+1, having the same issue.

Sorry, I hadn't seen this report earlier.

Are you still trying to use Docker-in-Docker with Jenkins?

If yes, I'd recommend to switch to a different mode: just start the Jenkins container with -v /var/run/docker.sock:/var/run/docker.sock so that it can access the Docker API from inside. That way you won't need Docker-in-Docker and everything will behave much better.

Hi , i had exact same issue, but from another docker thread, someone posted a really useful script to create a loopback device.
I add this script to my Dockerfile too, so after the container comes up with SSHD as PID 1 , and jenkins slave process (using swarm jar file) + docker daemon(which fails due to loopback mounting issue) as subsequent process run , i manually get inside the container and run the following script. After that, run the docker daemon again( remove /var/run/docker.pid if needed) and it worked :)

#!/bin/bash
ensure_loop(){
  num="$1"
  dev="/dev/loop$num"
  if test -b "$dev"; then
    echo "$dev is a usable loop device."
    return 0
  fi

  echo "Attempting to create $dev for docker ..."
  if ! mknod -m660 $dev b 7 $num; then
    echo "Failed to create $dev!" 1>&2
    return 3
  fi

  return 0
}

LOOP_A=$(losetup -f)
LOOP_A=${LOOP_A#/dev/loop}
LOOP_B=$(expr $LOOP_A + 1)

ensure_loop $LOOP_A
ensure_loop $LOOP_B

@jpetazzo with your solution of -v /var/run/docker.sock:/var/run/docker.sock i get this :

----- No docker socket bind mounted in, so lets attempt to wrap it DIND style ----
time="2015-06-18T14:03:42-07:00" level="info" msg="+job serveapi(tcp://0.0.0.0:2375, unix:///var/run/docker.sock)"
time="2015-06-18T14:03:42-07:00" level="info" msg="Listening for HTTP on tcp (0.0.0.0:2375)"
time="2015-06-18T14:03:42-07:00" level="info" msg="/!\\ DON'T BIND ON ANOTHER IP ADDRESS THAN 127.0.0.1 IF YOU DON'T KNOW WHAT YOU'RE DOING /!\\"
time="2015-06-18T14:03:42-07:00" level="info" msg="Listening for HTTP on unix (/var/run/docker.sock)"
device or resource busy
time="2015-06-18T14:03:42-07:00" level="info" msg="-job serveapi(tcp://0.0.0.0:2375, unix:///var/run/docker.sock) = ERR (1)"
time="2015-06-18T14:03:42-07:00" level="fatal" msg="device or resource busy"

are you saying we should not use wrapdocker script when using jenkins and just mount the /var/run/docker.sock , not sure how to proceed with your solution ://

Yes, just mount the socket, and then Jenkins can talk directly talk to it,
without using wrapdocker.

On Thu, Jun 18, 2015 at 2:12 PM, Imran Hayder notifications@github.com
wrote:

@jpetazzo https://github.com/jpetazzo with your solution of -v
/var/run/docker.sock:/var/run/docker.sock i get this :

----- No docker socket bind mounted in, so lets attempt to wrap it DIND style ----
time="2015-06-18T14:03:42-07:00" level="info" msg="+job serveapi(tcp://0.0.0.0:2375, unix:///var/run/docker.sock)"
time="2015-06-18T14:03:42-07:00" level="info" msg="Listening for HTTP on tcp (0.0.0.0:2375)"
time="2015-06-18T14:03:42-07:00" level="info" msg="/!\ DON'T BIND ON ANOTHER IP ADDRESS THAN 127.0.0.1 IF YOU DON'T KNOW WHAT YOU'RE DOING /!"
time="2015-06-18T14:03:42-07:00" level="info" msg="Listening for HTTP on unix (/var/run/docker.sock)"
device or resource busy
time="2015-06-18T14:03:42-07:00" level="info" msg="-job serveapi(tcp://0.0.0.0:2375, unix:///var/run/docker.sock) = ERR (1)"
time="2015-06-18T14:03:42-07:00" level="fatal" msg="device or resource busy"

are you saying we should not use wrapdocker script when using jenkins and
just mount the /var/run/docker.sock , not sure how to proceed with your
solution ://

—
Reply to this email directly or view it on GitHub
#66 (comment).

