How to Fix Jenkins Docker Socket Permission Denied Error When Running Builds


When integrating Jenkins with Docker on Linux systems, a common roadblock occurs where Jenkins jobs fail to access the Docker Unix socket despite proper group permissions. The root cause typically involves one of these scenarios:

# Typical error message
Post http:///var/run/docker.sock/v1.15/build: dial unix /var/run/docker.sock: permission denied

First, verify the current permissions and group membership:

# Check socket permissions
ls -la /var/run/docker.sock

# Verify group membership
getent group docker

# Check effective user during builds
whoami && id -Gn

Modern Linux distributions using systemd may require additional configuration. The docker.socket unit might need adjustment:

# Edit socket unit (Ubuntu/Debian)
sudo systemctl edit docker.socket

[Socket]
SocketMode=0660
SocketGroup=docker

Jenkins often runs as a service that loads group membership at startup. Try these solutions:

  1. Restart the Jenkins service after adding the jenkins user to the docker group:
    sudo systemctl restart jenkins
  2. Alternatively, modify the service file to explicitly set supplementary groups:
    # Edit jenkins service unit
    [Service]
    SupplementaryGroups=docker

For more secure setups, consider configuring Docker contexts:

# Create dedicated context
docker context create jenkins \
  --docker "host=unix:///path/to/custom.sock"

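# Use in Jenkinsfile (the context must have been created as the jenkins user;
# it is selected with the docker CLI's global --context flag)
sh 'docker --context jenkins build .'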

Here's a working pipeline implementation:

pipeline {
  agent any
  environment {
    DOCKER_HOST = 'unix:///var/run/docker.sock'
  }
  stages {
    stage('Build') {
      steps {
        script {
          docker.build("my-image:${env.BUILD_ID}")
        }
      }
    }
  }
}

When debugging permission issues, auditd can help track access attempts:

# Add audit rule
sudo auditctl -w /var/run/docker.sock -p rwxa -k docker-sock-access

# View denied attempts (--success no filters out successful events)
sudo ausearch -k docker-sock-access -ts today --success no

When integrating Jenkins with Docker on Ubuntu systems, a common pitfall occurs where Jenkins jobs fail with permission errors despite the jenkins user being added to the docker group. The typical error message looks like:

Post http:///var/run/docker.sock/v1.15/build: dial unix /var/run/docker.sock: permission denied

After adding the Jenkins user to the docker group (sudo usermod -aG docker jenkins), you might expect immediate access. However, Linux group membership changes require either:

  1. A fresh login session for the user
  2. Restarting the service that runs as the user

Here's how to verify proper group membership:

# Check effective group membership
groups jenkins

# Verify docker.sock permissions
ls -l /var/run/docker.sock
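
The stale-group case described above (the user is in the docker group, but the already-running service is not) can be confirmed by comparing the group database with the credentials recorded in the process's /proc/PID/status. The script below is an added example, not part of the original article; the function names, verdict strings and the sample data in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Compares the group database with
# the credentials a running process actually holds, to spot the stale-group case.

# Print the numeric gid of GROUP from a group(5)-format file (default /etc/group).
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; f = 1 } END { exit !f }' "${2:-/etc/group}"
}

# Succeed if USER is listed as a member of GROUP in the group file.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "${3:-/etc/group}"
}

# Succeed if GID is the fsgid or a supplementary group in a /proc/PID/status file.
proc_has_gid() {
    awk -v gid="$2" '
        $1 == "Gid:" && $5 == gid { ok = 1 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == gid) ok = 1 }
        END { exit !ok }' "$1"
}

# diagnose USER GROUP STATUS_FILE SOCKET_MODE SOCKET_GROUP [GROUP_FILE]
# SOCKET_MODE and SOCKET_GROUP come from: stat -c '%a %G' /var/run/docker.sock
diagnose() {
    gfile="${6:-/etc/group}"
    # An "other" digit with the write bit set is the chmod 666 state.
    case "$4" in *[2367]) echo "socket-world-writable"; return ;; esac
    [ "$5" = "$2" ] || { echo "socket-wrong-group"; return; }
    case "$4" in *[2367]?) ;; *) echo "socket-group-not-writable"; return ;; esac
    gid=$(gid_of_group "$2" "$gfile") || { echo "group-missing"; return; }
    user_in_group "$1" "$2" "$gfile" || { echo "user-not-in-group"; return; }
    # In the database but not in the live process: the service predates usermod.
    proc_has_gid "$3" "$gid" || { echo "restart-service"; return; }
    echo "ok"
}

# Constructed sample: jenkins was added to docker (gid 998) after the service started.
demo() {
    d=$(mktemp -d)
    printf 'docker:x:998:jenkins\n' > "$d/group"
    printf 'Gid:\t112\t112\t112\t112\nGroups:\t112\n' > "$d/status"
    diagnose jenkins docker "$d/status" 660 docker "$d/group"
    rm -rf "$d"
}
```

On a live host, pass the /proc/PID/status file of the Jenkins process as STATUS_FILE and omit GROUP_FILE to read /etc/group.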

Option 1: Restart Jenkins Service

sudo systemctl restart jenkins
# Or for older systems:
sudo service jenkins restart

Option 2: Set Docker Socket Permissions (Temporary Fix)

sudo chmod 666 /var/run/docker.sock
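# Warning: mode 666 lets every local user and process control the Docker daemon,
# which is root-equivalent on the host. Restore 660 once the group-based fix works.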

Option 3: Permanent Permission Configuration

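Create a systemd drop-in file to ensure proper permissions at startup. Note that the second -H option in this ExecStart also opens the Docker API on tcp://127.0.0.1:2375 without TLS or authentication, so any local process can reach it; --group docker is the part that sets the socket's group: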

sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375 --group docker
EOF

sudo systemctl daemon-reload
sudo systemctl restart docker

For systems where the above doesn't work, check these additional factors:

# Verify Jenkins process environment
ps aux | grep jenkins

# Check for AppArmor/SELinux restrictions
sudo aa-status
getenforce

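# Alternative: Use docker.sock proxy
# bind=127.0.0.1 keeps the listener off external interfaces; any local process
# that can reach the port still gets full Docker API access
socat TCP-LISTEN:2375,bind=127.0.0.1,reuseaddr,fork UNIX-CLIENT:/var/run/docker.sock &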
export DOCKER_HOST=tcp://localhost:2375

Remember that security considerations are paramount when dealing with Docker socket access. Always prefer the group-based solution over global permissions where possible.