I run a QNAP TS-453a at home running Container Station on it. Suddenly multiple containers got some sort of error about "Permission Denied".
For example postgres\postgres returns:
error: exec failed: permission denied
nodered/node-red docker returns: exec ./entrypoint.sh: permission denied. And this continues in different forms for a total of 20 containers. Basically every container returns permission errors on the docker-entrypoint. I shared my docker.sock with 3 containers to maintain it: HomeAssistant, WatchTower and Portainer.
What I tried:
Recreate the container from scratch
Checked the permissions on the shared volumes
Reinstalled Container Station/Docker
Restart the QNAP NAS
sudo chmod 666 /var/run/docker.sock
Related
I am doing docker-outside-of-docker, so I mount the host's /var/run/docker.sock into the container via bind-mount.
Now the user and group within the container differ from the one on the host, although they are supposed to be the same.
Container:
ls -lna /var/run/docker.sock
srwxr-xr-x 1 0 0 0 Sep 2 21:30 /var/run/docker.sock
^- owner
^-group
Host:
lrwxr-xr-x 1 0 1 74 2 Sep 23:30 /var/run/docker.sock -> /Users/(...)/docker.sock
^- owner
^-group
As the container is running with a non-root user, and I cannot get the groups to align, this results in a permission denied error when trying to execute docker commands.
$ docker --version
Docker version 20.10.5, build 55c4c88
Solution
Via an entrypoint script, I set the needed permission on container startup.
chown root:docker /var/run/docker.sock
chmod g+w /var/run/docker.sock
It requires that the container starts as root, and only after setting the permission changes to the jenkins user.
This solution works independent of the gRPC FUSE setting of Docker Desktop/Docker for Mac.
Dead Ends
I gave up to solve the permission question with a bind-mount. Because:
Turns out, I overlooked that the host's /var/run/docker.sock is a symbolic link. I thought, due to that symbolic link, the permissions are not transferred as expected. But I could not find documentation about it, only hints
When bind-mounting the link target directly, when running a docker command I get
Error response from daemon: Mounts denied: approving /Users/(...)/docker.sock: file does not exist
Presumably because the file is a socket link (see ls' long format).
Turns out, this appears to be caused by the gRPC FUSE file sharing setting of my Docker Desktop. Disabling it made the error go away, and the socket link docker.sock gets mounted with the container user as owner and group automatically.
However, exeuting e.g. docker image ls inside the container results in an unexplainable error now:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
We're running DBT in Airflow on a GCP Compute Engine using Docker and docker-compose. In the docker-compose.yml file for our Airflow deployment, the DBT repo is attached as a volume:
webserver:
...
volumes:
- ../our-dbt-repo:/usr/local/airflow/dbt
Running dbt-run usually generates a /logs directory with DBT logs. However, running dbt-run from the docker container on the GCP machine is throwing the error [Errno 13] Permission denied: 'logs'.
To test permissions, I ran docker exec -it <DockerContainerID> bash from the command line of the GCP machine (while the docker container is running) to get into the running docker container, and ran cd /usr/local/airflow/dbt/ && touch file.txt, and received the error: touch: cannot touch 'file.txt': Permission denied. So it seems clear that no files can be added to the /dbt folder that was added as a volume in the Docker Container, which is why the logs cannot get written.
Is there a way to give our /dbt volume permissions to write logs? Perhaps we can write DBT logs somewhere else (not in the container on the GCP server), that way there are no writes required in the /dbt volume on the container?
I have access to a server by ssh with docker version 1.13.1 and I'm
just trying to load a local image using docker load -i
and I'm receiving this error message:
docker load -i docker.img
Error processing tar file(exit status 1): permission denied
And by the way:
docker image import docker.img
Error response from daemon: ApplyLayer exit status 1 stdout: stderr: permission denied
The img file has all the permissions:
> ls -l
> -rwxrwxrwx 1 myuser myuser 9278464 Mar 22 19:12 docker.img*
And docker seems to work rigth:
> docker images
> REPOSITORY TAG IMAGE ID CREATED SIZE
The image works perfectly fine in my local machine...
Any idea about what can be happening here ? The host is running ubuntu 16.04, i was looking for an answer about 1 hour...
=======
I could figure it out, the problem was that I was accessing a proxmox container
not fully virtualized, so, docker requires kernel capabilities that I had not. I searched for the correct proxmox configuration and I solve the issue.
You are trying to execute docker commands as which user?, Standard account or as root user?
Note that the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.
If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.
First, check if docker group exists on your server. If not, then add it
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated
I am trying to setup remote host configuration for docker. After setting up certificates i ran dockerd command which is giving error:
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
>>> unable to configure the Docker daemon with file /etc/docker/daemon.json: open /etc/docker/daemon.json: permission denied
I am running from non root user and I've already added my user as part of Docker group. Docker version i am using is:
Docker version 17.12.0-ce, build c97c6d6
I have tried below but still getting same error:
1. the /etc/docker/daemon.json file is having {}
2. I also removed the /etc/docker/daemon.json
3. I also changed ownership but same issue.
Permissions of daemon.json were: -rw-r--r--
The dockerd daemon must be run as root. It is creating networking namespaces, mounting filesystems, and other tasks that cannot be done with a user account. You'll need to run these commands with something like sudo.
The docker socket (/var/run/docker.sock) is configured to allow the docker client to access the api by users in the docker group. This is the client, not the daemon, so you can't get away with running the daemon as a user.
When issuing the docker log <container> command, I am getting the following error:
[root#Infra-1 ~]# docker logs gitlab-redis
chmod: changing permissions of '/var/lib/redis': Permission denied
gitlab-redis is a container that has exited.
In fact, the directory does not exist at all:
[root#Infra-1 ~]# ls /var/lib/redis
ls: cannot access /var/lib/redis: No such file or directory
I suppose that docker log is looking in the wrong location. Could it possibly have been misconfigured? Where should I check?
I think docker logs is working, the output of the logs is chmod: changing permissions of '/var/lib/redis': Permission denied.
/var/lib/redis is inside the container, not on the host.