@jpetazzo https://twitter.com/jpetazzo
"Is it safe to run applications into containers?"
http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security

Hello all, I have the same kind of need : running Jenkins instances (slaves at first), with docker available.

The idead I want to achieve is to use docker's lightweight isolation to "lightly" isolate docker APIs :

• One slave has to be immutable to be dynamically started from the Jenkins master : Docker Jenkins Plugin seems perfect for that, maybe used with Jenkin's swarm plugin
• This slave has to enable docker commands (Jenkins docker plugin build step for example)
• I don't want a user to see what images or containers are ran by their neighbours on the Jenkins
• I don't need a "strong" isolation. If I have a blackhat, he can jump on another docker and steal all the thing, does not matter :)

So the socket sharing is not a solution for my case, and since I don't have acces to paltform that can be managed by docker-machine, I don't know which path to start with :

• Try to work on dind ?
• Study new stuff like RancherOS that achieve that for me, but make me change my base OS ?
• Use Jenkins to enforce this light isolation thru a plugin and docker namespacing ?
• Try to write a docker-machine provider to launch a docker engine inside an existing one ?
• Another idea ?

Just to let you know : jenkinsci/docker-custom-build-environment-plugin#22

After all that time, I finally could take a few hours to write a blog post about this:

http://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/

I'll close the issue here, thanks all!

@jpetazzo I read your article and I completely agree. Sibling containers is just fine and it keeps things much easier. With regards to your suggested solution, do you have it working? I tried making a jenkins slave using your suggestion using volumes for docker and docker.sock, but I am met with

docker: error while loading shared libraries: libdevmapper.so.1.02: cannot open shared object file: No such file or directory

Is that a artifact of my particular install, or is there more details than what was put into the article?

Right, that happened when switching to dynamic binaries...

There is now an official docker:dind image upstream! I invite you to test it, since it is actively maintained. Thank you!

@jpetazzo - thanks for the blog post! Very helpful :)
I also got the error @phillipgreenii mentioned... and fixed it by adding this to the docker run command:

-v /lib64/libdevmapper.so.1.02:/usr/lib/libdevmapper.so.1.02 \
-v /lib64/libsystemd-journal.so.0:/usr/lib/libsystemd-journal.so.0 \
-v /lib64/libsystemd-id128.so.0:/usr/lib/libsystemd-id128.so.0 \

I'm on redhat and installed docker with yum - how do I switch back to static binaries so I can remove those 3 volumes?

@mattfysh, I'd have two ideas:

1. If you're building a full-fledged container and need the Docker CLI in it, just install it with the normal package manager inside that container (yum, apt...) and it will take care of everything.
2. If you just need a simple container with Docker in it and not much else, use the docker:dind image.

HTH!

awesome, thanks @jpetazzo - will go with option #1 :)

I had a need to run a Jenkins CI slave w/ docker. I settled on following @jpetazzo advice and setup a Jenkins slave container that uses docker on the CoreOS host. The trick is getting the library path correct as the host docker dynamically searches for libs at run time inside the Jenkins slave container. Note, you'll have to tweak LD_LIBRARY_PATH relative to the OS in use for your container. Also, more then likely /var/run/docker.sock on the host is docker:docker. If the container user executing docker CLI is not root be sure to create a docker user in the image with same uid:gid as host and add the non-root user to group in Dockerfile.

jenkins-slave-docker:
  build: .
  restart: always
  container_name: jenkins-slave-docker
  environment:
     - LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:/opt/lib64
  ports:
     - 0.0.0.0:49255:22
  volumes:
     - /var/run/docker.sock:/var/run/docker.sock
     - /usr/bin/docker:/usr/bin/docker
     - /usr/lib64/:/opt/lib64/

@ghost your suggestion worked for me.