From 5c083f020b24026535f742fda11d61972c921359 Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Thu, 7 Mar 2019 10:11:55 +0000
Subject: [PATCH 1/2] Workaround Docker socket permissions
/var/run/docker.sock is mounted from the host into the docker node. Since Jenkins runs as a non-privileged user the Jenkins user must be a member of the docker group, and the docker group ID inside the node must match that of the host. Therefore run.sh is changes the GID of the docker group inside the node
---
 docker/Dockerfile | 5 +++--
 docker/run.sh | 10 +++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 1a505db5..a44ce736 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -14,9 +14,10 @@ RUN yum -y install docker-ce
 # Change user id to fix permissions issues
 ARG USER_ID=1000
-RUN usermod -u $USER_ID omero
+RUN usermod -u $USER_ID -aG docker omero
 COPY run.sh /tmp/run.sh
 RUN chmod a+x /tmp/run.sh
-USER omero
+# Start as root so docker permissions can be fixed
+# Drop to omero in startup script
 CMD ["/tmp/run.sh"]
diff --git a/docker/run.sh b/docker/run.sh
index 76a7de69..76b5b2e7 100644
--- a/docker/run.sh
+++ b/docker/run.sh
@@ -1,3 +1,11 @@
 #!/bin/bash
-/tmp/jenkins-slave.sh
+set -eu
+set -x
+
+# Adjust docker permissions
+# https://github.com/jenkinsci/docker/issues/263#issuecomment-217955379
+sudo groupmod -g $(stat -c %g /var/run/docker.sock) docker
+sudo usermod -aG docker omero
+
+exec sudo -iu omero env SLAVE_PARAMS="$SLAVE_PARAMS" SLAVE_EXECUTORS="$SLAVE_EXECUTORS" SLAVE_NAME="$SLAVE_NAME" JENKINS_MASTER="$JENKINS_MASTER" /tmp/jenkins-slave.sh
From 40e8e77932688abbc0a4b712d20939c88498ea48 Mon Sep 17 00:00:00 2001
From: Simon Li
Date: Thu, 7 Mar 2019 12:16:21 +0000
Subject: [PATCH 2/2] Docker node workspace needs to be shared
---
 docker-compose.yml | 4 ++++
 docker-workspace/.gitignore | 1 +
 docker/run.sh | 3 +++
 3 files changed, 8 insertions(+)
 create mode 100644 docker-workspace/.gitignore
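Review bot: In docker/Dockerfile the added `-aG docker omero` is a privilege grant that the new comments do not mention: with the host's /var/run/docker.sock mounted into the node, docker group membership lets the omero account, and so any Jenkins job scheduled on this node, drive the host daemon, which is generally equivalent to root on the host. I would state that next to the change, e.g. `# NOTE: docker group + host docker.sock is root-equivalent on the host; schedule only trusted jobs on this node`. Removing `USER omero` also means the image now starts as root and relies entirely on run.sh to drop to omero, so anything that overrides CMD runs as root; the two added comment lines could say that explicitly.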
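Review bot: In docker/run.sh `set -x` is still active when the final `exec sudo -iu omero env SLAVE_PARAMS=... JENKINS_MASTER=...` line runs, so the expanded values are written to the container log on every start and are also visible on the `env` command line. Nothing secret is visible in this patch, but if SLAVE_PARAMS ever carries agent credentials they would leak that way; adding `set +x` directly before the `exec` line avoids it. Separately, the unquoted `$(stat -c %g /var/run/docker.sock)` is expanded inline, so a missing socket surfaces only as a confusing groupmod error; `gid=$(stat -c %g /var/run/docker.sock)` followed by `sudo groupmod -g "$gid" docker` fails at the stat under `set -e` and keeps the argument quoted.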
diff --git a/docker-compose.yml b/docker-compose.yml
index 759707dd..9d219754 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -158,6 +158,10 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock
 - ${REPO_CURATED}:${REPO_CURATED}:ro
 - ${REPO_CONFIG}:${REPO_CONFIG}:ro
+ # docker plugin requires a shared workspace
+ # docker-in-docker can't share an internal workspace so we need
+ # an external volume
+ - ./docker-workspace:/home/omero/workspace
 environment:
 - SLAVE_NAME=docker
 - SLAVE_PARAMS=-labels docker -disableClientsUniqueId -executors ${DOCKER_EXECUTORS}
diff --git a/docker-workspace/.gitignore b/docker-workspace/.gitignore
new file mode 100644
index 00000000..355164c1
--- /dev/null
+++ b/docker-workspace/.gitignore
@@ -0,0 +1 @@
+*/
diff --git a/docker/run.sh b/docker/run.sh
index 76b5b2e7..bcec5520 100644
--- a/docker/run.sh
+++ b/docker/run.sh
@@ -7,5 +7,8 @@ set -x
 # https://github.com/jenkinsci/docker/issues/263#issuecomment-217955379
 sudo groupmod -g $(stat -c %g /var/run/docker.sock) docker
 sudo usermod -aG docker omero
+# This is mounted from outside, so you may need to fix permissions
+# https://support.cloudbees.com/hc/en-us/articles/360000304932-Pipeline-jobs-fail-to-run-in-a-Docker-in-Docker-step
+#sudo chown omero /home/omero/workspace
 exec sudo -iu omero env SLAVE_PARAMS="$SLAVE_PARAMS" SLAVE_EXECUTORS="$SLAVE_EXECUTORS" SLAVE_NAME="$SLAVE_NAME" JENKINS_MASTER="$JENKINS_MASTER" /tmp/jenkins-slave.sh
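Review bot: The added comment in docker-compose.yml describes the setup as docker-in-docker, but the context line just above it mounts the host's /var/run/docker.sock, so containers started by jobs are siblings on the host daemon rather than nested ones. The distinction matters to anyone reasoning about isolation, because `./docker-workspace` is a writable host directory that is presumably shared with every container the docker plugin starts. I would reword the comment along the lines of `# jobs start sibling containers on the host daemon via docker.sock; the workspace must be a host-backed volume so they can share it`. The service definition begins and ends outside this hunk.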
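Review bot: In docker/run.sh the ownership fix for /home/omero/workspace is left as the commented-out `#sudo chown omero /home/omero/workspace`, so when the bind-mounted host directory is not writable by omero the node still starts and jobs only fail later. A startup check before the `exec` line would surface that early, for instance `sudo -u omero test -w /home/omero/workspace || { echo "workspace not writable by omero" >&2; exit 1; }`. If the chown is enabled instead, the comment should note that it also changes ownership of the directory on the host, since this is a bind mount.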