Docker container - How to set GID of socket file to groupID 130?


This is docker in docker scenario.

Below is the corresponding Dockerfile, which has the docker client installed:

FROM jenkins/jenkins:2.190.2

ENV DEBIAN_FRONTEND=noninteractive

# Official Jenkins image does not include sudo, change to root user
USER root

# Used to set the docker group ID
# Set to 497 by default, which is the groupID used by AWS Linux ECS instance
ARG DOCKER_GID=497

# Create Docker Group with GID
# Set default value of 497 if DOCKER_GID set to blank string by Docker compose
RUN groupadd -g ${DOCKER_GID:-497} docker

# Install base packages for docker, docker-compose & ansible
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA8E81B4331F7F50 && \
RUN apt-get update -y && \
    apt-get -y install bc \
                    gawk \
                    libffi-dev \
                    musl-dev \
                    apt-transport-https \
                    curl \
                    python3 \
                    python3-dev \
                    python3-setuptools \
                    gcc \
                    make \
                    libssl-dev \
                    python3-pip 

# Used at build time but not runtime
ARG DOCKER_VERSION=5:19.03.4~3-0~debian-stretch

# Install the latest Docker CE binaries and add user `jenkins` to the docker group
RUN apt-get update && \
    apt-get -y install apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common && \
    curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg > /tmp/dkey; apt-key add /tmp/dkey && \
    add-apt-repository \
      "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
      $(lsb_release -cs) \
      stable" && \
    apt-get update && \
    apt-get -y install docker-ce=${DOCKER_VERSION:-5:19.03.4~3-0~debian-stretch}  \
        docker-ce-cli=${DOCKER_VERSION:-5:19.03.4~3-0~debian-stretch} \
        containerd.io && \
    usermod -aG docker jenkins


ARG DOCKER_COMPOSE=1.24.1

# Install docker compose
RUN curl -L "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE:-1.24.1}/docker-compose-$(uname -s)-$(uname -m)" \
    -o /usr/local/bin/docker-compose && \
    chmod +x /usr/local/bin/docker-compose && \
    pip3 install ansible boto3

# Change to jenkins user
USER jenkins

# Add jenkins plugin
COPY plugins.txt /usr/share/jenkins/plugins.txt
RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/plugins.txt

docker-compose.yml creates a mount point (/var/run/docker.sock) during launch of the docker container, which maps to the docker host's socket file:

version: '2'

volumes:
  jenkins_home:
    external: true

services:
  jenkins:
    build:
      context: .
      args:
        DOCKER_GID: ${DOCKER_GID}
        DOCKER_VERSION: ${DOCKER_VERSION}
        DOCKER_COMPOSE: ${DOCKER_COMPOSE}
    volumes:
      - jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "8080:8080"

after running the command DOCKER_GID=130 docker-compose up -d

But the user ID and group ID of /var/run/docker.sock in the docker container are as shown in the container listing below.

On the docker host (laptop), the group ID of the docker group is 130:

todobackend$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Nov 24 21:04 /var/run/docker.sock
todobackend$ cat /etc/group | grep docker
docker:x:130:user
todobackend$ 
todobackend$ uname -a
Linux mohet01-ubuntu 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
todobackend$

In the container, the group ID of the docker group is 130:

todobackend$ 
todobackend$ docker exec -it 1bb8eedbf59e bash
jenkins@1bb8eedbf59e:/$
jenkins@1bb8eedbf59e:/$ ls -l /var/run/docker.sock
srw-rw---- 1 nobody nogroup 0 Nov 25 03:04 /var/run/docker.sock
jenkins@1bb8eedbf59e:/$
jenkins@1bb8eedbf59e:/$ cat /etc/group | grep nogroup
nogroup:x:65534:
jenkins@1bb8eedbf59e:/$ cat /etc/passwd | grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
jenkins@1bb8eedbf59e:/$ cat /etc/group | grep docker
docker:x:130:jenkins
jenkins@1bb8eedbf59e:/$
jenkins@1bb8eedbf59e:/$ docker info
Client:
 Debug Mode: false

Server:
ERROR: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/info: dial unix /var/run/docker.sock: connect: permission denied
errors pretty printing info
jenkins@1bb8eedbf59e:/$

But the mount point (/var/run/docker.sock) in the docker container is not owned by group ID 130, so the docker client in the jenkins container fails with the error below in the jenkins pipeline, which is expected:

=> Creating cache volume...
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/volumes/create: dial unix /var/run/docker.sock: connect: permission denied
Makefile:43: recipe for target 'test' failed

How do I set group ID 130 as the group owner of this mount point (/var/run/docker.sock) in the docker container?

Answer:

It seems like this would be difficult with docker compose. A workaround that might apply for users of docker run is to get the docker group ID from the host:

docker_group_id=$(getent group docker | cut -d: -f3)

Then add arguments to mount /etc/passwd and /etc/group:

  -u "$(id -u):$docker_group_id" \
  -v /etc/passwd:/etc/passwd \
  -v /etc/group:/etc/group \
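The mechanism behind that workaround, as an added example that is not code from the question or the answer: a bind-mounted socket keeps the host's numeric GID, and the host kernel checks the connecting process's credentials against that number, so all that matters is that the jenkins process carries the same numeric GID, whatever /etc/group in the container calls it. The script below is an entrypoint that reads the GID the socket actually shows inside the container at start-up, aligns the container's docker group with it (adding the user to an existing group, renumbering the build-time group, or creating it), and then drops to the application user. If the socket shows up as nobody:nogroup (65534), as in the question's listing, the owning host GID is not mapped into the container's user namespace at all, and no group membership inside the container can match it, so the script refuses instead of creating a group that cannot help. The script name, the `run` subcommand, the DOCKER_SOCK/DOCKER_GROUP/APP_USER variables and the use of gosu are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Entrypoint helper (added example, not from the page): make the container's
# "docker" group carry the numeric GID that /var/run/docker.sock has *inside*
# the container, then drop privileges to the application user. Names below
# (DOCKER_SOCK, APP_USER, the "run" subcommand, gosu) are this example's own
# assumptions, not part of the original Dockerfile or compose file.
set -eu

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
DOCKER_GROUP="${DOCKER_GROUP:-docker}"
APP_USER="${APP_USER:-jenkins}"

# Numeric GID a file shows from this container's point of view
# (GNU stat first, BSD stat as a fallback).
socket_gid() {
  stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# IDs with no mapping in the current user namespace are reported as the kernel
# overflow GID (65534 unless the host changed it). A socket owned by such an ID
# appears as "nogroup" in the container and no local group can ever match it.
overflow_gid() {
  cat /proc/sys/kernel/overflowgid 2>/dev/null || echo 65534
}

# Prints "mapped" or "unmapped" for the GID given as $1.
classify_gid() {
  if [ "$1" -eq "$(overflow_gid)" ]; then echo unmapped; else echo mapped; fi
}

# Print (do not run) the command that gives APP_USER membership in a group with
# GID $1, given the group database file $2 (normally /etc/group). Kept pure so
# the three cases can be exercised against a constructed file.
plan_group_change() {
  local gid="$1" group_db="$2" existing_name existing_gid
  # 1. Some group already owns this GID: just add the user to it.
  existing_name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_db")
  if [ -n "$existing_name" ]; then
    echo "usermod -aG $existing_name $APP_USER"
    return
  fi
  # 2. The docker group exists under another GID (e.g. the build-time ARG): renumber it.
  existing_gid=$(awk -F: -v n="$DOCKER_GROUP" '$1 == n { print $3; exit }' "$group_db")
  if [ -n "$existing_gid" ]; then
    echo "groupmod -g $gid $DOCKER_GROUP && usermod -aG $DOCKER_GROUP $APP_USER"
    return
  fi
  # 3. No such group at all: create it with the socket's GID.
  echo "groupadd -g $gid $DOCKER_GROUP && usermod -aG $DOCKER_GROUP $APP_USER"
}

main() {
  [ -S "$DOCKER_SOCK" ] || { echo "no socket at $DOCKER_SOCK" >&2; exit 1; }
  local gid
  gid=$(socket_gid "$DOCKER_SOCK")
  if [ "$(classify_gid "$gid")" = unmapped ]; then
    echo "$DOCKER_SOCK is owned by a host GID not mapped into this container (shows as $gid)." >&2
    echo "Group membership cannot fix this; check the daemon's ID mapping (e.g. userns-remap) on the host." >&2
    exit 1
  fi
  eval "$(plan_group_change "$gid" /etc/group)"   # runs as root at container start
  exec gosu "$APP_USER" "$@"                      # assumption: gosu is installed in the image
}

# Act as an entrypoint only when invoked as "<script> run <command...>"; otherwise
# the file just defines the functions above (so it can be sourced or tested).
if [ "${1:-}" = "run" ]; then
  shift
  main "$@"
fi
```

To wire it in, the image has to start as root (so the entrypoint can edit the group database) and the script must be the first process; with the assumption that the base image's own start command is tini plus jenkins.sh, that would be an ENTRYPOINT of the form `["/usr/local/bin/docker-gid-entrypoint.sh", "run", "/sbin/tini", "--", "/usr/local/bin/jenkins.sh"]` placed after the final `USER` line is changed back to root. When the socket's GID is mapped, `--group-add <gid>` on `docker run` or `group_add:` in the compose service gives the same numeric membership without touching /etc/group at all; when it shows as 65534 neither approach can work. Either way, keep in mind that anyone who can talk to /var/run/docker.sock can start a privileged container on the host, so whoever can define jenkins pipeline steps in this setup effectively has root on the laptop or ECS instance.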