
Regression in file sharing /var/run/docker.sock permissions in releases after v2.3 #5072

Closed
2 tasks done
leighmcculloch opened this issue Nov 16, 2020 · 8 comments

Comments

@leighmcculloch

leighmcculloch commented Nov 16, 2020

  • I have tried with the latest version of my channel (Stable or Edge)
  • I have uploaded Diagnostics
  • Diagnostics ID: C73521FC-7E76-4207-90CD-BBA843533B07/20201116202322

Expected behavior

Mounting the /var/run/docker.sock into a container, where the container's user has the docker group, should allow that user to run docker commands against the host's docker daemon. This was possible with Docker for Mac v2.3.

Actual behavior

After upgrading to Docker for Mac v2.5.0.1 interacting with the host's /var/run/docker.sock requires sudo / root.

Information

  • macOS Version: Big Sur

Diagnostic logs

See diagnostic ID above.

Steps to reproduce the behavior

Using this Dockerfile:

FROM debian:buster

RUN apt-get update
RUN apt-get -y install sudo

# Docker CLI only (client); the daemon is the host's, reached via the mounted socket.
RUN apt-get -y install apt-transport-https ca-certificates curl gnupg2 software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
RUN apt-get update
# zsh is installed because chsh below sets it as the user's login shell.
RUN apt-get -y install docker-ce-cli zsh

# Unprivileged user with passwordless sudo, added to a "docker" group.
# groupadd picks the next free GID here; it is not tied to the GID of the
# socket that will later be bind-mounted in.
ENV USER=theuser
RUN adduser --home /home/$USER --disabled-password --gecos GECOS $USER \
  && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
  && chmod 0440 /etc/sudoers.d/$USER \
  && groupadd docker \
  && usermod -aG docker $USER \
  && chsh -s /bin/zsh $USER
USER $USER
ENV HOME=/home/$USER

Build the image:

docker build -t test .

Run a container and mount the /var/run/docker.sock into the container:

docker run -i -t -v="/var/run/docker.sock:/var/run/docker.sock" test

You should be at a console as theuser. That user should be in the docker group. In v2.3 that user would be able to issue commands like docker ps, but with v2.5 the user sees the following error. The error can be overcome by elevating the user with sudo, but that was not required for v2.3.

theuser@98278c383bfd:/$ groups
theuser docker

theuser@98278c383bfd:/$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied

theuser@98278c383bfd:/$ sudo docker ps
CONTAINER ID        IMAGE                          COMMAND                  CREATED              STATUS              PORTS                  NAMES
98278c383bfd        test                           "bash"                   About a minute ago   Up About a minute                          eloquent_lovelace

Note: Disabling the GRPC Fuse for file sharing experimental feature appears to have no effect on the behavior above.

@leighmcculloch
Author

This setup is described in the Linux postinstall instructions, but no longer appears to work.
https://docs.docker.com/engine/install/linux-postinstall/

@leighmcculloch
Author

leighmcculloch commented Nov 17, 2020

It appears at some point the permissions on the docker.sock were changed from:
perms:srwxrwxr-x user:root group:docker
to:
perms:srwxr-xr-x user:root group:docker

The difference is that write permissions were removed from the docker group. Simply running the following command in a container fixes the issue:

$ sudo chmod g+w /var/run/docker.sock

@thaJeztah
Member

I think this may be a duplicate of #4755

@leighmcculloch
Author

I realize I'm also already doing this in my installation, so it looks like there are a couple of things that need addressing with docker-for-mac. Maybe this has never been officially supported on docker-for-mac.

$ sudo chgrp docker /var/run/docker.sock

@leighmcculloch
Author

This is my total work around:

$ sudo chgrp docker /var/run/docker.sock
$ sudo chmod g+w /var/run/docker.sock

Ref: https://github.com/leighmcculloch/devenv/blob/0dc3229/entrypoint.sh#L3-L5

@thaJeztah
Member

Bind-mounting the socket should be supported; it's worth noting though that Linux won't care about the name of the group, but will purely look at the numeric UID/GID for user and group, so if the groupadd docker in your container picks a different group-id, it may not work.
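Putting the workaround posted above (chgrp + chmod g+w on the socket) together with the point about numeric GIDs in the comment just above, here is an added example of an entrypoint helper; it is not code from the issue author, from Docker for Mac, or from the Docker docs. Instead of widening the socket's mode (which, because the socket is bind-mounted, changes the daemon-side socket for everyone, and anyone who can talk to that socket is root-equivalent on the host), it reads the GID that actually owns the socket, makes sure a group with exactly that GID exists inside the container, and adds the one user to it. It assumes it runs as root inside a Linux container with shadow-utils (groupadd/usermod) and GNU coreutils; the user name `theuser`, the `DOCKER_SOCK`, `DOCKER_USER` and `DOCKER_SOCK_APPLY` variables, and the function names are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the issue or from Docker for Mac): grant a container
# user access to a bind-mounted Docker socket by matching the *numeric* GID that
# owns it, rather than running chmod g+w on the socket.
# Assumptions: root inside a Linux container, shadow-utils, GNU coreutils.
set -eu

# Numeric GID owning a path. The kernel checks GIDs, not group names, so a
# "docker" group created by groupadd inside the image only helps when its GID
# happens to equal this number.
socket_gid() {
    stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"   # GNU stat, then BSD stat
}

# Succeeds when the group write bit is set (mode string position 6, e.g.
# srwxrw-r-x). Without it, matching the GID is not enough; that is the v2.5
# state reported in this issue, and it has to be fixed on the daemon side.
group_writable() {
    mode=$(stat -c '%A' "$1" 2>/dev/null || stat -f '%Sp' "$1")
    case $mode in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the commands needed so that user $3 can reach a socket owned by GID $2,
# consulting the /etc/group-style file $1. Nothing is executed here, so the
# plan can be reviewed or piped to sh. Returns 1 for GID 0: adding a user to
# the root group is not an acceptable fix.
plan_socket_access() {
    groupfile=$1; gid=$2; user=$3
    if [ "$gid" -eq 0 ]; then
        echo "socket is owned by GID 0; refusing to add $user to root" >&2
        return 1
    fi
    # Existing group that already has this GID, if any (first match wins).
    owner=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$groupfile")
    if [ -z "$owner" ]; then
        # No group owns the GID: create one named docker with exactly that GID.
        echo "groupadd -g $gid docker"
        owner=docker
    fi
    echo "usermod -aG $owner $user"
}

# Entrypoint behaviour: only act when a socket is actually mounted; print the
# plan by default and execute it only when DOCKER_SOCK_APPLY=1 (hypothetical
# variable for this example). DOCKER_USER defaults to the issue's "theuser".
sock=${DOCKER_SOCK:-/var/run/docker.sock}
if [ -S "$sock" ]; then
    gid=$(socket_gid "$sock")
    if ! group_writable "$sock"; then
        echo "warning: $sock lacks group write; GID matching alone will not help" >&2
    fi
    if [ "${DOCKER_SOCK_APPLY:-0}" = 1 ]; then
        plan_socket_access /etc/group "$gid" "${DOCKER_USER:-theuser}" | sh
    else
        plan_socket_access /etc/group "$gid" "${DOCKER_USER:-theuser}" || :
    fi
fi
```

Run it as root at the start of the container (before `su`/`gosu` to the unprivileged user) and then `exec` the real command. The plan-then-apply split is deliberate: a review of what the script intends to change costs nothing, and a refusal for GID 0 keeps the helper from papering over a daemon-side ownership problem by making the container user a member of root.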

@stephen-turner
Contributor

Thanks for the diagnosis, I agree it's a dupe, I'm going to close this copy in favour of #4755. We've raised the internal ticket up our backlog too.

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Dec 19, 2020