kamal 2: fixing docker user permission automatically on setup?
This issue has existed since Kamal 1.
ERROR (SSHKit::Command::Failed): Exception while executing on host 20.64.146.45: docker exit status: 1
docker stdout: Nothing written
docker stderr: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.47/images/create?fromImage=registry.gitlab.com%2Fcat-studio%2Fdemo_rails8_tailwind_auth%2Fraills-app&tag=aed00caeedff437959b8a1638346d1843680bdaa": dial unix /var/run/docker.sock: connect: permission denied
This is on a fresh setup.
We have to run something like:
azureuser@rails-8-demos:~$ sudo groupadd docker
sudo usermod -aG docker $USER
groupadd: group 'docker' already exists
If the team is OK with this, I can open a PR.
This is when you're using a non-root ssh user? Would be nice if that case didn't require anything special, yeah. Please do explore a PR.
Yes. Going to draft a PR!
The documentation notes that if we're using a non-root user, we need to manually bootstrap the server (https://kamal-deploy.org/docs/configuration/ssh/).
I looked into the codebase and came up with this pseudo-code approach:
https://github.com/basecamp/kamal/blob/e34031f70cf933384fe0467ade20d6653f3ea908/lib/kamal/cli/server.rb#L33-L35
After line 34
unless KAMAL.config.ssh.user == 'root'
  info "Adding User #{KAMAL.config.ssh.user} to group docker"
  execute *KAMAL.docker.add_group(KAMAL.config.ssh.user)
end
# lib/kamal/commands/docker.rb
def add_group(username)
  shell ["sudo usermod -aG docker #{username}"]
end
@nikhilbhatt Thanks! Do you want to create this PR?
@imWildCat Please go ahead, as you have already opened the issue and are working on it.
Probably better just to add another command sequence to docker.rb following the pattern of the superuser? method and run that on the servers.
def add_group
  [ '[ "${EUID:-$(id -u)}" -eq 0 ] || sudo usermod -aG docker "${USER:-$(id -un)}"' ]
end
Then add execute *KAMAL.docker.add_group after the install line in server.rb.
That's far easier to add to the existing Kamal::Commands::Docker tests than anything conditional.
I hope you'll forgive me for butting in here and opening the PR to fix this.
Comments welcome.
No worries at all! I’ve been too busy in recent days. Apologies for the delay!
+1 -- either having it automated as part of kamal setup or a warning / log message at least would be nice!
Is there any progress with this?
I am facing the same issue. Is there any progress with this? Or a workaround?
You can run the groupadd command manually:
kamal server exec "sudo usermod -aG docker {{ USER }}"
Thanks @stanvanrooy for this solution. Seems better than SSH-ing into the VM 😅 still tho, why run the command manually when it could be run automatically ;)
We’ve been using a workaround that’s close to an automated solution and works reasonably well.
Our .kamal/hooks/docker-setup file looks like this:
#!/bin/sh
# Remove once https://github.com/basecamp/kamal/issues/980 is resolved
echo "Making docker command available to user '${USER}'..."
kamal server exec 'sudo usermod -a -G docker ${USER}' -d ${KAMAL_DESTINATION} -h ${KAMAL_HOSTS} 2>/dev/null
echo "Docker set up on $KAMAL_HOSTS..."
On a fresh host, the first run of kamal setup -d destination fails once with a permission error:
ERROR (SSHKit::Command::Failed): Exception while executing on host X.X.X.X: docker exit status: 1
docker stdout: Nothing written
docker stderr: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.49/images/create?fromImage=docker.io%2Fxxxxxxxx%2Fyyyyyyyyyy&tag=zzzzzzzzzzzzzzz": dial unix /var/run/docker.sock: connect: permission denied
However, re-running kamal setup -d destination immediately afterwards succeeds. This makes the workaround usable in the interim, but it would be ideal if Kamal handled adding the non-root SSH user to the docker group during setup.
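Added example, not part of the thread or of Kamal's code: a POSIX sh check that separates the states behind the `permission denied` error above. It distinguishes a user who is not in the `docker` group from one who is listed in `/etc/group` while the current session predates the change, since `usermod -aG` only applies to sessions started afterwards. The function names and the sample group file are hypothetical and constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and sample data are hypothetical (constructed).

# in_list WORD LIST SEP: succeeds only if WORD is an exact element of LIST.
in_list() {
    case "$3$2$3" in
        *"$3$1$3"*) return 0 ;;
    esac
    return 1
}

# group_members GROUP FILE: print field 4 (member list) of an /etc/group-format file.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4; exit }' "$2"
}

# docker_access_state USER UID GROUP_FILE SESSION_GROUPS
#   root    : UID 0, group membership is irrelevant
#   active  : this session already carries the docker group
#   relogin : listed in the group file, but this session predates the change
#   missing : not listed; `sudo usermod -aG docker USER` is still required
docker_access_state() {
    user=$1 uid=$2 file=$3 session=$4
    if [ "$uid" -eq 0 ]; then echo root; return; fi
    if in_list docker "$session" " "; then echo active; return; fi
    if in_list "$user" "$(group_members docker "$file")" ","; then
        echo relogin; return
    fi
    echo missing
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:
docker:x:998:azureuser,ci
dockerx:x:999:mallory
EOF
docker_access_state azureuser 1000 "$sample" "azureuser adm sudo"   # prints relogin
docker_access_state azureuser 1000 "$sample" "azureuser adm docker" # prints active
docker_access_state mallory 1001 "$sample" "mallory dockerx"        # prints missing
rm -f "$sample"

# On a live host (assumes id(1) and /etc/group):
#   docker_access_state "$(id -un)" "$(id -u)" /etc/group "$(id -Gn)"
```

A user whose primary group is `docker` does not appear in field 4 of the group file, so that case is only detected through the session groups.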