接字的gid，然后切换到Jenkins用户以启动应用程序.这在可能难以控制uid/gids的开发环境中特别有效.所有的步骤/脚本都在我的仓库中: https://github.com/sudo- bmitch/jenkins-docker

My preferred solution is to start an entrypoint as root, fix the docker group inside the container to match the gid of the mounted docker socket, and then switch to the Jenkins user to launch the app. This works especially well in development environments where control of uid/gids may be difficult. All the steps/scripts for this are in my repo: https://github.com/sudo-bmitch/jenkins-docker

对于受控环境中的生产，我尝试在主机和容器中获取用于装入主机卷的任何内容的标准化uid/gid值.然后，我可以运行没有根入口点步骤的容器.

For production in a controlled environment, I try to get standardized uid/gid values, both on the host and in containers, for anything that mounts host volumes. Then I can run the container without the root entrypoint steps.