Dependent pipeline can't use /var/run/docker.sock?

Using drone-server 1.7.0 and drone-runner-docker 1.2 set up via docker-compose like this:

---
version: "2"

services:

  drone-runner-docker:
    container_name: drone-runner-docker
    environment:
      DRONE_RPC_HOST: drone-server
      DRONE_RPC_PROTO: http
      DRONE_RPC_SECRET: 1234
      DRONE_RUNNER_CAPACITY: 3
    image: drone/drone-runner-docker:1.2
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  drone-server:
    container_name: drone-server
    environment:
      DRONE_AGENTS_ENABLED: "true"
      DRONE_GITEA_SERVER: https://mygitea.com
      DRONE_GIT_ALWAYS_AUTH: "true"
      DRONE_GITEA_CLIENT_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      DRONE_GITEA_CLIENT_SECRET: abcde
      DRONE_RPC_SECRET: 1234
      DRONE_SERVER_HOST: mydrone.com
      DRONE_SERVER_PROTO: https
      DRONE_USER_CREATE: "username:me,admin:true"
      DRONE_WEBHOOK_SKIP_VERIFY: "true"
    image: drone/drone:1.7.0
    ports:
      - "127.0.0.1:8080:80"
    restart: always
    volumes:
      - drone-server-config:/data

volumes:

  drone-server-config:

I have a drone.yml that looks like this:

---
kind: pipeline
name: Build

steps:
  - name: Build image
    image: docker
    commands:
      - docker build -t bachya/nginx-geoip:$DRONE_COMMIT_SHA .
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock

  - name: Run scan
    image: aquasec/trivy:0.5.3
    commands:
      - "trivy \
         --exit-code 1 \
         --format json \
         --no-progress \
         bachya/nginx-geoip:$DRONE_COMMIT_SHA"

---
kind: pipeline
name: Cleanup

depends_on:
  - Build

steps:
  - name: Remove built image
    image: docker
    commands:
      - "docker rmi $(\
           docker images | grep $DRONE_COMMIT_SHA | tr -s ' ' | cut -d ' ' -f 3\
         )"
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock

volumes:
  - name: docker_sock
    host:
      path: /var/run/docker.sock

The Build image step of the Build pipeline fails with this stacktrace:

latest: Pulling from library/docker
Digest: sha256:afea2876df8334e5430d2427cfd37b39be2ee497db76d3651b2b14d97de4b562
Status: Image is up to date for docker:latest
+ docker build -t bachya/nginx-geoip:$DRONE_COMMIT_SHA .
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Incidentally, the Remove built image step of the Cleanup pipeline fails with something similar.

If I remove the Cleanup pipeline entirely:

---
kind: pipeline
name: Build

steps:
  - name: Build image
    image: docker
    commands:
      - docker build -t bachya/nginx-geoip:$DRONE_COMMIT_SHA .
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock

  - name: Run scan
    image: aquasec/trivy:0.5.3
    commands:
      - "trivy \
         --exit-code 1 \
         --format json \
         --no-progress \
         bachya/nginx-geoip:$DRONE_COMMIT_SHA"

# ---
# kind: pipeline
# name: Cleanup

# depends_on:
#   - Build

# steps:
#   - name: Remove built image
#     image: docker
#     commands:
#       - "docker rmi $(\
#            docker images | grep $DRONE_COMMIT_SHA | tr -s ' ' | cut -d ' ' -f 3\
#          )"
#     volumes:
#       - name: docker_sock
#         path: /var/run/docker.sock

volumes:
  - name: docker_sock
    host:
      path: /var/run/docker.sock

…the Build image step of the Build pipeline succeeds.

I’m guessing there’s a conflict with multiple pipelines trying to access the docker socket, but shouldn’t the depends_on directive in the Cleanup pipeline wait until the Build pipeline is done before attempting to capture resources?

EDIT: I changed the 2nd pipeline to be ultra simple:

---
kind: pipeline
name: Build

steps:
  - name: Build image
    image: docker
    commands:
      - docker build -t bachya/nginx-geoip:$DRONE_COMMIT_SHA .
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock

  - name: Run scan
    image: aquasec/trivy:0.5.3
    commands:
      - "trivy \
         --exit-code 1 \
         --format json \
         --no-progress \
         bachya/nginx-geoip:$DRONE_COMMIT_SHA"

---
kind: pipeline
name: Cleanup

depends_on:
  - Build

steps:
  - name: Test
    image: alpine:3.10.1
    commands:
      - ls

volumes:
  - name: docker_sock
    host:
      path: /var/run/docker.sock

…and still, the Build image step of the Build pipeline fails merely because of the presence of this 2nd pipeline.

EDIT 2: Oof, sorry – I didn’t realize that the volumes directive was unique to each pipeline. When I added it to both pipelines:

---
kind: pipeline
name: Build

steps:
  - name: Build image
    image: docker
    commands:
      - docker build -t bachya/nginx-geoip:$DRONE_COMMIT_SHA .
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock

  - name: Run scan
    image: aquasec/trivy:0.5.3
    commands:
      - "trivy \
         --exit-code 1 \
         --format json \
         --no-progress \
         bachya/nginx-geoip:$DRONE_COMMIT_SHA"

volumes:
  - name: docker_sock
    host:
      path: /var/run/docker.sock

---
kind: pipeline
name: Cleanup

depends_on:
  - Build

steps:
  - name: Remove built image
    image: docker
    commands:
      - "docker rmi $(\
           docker images | grep $DRONE_COMMIT_SHA | tr -s ' ' | cut -d ' ' -f 3\
         )"
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock

volumes:
  - name: docker_sock
    host:
      path: /var/run/docker.sock

…everything worked. 🙌


Thank you very much for sharing your process and solution. It helped me!

Cheers
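
An added example, not part of the original thread and not Drone's own tooling: a small Ruby lint for the point reached in EDIT 2, that every pipeline document must itself declare the volumes its steps mount. The sample YAML is constructed from the failing layout in the first EDIT, and `lint_drone_volumes` is a hypothetical helper name.

```ruby
require "yaml"

# Constructed sample: the failing layout from the first EDIT, trimmed to the
# fields the check reads. "Build" mounts docker_sock; only "Cleanup" declares it.
SAMPLE = <<~DRONE
  ---
  kind: pipeline
  name: Build
  steps:
    - name: Build image
      image: docker
      volumes:
        - name: docker_sock
          path: /var/run/docker.sock
  ---
  kind: pipeline
  name: Cleanup
  depends_on:
    - Build
  steps:
    - name: Test
      image: alpine:3.10.1
  volumes:
    - name: docker_sock
      host:
        path: /var/run/docker.sock
DRONE

# Hypothetical helper: one finding per problem, as
# [pipeline, step (nil for pipeline-level), volume, kind].
# load_stream does not restrict YAML tags, so feed it only your own config.
def lint_drone_volumes(text)
  findings = []
  YAML.load_stream(text).each do |doc|
    next unless doc.is_a?(Hash) && doc["kind"] == "pipeline"
    declared = (doc["volumes"] || []).map { |v| v["name"] }
    used = []
    (doc["steps"] || []).each do |step|
      (step["volumes"] || []).each do |mount|
        used << mount["name"]
        next if declared.include?(mount["name"])
        findings << [doc["name"], step["name"], mount["name"], :undeclared]
      end
    end
    (declared - used).each { |v| findings << [doc["name"], nil, v, :unused] }
  end
  findings
end

lint_drone_volumes(SAMPLE).each { |f| puts f.inspect }
```

An `:unused` finding next to an `:undeclared` one for the same volume name usually means the `volumes:` block landed under the wrong `---` document.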