How to run docker with sudo inside a "circleci build" command?

eschen42 · August 27, 2018, 6:25pm

For security, I want to authorize with my password any communications with the Docker socket.
Thus, I do not add myself to the docker group so that I will be challenged for a password when I try to communicate with the docker socket via sudo.

When I run the command circleci build I get the response

Downloading latest CircleCI build agent...
Error: Could not find picard image: failed to pull latest docker image: exit status 1

notwithstanding that I already did

sudo docker pull circleci/picard

Is my guess that the circleci build assumes that I can invokes docker without sudo, and, if so, how do I change the configuration so that circleci will use sudo for the docker command?

halfer · August 27, 2018, 6:24pm

Could you just do sudo circleci build? I’d assume any Docker commands within will just inherit sudo privs.

eschen42 · August 27, 2018, 6:31pm

Thank you for the suggestion. The issue is then it runs everything a root, not just the docker commands. Any files created are owned as root, plus I’m giving more administrative privilege to circleci than just the ability to run docker commands.

halfer · August 27, 2018, 6:34pm

Hmm, true. The alternative is you could find out where Docker lives, and then rename it:

$ which docker
/usr/bin/docker
$ mv /usr/bin/docker /usr/bin/my-docker

Then you can create a custom /usr/bin/docker command that calls sudo /usr/bin/my-docker with the same parameters. That might work, depending on whether the circleci binary calls Docker via the console, or whether it calls the API.

halfer · August 27, 2018, 6:44pm

Another (easier) approach is to use sudo circleci as I have suggested, but do this inside a clean VM or another Docker container, so that it no longer matters if you do not trust the binary - no damage can be done, no data to steal.

(Of course, you have to trust CircleCI to some degree, since you are giving them access to your repo and possibly also your deploy systems).

eschen42 · August 27, 2018, 6:41pm

points taken. Here’s what I came up with for my substitute docker bash script:

#!/bin/bash
sudo path/to/my/bin/docker $*

This has given me access to docker. Now on to see how it all works. Thank you.

system · November 25, 2018, 6:46pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.