circleci-cli icon indicating copy to clipboard operation
circleci-cli copied to clipboard

Published 20 hours ago verified publisher icon CircleCI-Public

circleci local execute error: permission denied while trying to connect to the Docker daemon socket

Open kbakk opened this issue 5 years ago • 7 comments

  • [x] I have read Contribution Guidelines.
  • [x] I have checked for similar issues and haven't found anything relevant.
  • [x] This is not a security issue (which should be reported here: https://circleci.com/security/)

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

Have a minimalistic repo:

% find . -type f
./.circleci/config.yml

% cat ./.circleci/config.yml
version: 2
jobs:
  build:
    docker:
      - image: circleci/python:3.7
    steps:
      - setup_remote_docker
      - run: docker run busybox sleep 60

Running this locally results in the following output with error:

% circleci local execute
Docker image digest: sha256:8f7aa2f671ed787514041bd4d57d8ec327a401f3eb62582cf5839931554d908b
====>> Spin up Environment
Build-agent version 1.0.9585-ef8d05c0 (2019-03-22T14:05:33+0000)
Docker Engine Version: 18.09.2
Kernel Version: Linux 096d67c84f2a 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 Linux
Starting container circleci/python:3.7
  using image circleci/python@sha256:6125d74bbc627072380c53ab3ae7df1cc86cc2b835dce7e0de7c38df2c67e681

Using build environment variables
  BASH_ENV=/tmp/.bash_env-localbuild-1553522629
  CI=true
  CIRCLECI=true
  CIRCLE_BRANCH=
  CIRCLE_BUILD_NUM=
  CIRCLE_JOB=build
  CIRCLE_NODE_INDEX=0
  CIRCLE_NODE_TOTAL=1
  CIRCLE_REPOSITORY_URL=
  CIRCLE_SHA1=
  CIRCLE_SHELL_ENV=/tmp/.bash_env-localbuild-1553522629
  CIRCLE_WORKING_DIRECTORY=~/project

====>> Setup a remote Docker engine
Using local docker engine bind-mounted
====>> docker run busybox sleep 60
  #!/bin/bash -eo pipefail
docker run busybox sleep 60
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
Error: Exited with code 126
Step failed
Error: runner failed (exited with 101)
Task failed
Error: task failed

What is the expected behavior?

Expect task to succeed, with the busybox command creating and running a container.

Which version of the CLI and OS are you using? Did this work in previous versions?

% circleci version && circleci diagnostic
0.1.4786+bad101f

---
CircleCI CLI Diagnostics
---
Debugger mode: false
Config found: /Users/kristofferb/.circleci/cli.yml
API host: https://circleci.com
API endpoint: graphql-unstable
OK, got a token.
Trying an introspection query on API...
Ok.
Hello, Kristoffer Bakkejord.

If you have any questions, feel free to ping us at @CircleCI-Public/dx-clients.

kbakk avatar Mar 25 '19 14:03 kbakk

Can you run Docker containers at all? You may need to run circleci as a user with permission to use Docker on your system (or grant permission to use Docker to your current user). Try adding yourself to the docker group, log out and in again, then try the circleci command.

exarkun avatar Apr 03 '19 13:04 exarkun

@exarkun I'm running this on my MacOS, with my own user - the issue isn't to start docker containers, the circleci command itself launches a container, which runs fine (I'm also able to run containers with docker run) - but to use docker commands inside the circleci container.

I have come across this workaround on stackoverflow.com, it let's me work around the issue. However, I believe this should be addressed on the circleci client.

kbakk avatar Apr 04 '19 15:04 kbakk

Logged as CIRCLE-25053

marcomorain avatar Mar 10 '20 14:03 marcomorain

Experiencing the same on a local environment with circleci cli 0.1.7868+fa5217e (release).

A workaround for me was to use docker executor with the root user:

test-executor:
    docker:
      - image: cimg/go:1.13
        user: root

davidmontoyago avatar May 26 '20 17:05 davidmontoyago

@davidmontoyago where in my yaml do I put that? I put it at the top level and it didn't do anything.

SeanHayes avatar Jul 22 '20 02:07 SeanHayes

I just tried your workaround @davidmontoyago thanks!

@SeanHayes if you're still wondering, this goes in your circleci yaml next to the docker image your job is running in. Here's a screenshot of the first few lines of my "build" job: image

It wasn't obvious to me either where to put this 😺

steinnes avatar Nov 11 '20 22:11 steinnes

Maybe too late for the party, but the user: root workaround brings too many problems for me, so I figured out we an use SUID to become root only when running docker commands:

commands:
  # Only used for local jobs docker execution
  setup_local_docker:
    steps:
      - run:
          name: Use sudo docker in local builds
          command: |
            if [[ $CIRCLE_SHELL_ENV == *"localbuild"* ]]; then
              sudo chmod u+s $(which docker)
            fi

jobs:
  test:
    steps:
      - setup_remote_docker
      - setup_local_docker
      - ...

ceusebi-eb avatar Apr 26 '23 15:04 ceusebi-eb