for-win
Permission denied while trying to connect to Docker socket inside container after updating to 4.28.0
Description
I used to be able to use Docker from within a Docker container by mounting the host socket with:
-v /var/run/docker.sock:/var/run/docker.sock
and adding the host group docker with:
--group-add docker
On the host, the group docker has permission to connect to the Docker socket:
$ ll /var/run/docker.sock
srw-rw---- 1 root docker 0 Mar 12 10:51 /var/run/docker.sock=
However, within a Docker container I get the following after updating to 4.28.0:
$ ll /var/run/docker.sock
srw-rw---- 1 root root 0 Mar 12 14:51 /var/run/docker.sock=
This results in the following error:
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version": dial unix /var/run/docker.sock: connect: permission denied
Reproduce
Create a file named Dockerfile with the following content:
FROM ubuntu:23.04
RUN apt-get update \
&& apt-get -y install ca-certificates curl gnupg
RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
&& echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu/ lunar stable" | tee /etc/apt/sources.list.d/docker.list
RUN apt-get update \
&& apt-get -y install docker-ce-cli
RUN groupadd --gid 1001 docker
Build the Docker image:
$ docker build .
Run the Docker image:
$ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock --group-add docker -u ubuntu <image>
Run the following command from within the Docker container:
$ docker version
Expected behavior
No response
docker version
Client:
Cloud integration: v1.0.35+desktop.11
Version: 25.0.3
API version: 1.44
Go version: go1.21.6
Git commit: 4debf41
Built: Tue Feb 6 21:13:00 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Desktop
Engine:
Version: 25.0.3
API version: 1.44 (minimum version 1.24)
Go version: go1.21.6
Git commit: f417435
Built: Tue Feb 6 21:14:25 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.28
GitCommit: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Version: 25.0.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.12.1-desktop.4
Path: /usr/local/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.24.6-desktop.1
Path: /usr/local/lib/docker/cli-plugins/docker-compose
debug: Get a shell into any image or container. (Docker Inc.)
Version: 0.0.24
Path: /usr/local/lib/docker/cli-plugins/docker-debug
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.0
Path: /usr/local/lib/docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.22
Path: /usr/local/lib/docker/cli-plugins/docker-extension
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.4
Path: /usr/local/lib/docker/cli-plugins/docker-feedback
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.0.1
Path: /usr/local/lib/docker/cli-plugins/docker-init
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /usr/local/lib/docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.5.0
Path: /usr/local/lib/docker/cli-plugins/docker-scout
WARNING: Plugin "/usr/local/lib/docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /usr/local/lib/docker/cli-plugins/docker-scan: no such file or directory
Server:
Containers: 21
Running: 6
Paused: 0
Stopped: 15
Images: 15
Server Version: 25.0.3
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
Kernel Version: 5.15.146.1-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 15.46GiB
Name: docker-desktop
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile
Diagnostics ID
n/a
Additional Info
No response
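An added diagnostic (not from the issue, and not Docker's own tooling) that applies the standard Unix owner/group/other permission check to the mode, owner and group that stat reports for the mounted socket, so a process inside the container can see which class it falls into and why --group-add docker does nothing when the socket's gid is 0; the uids and gids in the comments are assumed, not taken from the page.

```shell
#!/bin/sh
# Added diagnostic for the "permission denied" on a bind-mounted docker.sock.
# Unix grants access by exactly one class: owner bits if the uid matches,
# otherwise group bits if ANY supplementary gid matches the file's gid,
# otherwise "other" bits. --group-add docker only helps in the second case,
# and only when the socket's gid (as seen in the container) equals the gid
# that the name "docker" resolves to in the container's /etc/group.

# perm_verdict MODE OWNER_UID FILE_GID PROC_UID "PROC_GIDS"
# MODE is octal as printed by `stat -c %a` (3 or 4 digits).
# Prints CLASS:ACCESS, e.g. "group:rw" or "other:none".
perm_verdict() {
  mode=$1; owner=$2; fgid=$3; uid=$4; gids=$5
  # keep the last three octal digits (drop setuid/setgid/sticky if present)
  mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
  if [ "$uid" = "$owner" ]; then
    class=owner; bits=$(printf '%s' "$mode" | cut -c1)
  else
    class=other; bits=$(printf '%s' "$mode" | cut -c3)
    for g in $gids; do
      if [ "$g" = "$fgid" ]; then
        class=group; bits=$(printf '%s' "$mode" | cut -c2); break
      fi
    done
  fi
  case $bits in
    6|7) access=rw ;;
    4|5) access=ro ;;
    2|3) access=wo ;;
    *)   access=none ;;
  esac
  printf '%s:%s\n' "$class" "$access"
}

# socket_access_verdict PATH PROC_UID "PROC_GIDS"
# Reads mode/owner/gid with GNU stat (Linux containers) and reports the verdict.
# Run inside the container as the user that will talk to the daemon, e.g.:
#   socket_access_verdict /var/run/docker.sock "$(id -u)" "$(id -G)"
socket_access_verdict() {
  set -- "$1" "$2" "$3" $(stat -c '%a %u %g' "$1")
  perm_verdict "$4" "$5" "$6" "$2" "$3"
}

# Constructed illustration (assumed uid 1000 for "ubuntu", gid 1001 for "docker"):
# socket root:root 660 as seen on Desktop 4.28.0 -> other:none (denied)
perm_verdict 660 0 0 1000 "1000 1001"
# socket root:1001 660 as seen on a plain Linux host -> group:rw (allowed)
perm_verdict 660 0 1001 1000 "1000 1001"
```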
I have the same problem with version 4.28.0 (139021): the mounted /var/run/docker.sock has the wrong group name root instead of docker. Also, I tried to change the file permission to rw-rw-rw-, but it still results in rw-rw---- in the container.
Below is the simple test result:
Test on Docker Desktop Windows (WSL2 backend)
$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu:jammy /bin/bash
# ls -lh /var/run/docker.sock
# srw-rw---- 1 root root 0 Mar 17 11:10 /var/run/docker.sock <- group is root
$ ls -lh /var/run/docker.sock
# srw-rw---- 1 root docker 0 Mar 17 19:11 /var/run/docker.sock
$ cat /etc/group | grep docker
# docker:x:1001:gary,coder
Output of docker info:
Server:
Containers: 17
Running: 5
Paused: 0
Stopped: 12
Images: 58
Server Version: 25.0.3
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 nvidia runc
Default Runtime: runc
Init Binary: docker-init
containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
Kernel Version: 5.15.146.1-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 15.59GiB
Name: docker-desktop
ID: e82f575f-b7cd-4036-88f7-7b39898923c8
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
192.168.0.100:5000
192.168.0.206:32000
127.0.0.0/8
Live Restore Enabled: false
For comparison purposes, I also performed the same test on a Linux virtual machine with the generic docker.
Test on Docker Linux (VMWare virtual machine)
$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu:jammy /bin/bash
# ls -lh /var/run/docker.sock
# srw-rw---- 1 root 1001 0 Mar 17 01:44 /var/run/docker.sock <- group is 1001 (docker in host)
$ ls -lh /var/run/docker.sock
# srw-rw---- 1 root docker 0 Mar 17 09:44 /var/run/docker.sock
$ cat /etc/group | grep docker
# docker:x:1001:gary,coder
Output of docker info:
Server:
Containers: 4
Running: 3
Paused: 0
Stopped: 1
Images: 6
Server Version: 24.0.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
runc version:
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 5.15.0-100-generic
Operating System: Ubuntu Core 22
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.54GiB
Name: ubuntu-server
ID: 27db9eb6-45b1-4618-9c5f-b7a3f808ec19
Docker Root Dir: /var/snap/docker/common/var-lib-docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Same problem here, temp fix is to reset the ownership inside the container:
sudo chown root:docker /var/run/docker.sock
(This assumes the container has the docker group definition as the host machine)
Unfortunately, if the docker host is restarted the fix needs to be re-applied.
The recent Docker Desktop updates related to mounting docker.sock are the Docker socket mount restrictions for Enhanced Container Isolation, which is a Business feature. Docker socket mount restrictions limit containers from accessing the Docker engine via the mounted /var/run/docker.sock.
Docker Desktop release notes
4.29.0
- Docker socket mount restrictions with ECI is now generally available.
4.28.0
- Added support for Enhanced Container Isolation Docker socket mount permission on WSL user distros.
4.27.2
- Fixed an issue with the engine socket permissions when mounted inside containers. Fixes docker/for-win#13898
4.27.0
- Organization admins can now configure Docker socket mount permissions when ECI is enabled.
I suspect that the Business feature's code base also influences the free Personal tier, where this feature is not enabled at all.
I come from 4.27.2 - everything works fine. Upgraded to 4.29.0. Now it's broken for me.
After upgrading to 4.30.0 (149282), the problem is resolved.