Docker loading local images permission denied while processing tar file - docker

I have access to a server by ssh with docker version 1.13.1 and I'm
just trying to load a local image using docker load -i
and I'm receiving this error message:
docker load -i docker.img
Error processing tar file(exit status 1): permission denied
And by the way:
docker image import docker.img
Error response from daemon: ApplyLayer exit status 1 stdout: stderr: permission denied
The img file has all the permissions:
> ls -l
> -rwxrwxrwx 1 myuser myuser 9278464 Mar 22 19:12 docker.img*
And docker seems to work rigth:
> docker images
> REPOSITORY TAG IMAGE ID CREATED SIZE
The image works perfectly fine in my local machine...
Any idea about what can be happening here ? The host is running ubuntu 16.04, i was looking for an answer about 1 hour...
=======

I could figure it out, the problem was that I was accessing a proxmox container
not fully virtualized, so, docker requires kernel capabilities that I had not. I searched for the correct proxmox configuration and I solve the issue.

You are trying to execute docker commands as which user?, Standard account or as root user?
Note that the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.
If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.
First, check if docker group exists on your server. If not, then add it
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated

Related

Cannot configure docker in intelliji

I have installed Docker on my Pop OS according to the official tutorial (I also created a docker user group and added myself to it). In IntelliJ Idea I am getting:
Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running? No such file or directory.
systemctl status docker shows that docker.service is active.
My permissions:
ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Feb 28 09:05 /var/run/docker.sock
You need to :
Add your $user to the docker group:
sudo usermod -aG docker $USER
Log out, and then log back in.
Docker configuration settings:
Unix socket: This is the recommended connection option for Linux.
note
If you get permission denied errors, add the current user to the docker group on the machine, log out, and then log back in. The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
I've solved the issue by re-installing Intellij. My version was from the pop-os application store and causes the problem, but the interesting fact - other things work as expected. So the version from the JetBrains toolbox did the trick.

Why do owner and group of /var/run/docker.sock differ between host and container?

I am doing docker-outside-of-docker, so I mount the host's /var/run/docker.sock into the container via bind-mount.
Now the user and group within the container differ from the one on the host, although they are supposed to be the same.
Container:
ls -lna /var/run/docker.sock
srwxr-xr-x 1 0 0 0 Sep 2 21:30 /var/run/docker.sock
^- owner
^-group
Host:
lrwxr-xr-x 1 0 1 74 2 Sep 23:30 /var/run/docker.sock -> /Users/(...)/docker.sock
^- owner
^-group
As the container is running with a non-root user, and I cannot get the groups to align, this results in a permission denied error when trying to execute docker commands.
$ docker --version
Docker version 20.10.5, build 55c4c88
Solution
Via an entrypoint script, I set the needed permission on container startup.
chown root:docker /var/run/docker.sock
chmod g+w /var/run/docker.sock
It requires that the container starts as root, and only after setting the permission changes to the jenkins user.
This solution works independent of the gRPC FUSE setting of Docker Desktop/Docker for Mac.
Dead Ends
I gave up to solve the permission question with a bind-mount. Because:
Turns out, I overlooked that the host's /var/run/docker.sock is a symbolic link. I thought, due to that symbolic link, the permissions are not transferred as expected. But I could not find documentation about it, only hints
When bind-mounting the link target directly, when running a docker command I get
Error response from daemon: Mounts denied: approving /Users/(...)/docker.sock: file does not exist
Presumably because the file is a socket link (see ls' long format).
Turns out, this appears to be caused by the gRPC FUSE file sharing setting of my Docker Desktop. Disabling it made the error go away, and the socket link docker.sock gets mounted with the container user as owner and group automatically.
However, exeuting e.g. docker image ls inside the container results in an unexplainable error now:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Switch to Docker Root User

I am working on Docker and before i execute any command on Docker CLI , I need to switch to root used using the command
sudo su - root
Can anyone please tell me why we need to switch to root user to perform any operation on Docker Engine?
you don't need to switch to root for docker cli commands and it is common to add your user to the docker group
sudo groupadd docker
sudo usermod -aG docker $USER
see: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
the reason why docker is run as root:
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
Using docker commands, you can trivially get root-level access to any part of the host filesystem. The very most basic example is
docker run --rm -v /:/host busybox cat /host/etc/shadow
which will get you a file of encrypted passwords that you can crack offline at your leisure; but if I wanted to actually take over the machine I'd just write my own line into /host/etc/passwd and /host/etc/shadow creating an alternate uid-0 user with no password and go to town.
Docker doesn't really have any way to limit what docker commands you can run or what files or volumes you can mount. So if you can run any docker command at all, you have unrestricted root access to the host. Putting it behind sudo is appropriate.
The other important corollary to this is that using the dockerd -H option to make the Docker socket network-accessible is asking for your system to get remotely rooted. Google "Docker cryptojacking" for some more details and prominent real-life examples.

Docker permission denied for open /etc/docker/daemon.json: permission denied

I am trying to setup remote host configuration for docker. After setting up certificates i ran dockerd command which is giving error:
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
>>> unable to configure the Docker daemon with file /etc/docker/daemon.json: open /etc/docker/daemon.json: permission denied
I am running from non root user and I've already added my user as part of Docker group. Docker version i am using is:
Docker version 17.12.0-ce, build c97c6d6
I have tried below but still getting same error:
1. the /etc/docker/daemon.json file is having {}
2. I also removed the /etc/docker/daemon.json
3. I also changed ownership but same issue.
Permissions of daemon.json were: -rw-r--r--
The dockerd daemon must be run as root. It is creating networking namespaces, mounting filesystems, and other tasks that cannot be done with a user account. You'll need to run these commands with something like sudo.
The docker socket (/var/run/docker.sock) is configured to allow the docker client to access the api by users in the docker group. This is the client, not the daemon, so you can't get away with running the daemon as a user.

Docker error permission denied and where do the images end up after pull?

I have two questions.
1) I get an error when I run:
karl#karl-laptop:~o docker pull node
2015/04/29 01:39:41 Post http:///var/run/docker.sock/images/create?fromImage=banode&tag=: dial unix /var/run/docker.sock: permission denied
2) When I pull down images, where are they located?
The permission error could be due to the Docker socket being owned by root and thus either you have to use sudo or following the instructions in this link to Create a docker group
For the default docker storage driver, aufs, the images are found in /var/lib/docker/aufs/diff/, assuming the Root Dir for Docker is /var/lib/docker/aufs. You can find this out by running docker info.
Add yourself to the docker group by running
sudo usermod -a -G docker $USER
and log out and back in

Resources