I mounted /var/run/docker.sock under the non-root user, and checked that the permission role was nobody. Why not the default root
The mount code is as follows
docker run -it --rm --entrypoint='' -v /var/run/docker.sock:/var/run/docker.sock controller:v1 bash
bash-5.0# ls /var/run/ -lh
total 0
srw-rw---- 1 nobody nobody 0 Feb 3 07:48 docker.sock
At this time, docker daemon cannot be connected by running docker command
bash-5.0# docker ps
Got permission denied while trying to connect to the Docker daemon socket at
unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/json:
dial unix /var/run/docker.sock: connect: permission denied
I have granted the non-root user Docker permission with sudo usermod-ag Docker your-user
I hope to use Docker CLI in docker container to perform some operations, such as Docker Run, Docker Ps, Docker images and so on
I would appreciate it if you could tell me how to solve it?
Related
I'm binding the current user and a volume to a container using the following command.
docker run --user="$(id -u):$(id -g)" -v /var/run/docker.sock:/var/run/docker.sock ...
When I try to call docker ps inside the container, I'm getting /var/run/docker.sock: connect: permission denied error. Because /var/run/docker.sock has root ownership in the host (therewithal in the container).
Is there any way to run the container as a user and access the host docker daemon inside the container using the same user?
I'm running Jenkins helm on GKE standard cluster with Container-Optimized OS with Docker (cos) image.
I'm running jenkins agent with docker installed and jenkins user added to docker group. I'm mounting /var/run/docker.sock as volume .. also tried t run with UID 1000.
-v /var/run/docker.sock:/var/run/docker.sock
But still getting dial unix /var/run/docker.sock: connect: permission denied ?! Any idea what I'm missing here ?
In addition to #again comment, below are possible reasons to look for regarding pemission denied error:
Docker is not installed on host
UID 1000 does not have permission to /var/run/docker.sock (try to chmod 777 the file temporarily and reduce permssion as needed)
Check Host and Container docker ID, must have the same UID
Also, you can refer on related links below for possible answers.
Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
Run Docker as jenkins-agent, in a docker-container, as non-root user
Use docker inside docker with jenkins user #263
docker.sock permission denied
I’ve just run Dockerfile in jenkins setup then I get the following error:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&session=2quv9npfhvxjco1lqvt8aea9h&shmsize=0&t=testfile&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied
.
..
Dockerfile
WebApp.war
SSH: EXEC: completed after 404 ms
SSH: Disconnecting configuration [Docker] ...
SSH: Transferred 1 file(s)
Finished: SUCCESS
docker.deamon tell us this:
The Docker daemon binds to a Unix socket instead of a TCP port. By
default that Unix socket is owned by the user root and other users can
only access it using sudo. The Docker daemon always runs as the root
user.
If you don’t want to preface the docker command with sudo, create a
Unix group called docker and add users to it. When the Docker daemon
starts, it creates a Unix socket accessible by members of the docker
group.
Check if the docker group already exists:
cat /etc/group | grep docker
if it doesn't, create with this command:
sudo groupadd docker
add the jenkins user to docker group:
sudo usermod -a -G docker jenkins-user
newgrp docker
Check if is it worked...
$ cat /etc/group | grep docker
docker:x:***:jenkins-user
Restart the jenkins
logout, and login again
Or you can just try run the docker with sudo.
After running:
brew cask install docker
UNIX socket file is not part of docker group in my mac laptop(docker host)
$ ls -l /var/run/docker.sock
lrwxr-xr-x 1 root daemon 70 12 Jan 08:19 /var/run/docker.sock -> /Users/user1/Library/Containers/com.docker.docker/Data/docker.sock
because docker group is not created
$ cat /etc/group | grep docker
$ uname -a
Darwin user1 18.7.0 Darwin Kernel Version 18.7.0: Sun Dec 1 18:59:03 PST 2019; root:xnu-4903.278.19~1/RELEASE_X86_64 x86_64
$
$ cat /etc/group | grep daemon
daemon:*:1:root
On ubuntu docker group name gets created, after installation of docker
Running jenkins docker container(as DIND), but cannot perform usermod -aG docker jenkins within Dockerfile.
Goal is to run docker client within jenkins container that can talk to docker daemon running on docker host, through UNIX socket file(/var/run/docker.sock).
Why installation of docker on mac does not create docker group?
How to resolve this problem?
Docker for Mac is just special like that. You can solve it few ways:
From least recommended to most recommended order:
Modify the permission of /var/run/docker.sock so that other groups can access the socket.
Give sudo access to the jenkins user
Use socat to expose the daemon on tcp socket instead.
From https://www.benjaminpack.com/blog/docker-jenkins-mac/
The socat process wraps /var/run/docker.sock on the host by way of a mounted volume and exposes it in a bi-directional fashion as a TCP server to Jenkins. All without giving Jenkins more permissions than it needs.
I'm facing the following problem: I created a Jenkins docker container, and linked the docker socket on the host, with the container. Like this:
docker run -v /var/run/docker.sock:/var/run/docker.sock -p 8080:8080 -p 50000:50000 -d --name jenkins --restart unless-stopped jenkins
Then when I try to create some jobs on jenkins I get the usual "permission denied" message:
Got permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock: Get
http://%2Fvar%2Frun%2Fdocker.sock/v1.29/images/json: dial unix
/var/run/docker.sock: connect: permission denied
But that problem doesn't happen if I attach to the container and run the command using the root user.
How can I fix this?
I can't add jenkins user to docker group on the host by running sudo gpasswd -a jenkins docker (because there is no jenkins user on the host, only in the container) and I also can't run this command inside the container (because the container doesn't know about any docker group). Any tips on how to solve this?
You can add the docker group inside the container. Do this in its bash:
groupadd -g <docker-group-id> docker
Find out the <docker-group-id> running this in the host:
ls -ln /var/run/docker.sock
Then add the jenkins user to the docker group:
gpasswd -a jenkins docker
Take into account any security issue that this could produce:
Warning: The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
Refer to the docs