Michel Jung

Reputation: 3296

Portainer: Got permission denied while trying to connect to the Docker daemon socket

I'm on a fresh Fedora CoreOS which comes with Docker version 19.03.11.

My core user is in the docker group:

[core@localhost ~]$ groups
core adm wheel sudo systemd-journal docker

Following the deployment instructions for portainer, I create a new Portainer container like this (as core or root, it doesn't even matter):

$ docker volume create portainer_data
$ docker run -d -p 9000:9000 -p 8000:8000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer

And when I try to connect to the local daemon:

Permission denied while trying to connect to the Docker daemon socket

Permissions of /var/run/docker.sock:

[core@localhost ~]$ ll /var/run/docker.sock
srw-rw----. 1 root docker 0 Aug  2 10:02 /var/run/docker.sock

Even if I chmod o+rw /var/run/docker.sock it doesn't work. This indicates that the problem might be in the container itself so I tried to access it but I can't:

[core@localhost ~]$ docker exec -it portainer sh
OCI runtime exec failed: exec failed: container_linux.go:349: starting container process caused "exec: \"sh\": executable file not found in $PATH": unknown

All resources I found so far suggest adding the user to the docker group, which I did, rebooting the machine, which I did, or setting 666 on /var/run/docker.sock, which I did but prefer not to. Nothing helped.

Any idea what's wrong and how to fix it?

Upvotes: 6

Views: 15579

Answers (2)

VonC

Reputation: 1328602

If it is an SELinux issue, first try following portainer/portainer issue 849:

Correct way is to add :z to the volume mapping, so you're not defeating the purpose of docker.

Like so:

docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock:z portainer/portainer

Also we need a way to add the z or Z flag in Portainer for new containers. This has been a feature since 1.7 e.g. 2015 in Docker.

That, or using dpw/selinux-dockersock

Upvotes: 2

Michel Jung

Reputation: 3296

Thanks to MrPaperbag on the Portainer Discord I found out it's because of a restriction by SELinux.

Found the solution here: https://nanxiao.me/en/selinux-cause-permission-denied-issue-in-using-docker/

Either run docker run with --privileged, or set SELinux mode as permissive using setenforce 0. Probably there's a way to properly configure SELinux instead of just circumventing it, however, for my use case this is good enough.

Upvotes: 2
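As an added example (not code from the question, either answer, or the Portainer project), a small Python audit over constructed `docker inspect` output: it finds containers that bind-mount /var/run/docker.sock and reports whether they rely on the `:z` label from VonC's answer, on `--privileged`, or would hit the "permission denied" error on an Enforcing host. The `label=disable` security option is a real Docker flag, assumed here as the per-container counterpart of `setenforce 0`; the container names and JSON are constructed.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample of `docker inspect` output for two containers (not a real host):
# one started exactly as in the question (no label option), one with the :z fix.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/portainer",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "portainer_data:/data"],
                    "Privileged": False, "SecurityOpt": None}},
    {"Name": "/portainer-z",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock:z",
                              "portainer_data:/data"],
                    "Privileged": False, "SecurityOpt": None}},
])


def socket_bind_options(host_config):
    """Return the option list of the bind that mounts the Docker socket, or None."""
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        if parts[0] == DOCKER_SOCK:
            return parts[2].split(",") if len(parts) > 2 else []
    return None


def assess(container, enforcing=True):
    """Classify how a container reaches the socket on an SELinux host.

    "denied" is the question's situation: socket mounted, Enforcing, no label.
    """
    hc = container["HostConfig"]
    opts = socket_bind_options(hc)
    if opts is None:
        return "no-socket"
    if hc.get("Privileged"):
        return "privileged"          # works, but disables far more than needed
    if "label=disable" in (hc.get("SecurityOpt") or []):
        return "selinux-disabled"    # per-container counterpart of setenforce 0
    if "z" in opts or "Z" in opts:
        return "ok-labelled"         # least-privilege fix from the answers
    return "denied" if enforcing else "ok-permissive"


def audit(inspect_json, enforcing=True):
    """Map container name -> classification for a `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): assess(c, enforcing)
            for c in json.loads(inspect_json)}
```

Feed it `docker inspect $(docker ps -q)` on a real host; anything reported as "privileged" or "selinux-disabled" is a container that reaches the socket by widening its privileges rather than by relabelling the socket.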
