meoww-

Reputation: 1892

Docker building docker images: User Permission/Host Questions

I just spun up a fresh Ubuntu instance, and I have installed Docker

docker --version reports: Docker version 1.7.1, build 786b29d

I then ran two commands to set up a CI/CD pipeline:

  1. docker run -d -t -p 8153:8153 gocd/gocd-server
  2. For the agent, I am starting it as follows:

docker run -d --privileged=true -ti -e GO_SERVER=<my_server_ip_address> -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):/bin/docker gocd/gocd-agent

Both containers are up and running as expected. docker ps reports the following:

25a7686b8653        gocd/gocd-server             "/sbin/my_init"        6 seconds ago       Up 5 seconds        0.0.0.0:8153->8153/tcp, 8154/tcp           
ec1ede694844        gocd/gocd-agent              "/sbin/my_init"        5 seconds ago       Up 5 seconds

When I access the gocd-agent, using the following command:

sudo docker exec -i -t ec1ede694844 bash

I am brought into the agent. Once inside, I can use commands like docker images without any issues.

The go-agent requires us to use a go user, so using the same terminal/container bash above, I type: su go

This brings me into the container as the go user (go@ec1ede694844).

When I try to use a command like docker images or docker ps, I get the following error message:

Get http:///var/run/docker.sock/v1.19/images/json: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?

The only command that works is the standard docker command, which gives me the list of possible docker commands that I can use. However, none of these commands work while using the go user.

Is there any way to pass permissions from the container down into a user account?

Or, is there any way for me to reset the docker.sock so that it will allow my go user to run commands like docker images?

Any help would be appreciated.

Thank you

Upvotes: 1

Views: 921

Answers (1)

larsks

Reputation: 311635

This error...

Get http:///var/run/docker.sock/v1.19/images/json: dial unix /var/run/docker.sock: 
permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?

Means that docker is unable to open the Unix socket, /var/run/docker.sock. Take a look at the permissions on that socket. They may allow only root access:

$ ls -l /var/run/docker.sock 
srw-------. 1 root root 0 Sep  1 15:08 /var/run/docker.sock

Or they may allow access to a particular group:

$ ls -l /var/run/docker.sock 
srw-rw----. 1 root dockerroot 0 Sep  1 15:08 /var/run/docker.sock

In either case, the go user inside your container does not have access to this socket. Ideally, you need to:

  • (a) make the socket group-writable on the host
  • (b) ensure that the go user in your container is a member of a group with a gid that matches the gid on the host

Alternately, just run everything in your container as root, which avoids this particular problem but potentially exposes security issues if you are running untrusted code inside your containers.

Upvotes: 1
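
The two conditions from the answer (socket mode and a matching numeric gid), as an added example that is not part of the original answer: a POSIX shell check of whether a user can open the socket for read and write. The uid/gid 1000 for go and gid 992 for dockerroot are constructed sample values, and check_socket is a hypothetical helper that assumes GNU stat.

```shell
#!/bin/sh
# Added example: classic Unix permission check (DAC only; SELinux or
# AppArmor policy is not considered) for a bind-mounted docker.sock.

# can_use_socket MODE OWNER_UID GROUP_GID USER_UID "USER_GIDS"
# Prints ok:<class> or denied:<class>; class is root, owner, group or other.
can_use_socket() {
    mode=$1; owner=$2; group=$3; uid=$4; gids=$5
    case ${#mode} in 1) mode=00$mode ;; 2) mode=0$mode ;; esac
    perms=${mode#"${mode%???}"}          # last three octal digits
    if [ "$uid" -eq 0 ]; then echo "ok:root"; return 0; fi
    if [ "$uid" -eq "$owner" ]; then
        class=owner; bits=${perms%??}
    else
        class=other; bits=${perms#??}
        for g in $gids; do
            # Only the numeric gid matters; group names can differ
            # between the host and the container.
            if [ "$g" -eq "$group" ]; then
                class=group; bits=${perms#?}; bits=${bits%?}
            fi
        done
    fi
    # Connecting to a Unix socket needs both read (4) and write (2).
    if [ $((bits & 6)) -eq 6 ]; then echo "ok:$class"; return 0; fi
    echo "denied:$class"; return 1
}

# Live check, run inside the container: check_socket USER [PATH]
check_socket() {
    sock=${2:-/var/run/docker.sock}
    st=$(stat -c '%a %u %g' "$sock") || return 2
    # shellcheck disable=SC2086  # word splitting of $st is intended
    can_use_socket $st "$(id -u "$1")" "$(id -G "$1")"
}

# Constructed cases mirroring the two ls -l outputs in the answer.
can_use_socket 600 0 0   1000 "1000"     || true  # srw------- root root
can_use_socket 660 0 992 1000 "1000"     || true  # go not in gid 992
can_use_socket 660 0 992 1000 "1000 992" || true  # go added to gid 992
```

Running `check_socket go` inside the agent container reports which permission class applies to the go user. Anyone who can write to this socket controls the host's Docker daemon, so limit the group to the CI account that needs it.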
