aws / aws-codebuild-docker-images

Official AWS CodeBuild repository for managed Docker images http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html

Docker socket in the build environment is owned root:root #666

Closed ag-TJNII closed 7 months ago

ag-TJNII commented 1 year ago

Describe the issue This is a feature request.

We have several builds that use a docker-in-docker pattern for container tests, volume mounting in the Docker socket to a control container. The purpose of driving the Docker socket is that the component under test is another Docker test built earlier in the pipeline.

The general flow is:

As general best practice we try and avoid running things as root. In order to make this work the general pattern we use is to add an entrypoint to the test control container that inspects the group of the Docker socket and ensures the test runner user is a member of that group before dropping privileges to a non-root user for test. Basic Linux permissions stuff.

However, in the build environment /var/run/docker.sock is owned root:root:

srw-rw---- 1 root root 0 Aug 9 15:02 /var/run/docker.sock

This requires our user to be UID 0 or GID 0, which means we can't run as non-root and still access the socket.

This seems to be a variance from vanilla Docker installs where there is a Docker group, and the socket is owned root:docker.

It would be useful for docker-in-docker users to have the socket be owned by a group other than root, as that will allow access to the socket by non-root users.

To Reproduce ls -l /var/run/docker.sock in a CodeBuild pipeline script. Seen on aws/codebuild/standard:4.0 and aws/codebuild/standard:7.0.

Expected behavior The socket should have a non-root Docker group, instead of being owned root:root.

Platform (please complete the following information):
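The entrypoint pattern the reporter describes (inspect the socket's group, make the runner a member, then drop privileges), as an added example that is not code from this issue or from the aws-codebuild-docker-images project. It assumes a non-root account named `runner`, GNU `stat`, BusyBox `addgroup`, and `su-exec` for the privilege drop (all assumptions, adjust for the base image). The one behaviour worth noting is the failure mode this issue is about: when the socket is root:root (GID 0), the script refuses rather than adding the runner to the root group, because that would silently undo the privilege drop.

```shell
#!/bin/sh
# Hypothetical entrypoint for a test-control container that has the host's
# Docker socket volume-mounted in. Added example; not the project's own code.
set -eu

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"   # assumed mount path
RUNNER_USER="${RUNNER_USER:-runner}"                  # assumed non-root user

# Numeric GID that owns a path (GNU stat syntax; assumption).
socket_gid() {
    stat -c '%g' "$1"
}

# Decide whether a socket GID can be granted to the runner by group.
# Prints "group:<gid>" and returns 0 when a non-root group owns the socket;
# prints "root-owned" and returns 1 when the socket is root:root (GID 0),
# which is the CodeBuild situation reported in this issue.
socket_access_plan() {
    gid="$1"
    if [ "$gid" -eq 0 ]; then
        echo "root-owned"
        return 1
    fi
    echo "group:$gid"
    return 0
}

# Make sure a group with the socket's GID exists inside the container and
# that the runner user belongs to it. Must run as root, before the drop.
ensure_group_membership() {
    gid="$1"
    user="$2"
    grp=$(getent group "$gid" | cut -d: -f1 || true)
    if [ -z "$grp" ]; then
        grp="dockersock"                 # constructed name for the mapped group
        addgroup -g "$gid" "$grp"        # BusyBox; use groupadd -g on Debian/Ubuntu
    fi
    addgroup "$user" "$grp"              # BusyBox; use usermod -aG on Debian/Ubuntu
}

main() {
    gid=$(socket_gid "$DOCKER_SOCK")
    if ! socket_access_plan "$gid" >/dev/null; then
        echo "refusing to start: $DOCKER_SOCK is owned by GID 0;" \
             "granting $RUNNER_USER GID 0 would defeat running non-root" >&2
        exit 1
    fi
    ensure_group_membership "$gid" "$RUNNER_USER"
    # Drop privileges for the actual test command.
    exec su-exec "$RUNNER_USER" "$@"
}

# Only run main when invoked as the container entrypoint, so the functions
# can be sourced or exercised on their own.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```

With a vanilla Docker host the socket is root:docker, `socket_access_plan` returns `group:<docker gid>`, and the runner ends up in a group mapped to that GID; with the root:root socket from this issue the script exits non-zero at startup instead of quietly running the tests with root-equivalent access to the daemon.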

subinataws commented 9 months ago

@ag-TJNII - Could you please try running your builds without the privileged mode being enabled? CodeBuild now supports docker.sock, rather than docker in docker. This is only applicable if you aren't using privileged mode or require VPC configuration for your project.

srw-rw---- 1 root 994 0 /var/run/docker.sock

subinataws commented 7 months ago

Do let us know if this didn't address the issue you were facing. Assuming you aren't using VPC configuration for your builds.

ag-TJNII commented 7 months ago

Sorry for the delay. Due to internal changes unrelated to codebuild we've migrated to another CI/CD system, so I am unable to test. We can close this.