JetBrains / teamcity-docker-agent

TeamCity agent docker image sources
https://hub.docker.com/r/jetbrains/teamcity-agent/
Apache License 2.0

Docker does not start anymore with version 2020.1 #66

Closed Tijs-2 closed 4 years ago

Tijs-2 commented 4 years ago

On the previous version we could start docker with the environment setting "DOCKER_IN_DOCKER" = True. For the new version (2020.1) it does not work anymore and we get the message " * Docker must be run as root". So I think it has to do with the change that things are not started as root anymore, and it tries to start Docker as a non-root account.

Maybe it needs sudo rights to start the docker service?

Tijs-2 commented 4 years ago

I made a fix for my image by adding this to my docker file:

# Install the start script and let the non-root buildagent user start the Docker service without a password.
COPY run-docker.sh /services/run-docker.sh
RUN echo 'buildagent ALL=(ALL) NOPASSWD: /usr/sbin/service docker start' >> /etc/sudoers \
 && chown -R buildagent:buildagent /services

And the run-docker.sh file I changed to

#!/bin/bash

# Start the Docker daemon when the agent is launched with DOCKER_IN_DOCKER=start.
if [ "$DOCKER_IN_DOCKER" = "start" ] ; then
 # Remove a stale pid file left over from a previous container run, if any.
 rm /var/run/docker.pid 2>/dev/null
 # buildagent is not root, so use the sudoers rule added in the Dockerfile.
 sudo /usr/sbin/service docker start
 echo "Docker daemon started"
fi
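
A least-privilege variant of the workaround above, added here as an example and not code from the issue or from the teamcity-docker-agent project: the rule goes into a /etc/sudoers.d drop-in that is checked with visudo before it is activated, and the start script reports success only once the daemon actually answers. It assumes the agent user is "buildagent" and that /usr/sbin/service exists in the image; the function names and the drop-in file name 50-buildagent-docker are my own.

```shell
#!/bin/bash
# Added example (not from the issue or the project). Assumptions: the agent
# runs as "buildagent", the daemon is started via /usr/sbin/service, and the
# rule lives in a /etc/sudoers.d drop-in instead of an appended /etc/sudoers.
set -euo pipefail

# Build the single sudoers rule: one exact command, run-as restricted to root,
# so the grant cannot be turned into "sudo service docker <anything else>".
render_sudoers_rule() {
  local user="$1"
  printf '%s ALL=(root) NOPASSWD: /usr/sbin/service docker start\n' "$user"
}

# Write the rule to a drop-in with the mode sudo requires (0440) and reject it
# if visudo reports a syntax error (a broken drop-in locks everyone out of
# sudo). The directory is a parameter so the function can be tested off-box.
# sudo ignores drop-ins whose name contains a '.', hence the .tmp then mv.
install_sudoers_rule() {
  local user="$1" dir="${2:-/etc/sudoers.d}" file
  file="$dir/50-${user}-docker"
  render_sudoers_rule "$user" > "$file.tmp"
  chmod 0440 "$file.tmp"
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$file.tmp" >/dev/null || { rm -f "$file.tmp"; return 1; }
  fi
  mv "$file.tmp" "$file"
  printf '%s\n' "$file"
}

# Replacement for run-docker.sh: only report success once the daemon answers,
# instead of printing "started" regardless of the service command's outcome.
# sudo -n never prompts, so a missing rule fails fast rather than hanging.
start_docker_if_requested() {
  [ "${DOCKER_IN_DOCKER:-}" = "start" ] || return 0
  rm -f /var/run/docker.pid
  sudo -n /usr/sbin/service docker start
  local i
  for i in $(seq 1 30); do
    docker info >/dev/null 2>&1 && { echo "Docker daemon started"; return 0; }
    sleep 1
  done
  echo "Docker daemon did not come up within 30s" >&2
  return 1
}
```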

kir commented 4 years ago

Hi,

The solution is to pass the -u 0 parameter to the docker run command. Previously the docker agent image was running as root by default; it is not the case anymore.

Hope this helps,

Tijs-2 commented 4 years ago

Not sure, because I use it in k8s, but does that mean the image runs as root again? And does everything run as root again, or only the docker part?

paksv commented 4 years ago

Hi @Tijs-2, if you start your container with runAsUser: 0, the whole container will run as root, not just the docker part.

Looks like your solution is the least harmful possible at the moment (please also note that the teamcity agent image is based on ubuntu, which doesn't include sudo by default, and the fact it's there is just because we forgot to drop it from our Dockerfile script :)).

We are watching for rootless-dind status and as soon as it comes out of experimental state, we can add that possibility to the image.

In addition, for k8s we are going to introduce a possibility to spawn pods outside of the agent pod.

paksv commented 4 years ago

Actually, we are considering adding one more tag with sudo allowed (i.e. pretty much equal to your changes). Hopefully, that will solve your problems for now.

Tijs-2 commented 4 years ago

Well, rootless-dind would probably be a nice solution. But also, if there is a new tag with sudo allowed, I will try it and see if it can replace my own image. It would be nice, because the less custom work there is on the image the better :)

Tijs

paksv commented 4 years ago

https://youtrack.jetbrains.com/issue/TW-66322