How To Run Rootless Docker in Dockerized Jenkins


Jenkins is an essential tool in the DevOps world, and countless organizations use it for their CI/CD pipeline needs. However, security concerns can arise when running Jenkins, especially when attempting to mount the /var/run/docker.sock from the host to the dockerized Jenkins pod. By default, the image provided by Jenkins does not run as root, which is a positive from a security standpoint. However, this can lead to issues such as receiving a “permission denied” warning when building a Docker image or executing basic Docker commands. This guide will provide you with a step-by-step approach to running rootless Docker in Dockerized Jenkins, ensuring your security and stability concerns are addressed.

Technical Explanation

First, it’s important to understand the technical processes at play.

When the Jenkins pod initiates a job, it communicates with the Docker Daemon using the mounted Unix /var/run/docker.sock socket. However, the Jenkins pod runs under the user “jenkins,” which has default permissions of UID=1000 and GUI=1000. This can result in a “permission denied” warning when attempting to access the socket. By examining the socket permissions on the host, we can see that it runs under UID=0 and GUI=1001 (Docker), as revealed by executing the stat /var/run/docker.sock command:

$ stat /var/run/docker.sock
  File: /var/run/docker.sock
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 17h/23d Inode: 22031       Links: 1
Access: (0660/srw-rw----)  Uid: (    0/    root)   Gid: ( 1001/  docker)
Access: 2021-02-04 14:03:26.650000000 +0200
Modify: 2021-02-04 14:03:26.650000000 +0200
Change: 2021-02-04 14:03:26.650000000 +0200
 Birth: -

This technical issue can create security vulnerabilities and instability in the system, so it’s essential to take the necessary steps to address it.

To automatically retrieve the GID, you can run the following command:

$ stat /var/run/docker.sock | awk '{print $9}' | sed -E '/^$/d' | tr -d '/'

As we mount the Unix socket docker from the host to the container file system, the Docker engine inherits the host permissions to the container. However, this creates a permission denied warning when the user Jenkins (UID=1000 and GUI=1000) attempts to connect. This technical issue can pose security risks and impact system stability, which is why it’s crucial to take appropriate steps to resolve it.


To resolve this issue, we can create a Dockerfile that removes the pre-existing Jenkins user and recreates it with the desired permissions. We can then add the user “jenkins” to the Docker User Group and delete the shadow package to reduce the image size. The complete Linux Alpine Dockerfile is provided below.

FROM jenkins/jenkins:lts-alpine

USER root

ARG DOCKER_HOST_GID=1001 #Replace with your own docker.sock GID


RUN set -eux \
&& apk --no-cache update \
&& apk --no-cache upgrade --available \
&& apk --no-cache add shadow \
&& apk --no-cache add docker curl --repository \
&& deluser --remove-home jenkins \
&& addgroup -S jenkins -g $DOCKER_HOST_GID \
&& adduser -S -G jenkins -u $DOCKER_HOST_GID jenkins \
&& usermod -aG docker jenkins \
&& apk del shadow

USER jenkins

In the Dockerfile, we set the DOCKER_HOST_GID as an environment variable with the default setting of 1001, which is the same as the GID of the Docker User on the Host Machine. By using a Docker-Compose file with a .env file, we can modify this setting automatically without any additional intervention. This approach helps to mitigate security risks and ensure system stability when running Dockerized Jenkins.

Docker-Compose File

The relevant Docker-Compose.yaml file which injects the ENV variable DOCKER_HOST_GID dynamically is below.

version: '3.3'

    image: jenkins_master
    container_name: jenkins_master
    hostname: jenkins_master
    restart: unless-stopped
      - docker.env
      context: .
    cpus: 2
    mem_limit: 1024m
    mem_reservation: 800M
      - 8090:8080
      - 50010:50000
      - 2375:2376
      - ./jenkins_data:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
      - default

  jenkins_data: {}
    driver: bridge

And the actual env file docker.env holding our variables.

DOCKER_HOST_GID=1001 #Replace with your own docker.sock GID

The only thing that you need to do is to recreate the image with the command:

$ docker build . -t your-image-tag 

Or even easier would be to just use the Docker-Compose file above that already contains the build command (The image will only build if it doesn’t exist).

$ docker-compose up -d

For the time being, the variables are correctly updated. However, to modify the permissions of the mounted socket, we must elevate our permissions to root and then de-escalate back to the Jenkins user. This means that building the image yourself is necessary to ensure that it functions correctly with your own $DOCKER_HOST_GID variable. By doing so, we can enhance the security and stability of the system while running Dockerized Jenkins.

The same code can be found also on Github.

External resources for further reading:

The resources below provide detailed information on Docker and Jenkins security, best practices, and Dockerfile usage. They can be useful in understanding how to configure and secure Jenkins in a Docker environment.

  1. Docker Security:
  2. Jenkins Documentation:
  3. Dockerizing Jenkins:
  4. Jenkins Security Best Practices:
  5. Dockerfile reference: