connecting to docker socket inside container with different user than root is broken after updating to 4.19 #13447

Closed
3 tasks done
szaimen opened this issue May 1, 2023 · 33 comments

Comments

@szaimen

szaimen commented May 1, 2023

  • I have tried with the latest version of Docker Desktop
  • I have tried disabling enabled experimental features
  • I have uploaded Diagnostics
  • Diagnostics ID: C857ED5F-7E60-421A-ADEE-29B71A07CE6A/20230501125903

Actual behavior

After updating Docker Desktop on Windows to v4.19, connecting to a bind-mounted tcp unix socket inside a container that runs as an unprivileged (non-root user) process is broken. Connecting to the socket as root user inside the container still works, but it apparently broke due to the update because it also worked with the unprivileged user before the update.

Expected behavior

It should be possible to connect to the socket even as non-root user if read permissions are set correctly.

Information

  • Windows Version: Windows 11 Pro 22H2
  • Docker Desktop Version: 4.19
  • WSL2 or Hyper-V backend? WSL2
  • Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

Steps to reproduce the behavior

  1. Update to Docker Desktop 4.19 on Windows
  2. run via command prompt:
# docker info works with root user
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli docker info
Output
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 23.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.15.90.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.682GiB
 Name: docker-desktop
 ID: 98271cca-a380-4fa6-8246-56d88c255a12
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Experimental: true
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
# docker info does not work with different user even though it has read access to the socket
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli sh -c "apk add shadow sudo && ls -l /var/run/docker.sock && adduser -D -S www-data -G www-data && sudo -u www-data docker info"
Output
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/3) Installing linux-pam (1.5.2-r1)
(2/3) Installing shadow (4.13-r0)
(3/3) Installing sudo (1.9.12_p2-r1)
Executing busybox-1.35.0-r29.trigger
OK: 17 MiB in 25 packages
srwxr-xr-x    1 root     root             0 May  1 12:49 /var/run/docker.sock
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
ERROR: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": dial unix /var/run/docker.sock: connect: permission denied
errors pretty printing info
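
The `ls -l` line in the report can be checked against the kernel's rule for Unix sockets with the sketch below, an added example that is not part of the original report or of Docker's code. It relies on the fact that Linux requires write permission on the socket file for `connect()`; the function names `can_connect` and `check_socket` and the uid/gid values 100/101 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On Linux, connect() to a pathname
# Unix socket needs WRITE permission on the socket file; read is not enough.
# Assumes plain mode bits only: no ACLs, LSM policy or user namespaces.

# can_connect MODE SOCK_UID SOCK_GID USER_UID "USER_GIDS"
# MODE is octal (e.g. 755); USER_GIDS is a space-separated gid list.
# Prints the reason; returns 0 if connect() is permitted, 1 if denied.
can_connect() {
    mode=$1 s_uid=$2 s_gid=$3 u_uid=$4 u_gids=$5
    # uid 0 normally holds CAP_DAC_OVERRIDE and skips the mode check
    if [ "$u_uid" -eq 0 ]; then
        echo "allowed: uid 0 bypasses file permissions"
        return 0
    fi
    # keep the three permission digits: owner, group, other
    perms=$(printf '%03o' "$((0$mode & 0777))")

    # the kernel uses the FIRST matching class only: owner, group, other
    if [ "$u_uid" -eq "$s_uid" ]; then
        class=owner digit=${perms%??}
    else
        class=other digit=${perms#??}
        for g in $u_gids; do
            if [ "$g" -eq "$s_gid" ]; then
                class=group digit=${perms#?}
                digit=${digit%?}
            fi
        done
    fi

    if [ "$((digit & 2))" -ne 0 ]; then
        echo "allowed: $class class has the write bit (mode $perms)"
        return 0
    fi
    echo "denied: $class class lacks the write bit (mode $perms)"
    return 1
}

# Live check for the current user (stat -c works in GNU and BusyBox stat).
check_socket() {
    [ -S "$1" ] || { echo "not a socket: $1"; return 2; }
    set -- $(stat -c '%a %u %g' "$1")
    can_connect "$1" "$2" "$3" "$(id -u)" "$(id -G)"
}

# Constructed uid/gid 100/101 against the reported "srwxr-xr-x root root".
can_connect 755 0 0 100 "101" || true
```

Inside the container, `check_socket /var/run/docker.sock` run as the unprivileged user applies the same rule to the live socket.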
@djs55

djs55 commented May 2, 2023

@szaimen thanks for your report. I suspect this is the same as docker/for-mac#6823 . Could you check

  • the ownership and permissions you're seeing on the /var/run/docker.sock inside the container
  • the versions of both Docker Desktop and the docker:cli image which work and which don't? So far I've not found a combination of those which works with a non-root user. I'm not sure whether it's a change in Docker or in the docker:cli image. Could you show me the ownership and permissions of the socket in a combination which works?

@szaimen
Author

szaimen commented May 2, 2023

@szaimen thanks for your report. I suspect this is the same as docker/for-mac#6823 .

Yes, this looks like the same issue.

  • the ownership and permissions you're seeing on the /var/run/docker.sock inside the container

The ownership is fine. The socket is readable by the user. (see the output of ls -l in the second command above).

  • the versions of both Docker Desktop and the docker:cli image which work and which don't? So far I've not found a combination of those which works with a non-root user. I'm not sure whether it's a change in Docker or in the docker:cli image. Could you show me the ownership and permissions of the socket in a combination which works?

It worked in my testing fine with Docker Desktop 4.18 in combination with the same docker:cli image docker:23.0.5-cli. I would also give it another try but I am not sure how to get back to Docker Desktop 4.18 now that I upgraded to 4.19.

@jeffrozica

I created another issue for this, but having a similar issue. Here are my notes on this.

Docker desktop version 4.19.0 broke my -v /var/run/docker.sock.raw /var/run/docker.sock. About 2 years ago, this solved my docker socket permission denied error (See below).... It was working fine up through version 4.18, but after the v4.19 upgrade, it broke again. Getting this error again. Had to revert back to version 4.18. Same issue on Windows and Mac versions.

"""
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied
"""

Again, no issues until I went to docker desktop version 4.19 and it's the same issue on MAC and WINDOWS. The docker.sock.raw was the only viable option for me to fix this.

@jeffrozica

NOTE REGARDING GOING BACK TO PRIOR DOCKER DESKTOP VERSION: At least on the MAC, to revert back to version 4.18, I just manually downloaded it and reinstalled. It asked me to overlap my prior version and that worked. Did not lose any images, settings, etc. Not sure on Windows, if you can do that, but you can try. If just reinstalling on top of existing version doesn't work, you have to uninstall 4.19 and reinstall 4.18 from scratch, but then you have to set up everything again and redo your docker images.

@vbode

vbode commented May 2, 2023

I am running into the same issue on Windows.

@FlattusBlastus

Please prioritize this fix.

@nerlins

nerlins commented May 10, 2023

OMFG. Somebody in docker respond to this and help us...

@bobloadmire

how are you guys downgrading docker desktop on windows? installer just says installation up to date, and exits. if they are going to release alpha code in stable we need options to downgrade.

@vbode

vbode commented May 13, 2023

I use chocolatey to manage my installed software. It also allows you to easily downgrade docker desktop.

@briantho

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

@jctace

jctace commented May 30, 2023

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

Yes still an issue with 4.20

@nerlins

nerlins commented May 30, 2023

Why is this still an issue in another release? Are the people at Docker even looking into this problem? This doesn't seem like a bug but an intentional change and they're not speaking up about it.

Here's a thought. For $5 a month someone could actually purchase official support for Docker Desktop through Docker themselves. I'm wondering if anyone is paying for this support and what would be the response to the problem then?

@racineda

Adding my +1 one here. Glad I'm not alone.

@josemahj

josemahj commented Jun 2, 2023

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

could explain how to downgrade?

@vbode

vbode commented Jun 2, 2023

@djs55 Is this issue on the radar at Docker? This seems to be affecting a lot of folks.

@jeffrozica

@djs55 Is this issue on the radar at Docker? This seems to be affecting a lot of folks.

I just upgraded to version 4.20 and the problem still exists in this version. Reverted back to version 4.18. This is not acceptable and should be fixed. Are the folks that support docker even listening to us?

@FlattusBlastus

FlattusBlastus commented Jun 5, 2023 via email

@briantho

briantho commented Jun 6, 2023

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

could explain how to downgrade?

uninstall 4.20. Install 4.18 from here
Be sure you do a backup before you uninstall. I personally used the local .tar image method to backup and restore.

Unfortunately this bug completely breaks nextcloud aio, and so far the only way I've found that actually fixes it is to downgrade to 4.18. I hope the devs fix this someday...

@nerlins

nerlins commented Jun 20, 2023

Still broken, and no replies from Docker. Who do we direct our issue to? This current issue is either being ignored or not noticed.

@nester43

I hope this is fixed soon. I'm stuck on 4.18.

@MihaelaStoica

Thanks for reporting the issue and apologies for the delay in addressing it. We have identified the problem and will include a fix in the next Docker Desktop release.

@jeffrozica

Thanks for reporting the issue and apologies for the delay in addressing it. We have identified the problem and will include a fix in the next Docker Desktop release.

Any estimation as to when that will be? Few days, weeks or months?

@MihaelaStoica

Any estimation as to when that will be? Few days, weeks or months?

@jeffrozica It will hopefully be by the end of next week

@lorenrh
Member

lorenrh commented Jul 3, 2023

We have released Docker desktop 4.21.1, containing a fix for this issue, please see https://docs.docker.com/desktop/release-notes/

@lorenrh lorenrh closed this as completed Jul 3, 2023
@nerlins

nerlins commented Jul 3, 2023

We have released Docker desktop 4.21.1, containing a fix for this issue, please see https://docs.docker.com/desktop/release-notes/

Did you actually test this with a container that needs to log into the socket as non-root, like Nextcloud, because I don't want to be the guinea pig, and neither does anyone else. We received no information from Docker regarding this issue for two months. Not a single one of you came here to ease our concerns. Now, there is a magic fix, and you don't even describe what you did to fix it.

I'm sure you can forgive me for being completely untrusting of your organization now.

@bobloadmire

We have released Docker desktop 4.21.1, containing a fix for this issue, please see https://docs.docker.com/desktop/release-notes/

Did you actually test this with a container that needs to log into the socket as non-root, like Nextcloud, because I don't want to be the guinea pig, and neither does anyone else. We received no information from Docker regarding this issue for two months. Not a single one of you came here to ease our concerns. Now, there is a magic fix, and you don't even describe what you did to fix it.

I'm sure you can forgive me for being completely untrusting of your organization now.

Lol same, I ain't touching this update considering the history

@vbode

vbode commented Jul 5, 2023

I just tested 4.21.1 and in my situation it looks like the issue is fixed. The user with permissions on the docker socket in my container works.

@nester43

nester43 commented Jul 5, 2023

I just tested 4.21.1 and in my situation it looks like the issue is fixed. The user with permissions on the docker socket in my container works.

That was awesome of you. What version of nextcloud did you test with? Thanks!

@vbode

vbode commented Jul 6, 2023

@nester43 I don't use nextcloud, this was an issue for me when running containers in Docker Desktop on Windows, but not anymore.

@controversy187

I'm new to Nextcloud and tried the AIO on Docker 4.19 on Windows, and the errors I got led me to this thread. I tried again today after updating to 4.21.1 and it seems to be working fine.

@nester43

I'm new to Nextcloud and tried the AIO on Docker 4.19 on Windows, and the errors I got led me to this thread. I tried again today after updating to 4.21.1 and it seems to be working fine.

That's extremely encouraging and thank you for sharing. What version of Nextcloud are you running? I'm still nervous as restoring a backup on previous docker version would take a long time given we have a few TBs in Nextcloud.

@controversy187

I believe that I was running version 27. IIRC, the AIO had a default of 26 selected, but I opted for 27.

@behinder85

I'm new to Nextcloud and tried the AIO on Docker 4.19 on Windows, and the errors I got led me to this thread. I tried again today after updating to 4.21.1 and it seems to be working fine.

That's extremely encouraging and thank you for sharing. What version of Nextcloud are you running? I'm still nervous as restoring a backup on previous docker version would take a long time given we have a few TBs in Nextcloud.

I successfully deployed AIO using 4.22.1, and it is usable.
The "Cannot connect to the docker socket. Cannot proceed." error no longer appears.
