Docker permission denied for open /etc/docker/daemon.json: permission denied - docker

I am trying to setup remote host configuration for docker. After setting up certificates i ran dockerd command which is giving error:
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
>>> unable to configure the Docker daemon with file /etc/docker/daemon.json: open /etc/docker/daemon.json: permission denied
I am running from non root user and I've already added my user as part of Docker group. Docker version i am using is:
Docker version 17.12.0-ce, build c97c6d6
I have tried below but still getting same error:
1. the /etc/docker/daemon.json file is having {}
2. I also removed the /etc/docker/daemon.json
3. I also changed ownership but same issue.
Permissions of daemon.json were: -rw-r--r--

The dockerd daemon must be run as root. It is creating networking namespaces, mounting filesystems, and other tasks that cannot be done with a user account. You'll need to run these commands with something like sudo.
The docker socket (/var/run/docker.sock) is configured to allow the docker client to access the api by users in the docker group. This is the client, not the daemon, so you can't get away with running the daemon as a user.

Related

Cannot configure docker in intelliji

I have installed Docker on my Pop OS according to the official tutorial (I also created a docker user group and added myself to it). In IntelliJ Idea I am getting:
Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running? No such file or directory.
systemctl status docker shows that docker.service is active.
My permissions:
ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Feb 28 09:05 /var/run/docker.sock
You need to :
Add your $user to the docker group:
sudo usermod -aG docker $USER
Log out, and then log back in.
Docker configuration settings:
Unix socket: This is the recommended connection option for Linux.
note
If you get permission denied errors, add the current user to the docker group on the machine, log out, and then log back in. The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
I've solved the issue by re-installing Intellij. My version was from the pop-os application store and causes the problem, but the interesting fact - other things work as expected. So the version from the JetBrains toolbox did the trick.

Why do owner and group of /var/run/docker.sock differ between host and container?

I am doing docker-outside-of-docker, so I mount the host's /var/run/docker.sock into the container via bind-mount.
Now the user and group within the container differ from the one on the host, although they are supposed to be the same.
Container:
ls -lna /var/run/docker.sock
srwxr-xr-x 1 0 0 0 Sep 2 21:30 /var/run/docker.sock
^- owner
^-group
Host:
lrwxr-xr-x 1 0 1 74 2 Sep 23:30 /var/run/docker.sock -> /Users/(...)/docker.sock
^- owner
^-group
As the container is running with a non-root user, and I cannot get the groups to align, this results in a permission denied error when trying to execute docker commands.
$ docker --version
Docker version 20.10.5, build 55c4c88
Solution
Via an entrypoint script, I set the needed permission on container startup.
chown root:docker /var/run/docker.sock
chmod g+w /var/run/docker.sock
It requires that the container starts as root, and only after setting the permission changes to the jenkins user.
This solution works independent of the gRPC FUSE setting of Docker Desktop/Docker for Mac.
Dead Ends
I gave up to solve the permission question with a bind-mount. Because:
Turns out, I overlooked that the host's /var/run/docker.sock is a symbolic link. I thought, due to that symbolic link, the permissions are not transferred as expected. But I could not find documentation about it, only hints
When bind-mounting the link target directly, when running a docker command I get
Error response from daemon: Mounts denied: approving /Users/(...)/docker.sock: file does not exist
Presumably because the file is a socket link (see ls' long format).
Turns out, this appears to be caused by the gRPC FUSE file sharing setting of my Docker Desktop. Disabling it made the error go away, and the socket link docker.sock gets mounted with the container user as owner and group automatically.
However, exeuting e.g. docker image ls inside the container results in an unexplainable error now:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Docker connect to remote daemon via ssh - Permission denied (publickey)

I have a problem with connecting to my remote(DigitalOcean) docker engine. What I've done is
Made a droplet with Docker 19.03.12 on Ubuntu 20.04.
Made a new user myuser and add to docker group on the remote host.
Made a .ssh/authorized_keys for the new user it's home and set the permissions, owner etc.
Restarted both ssh and docker services.
Result
I can ssh from my Mac notebook to my remote host with myuser. (when I run ssh keychain asks for the passphrase for the id_rsa.key.)
After I logged in to remote host via ssh I can run docker ps, docker info without any problem.
Problem
Before I make a new context for the remote engine, I tried to run some docker command from my local client on my Mac laptop. Interesting part for me is none of the commands below asks for the id_rsa passphrase)
docker -H ssh://myuser#droplet_ip ps -> Error
DOCKER_HOST=ssh://myuser#droplet_ip docker ps -> Error
Error
docker -H ssh://myuser#droplet_ip ps
error during connect: Get http://docker/v1.40/containers/json: command [ssh -l myuser -- droplet_ip docker system dial-stdio] has exited with exit status 255, please make sure the URL is valid, and Docker 18.09 or later is installed on the remote host: stderr=myuser#droplet_ip: Permission denied (publickey).
What step I missed? How can I connect to a remote docker engine?
It sounds like Docker may not allow ssh to prompt for a key passphrase when connecting. The easiest solution is probably to load your key into an ssh-agent, so that Docker will be able to use the key without requesting a password.
If you want to add your default key (~/.ssh/id_rsa) you can just run:
ssh-add
You can add specific keys by providing a path to the key:
ssh-add ~/.ssh/id_rsa_special
Most modern desktop environments run an ssh-agent process by default.

Docker loading local images permission denied while processing tar file

I have access to a server by ssh with docker version 1.13.1 and I'm
just trying to load a local image using docker load -i
and I'm receiving this error message:
docker load -i docker.img
Error processing tar file(exit status 1): permission denied
And by the way:
docker image import docker.img
Error response from daemon: ApplyLayer exit status 1 stdout: stderr: permission denied
The img file has all the permissions:
> ls -l
> -rwxrwxrwx 1 myuser myuser 9278464 Mar 22 19:12 docker.img*
And docker seems to work rigth:
> docker images
> REPOSITORY TAG IMAGE ID CREATED SIZE
The image works perfectly fine in my local machine...
Any idea about what can be happening here ? The host is running ubuntu 16.04, i was looking for an answer about 1 hour...
=======
I could figure it out, the problem was that I was accessing a proxmox container
not fully virtualized, so, docker requires kernel capabilities that I had not. I searched for the correct proxmox configuration and I solve the issue.
You are trying to execute docker commands as which user?, Standard account or as root user?
Note that the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.
If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.
First, check if docker group exists on your server. If not, then add it
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated

Docker error permission denied and where do the images end up after pull?

I have two questions.
1) I get an error when I run:
karl#karl-laptop:~o docker pull node
2015/04/29 01:39:41 Post http:///var/run/docker.sock/images/create?fromImage=banode&tag=: dial unix /var/run/docker.sock: permission denied
2) When I pull down images, where are they located?
The permission error could be due to the Docker socket being owned by root and thus either you have to use sudo or following the instructions in this link to Create a docker group
For the default docker storage driver, aufs, the images are found in /var/lib/docker/aufs/diff/, assuming the Root Dir for Docker is /var/lib/docker/aufs. You can find this out by running docker info.
Add yourself to the docker group by running
sudo usermod -a -G docker $USER
and log out and back in

Resources