connecting to docker socket inside container with different user than root is broken after updating to 4.27 #13898
Comments
I am impacted by the same issue; it's preventing my nextcloud master container from starting after the update. Running windows 11, wsl2, docker desktop 4.27.1 and nextcloud aio 27.
Edit: restored my weekly system image, and my nightly nextcloud backup, working again but only because docker desktop is back to 4.26.1. nextcloud was actually v28, not v27.
Same issue here, upgrading to version 4.27.1 was a catastrophe; I'm having multiple issues. It seems to have messed up my WSL environment too. Same versions as the post above me.
Same issue. The drive has full permissions.
Hi @vbode, thanks for reporting the issue.
Looks like the Docker socket permission changed slightly in DD 4.27.1:
Write access is needed to use that socket. In 4.27.1 only the Note that if it was working before, the unprivileged user accessing that socket must have been a member of group
Thanks!
@vbode @DanielSadeh (and others affected): could you check if adding group write permission (but leaving the socket in group
If I change permissions to
and tried with 666 but am getting permission denied
Another update.
Hi folks, thanks again for reporting the issue in DD 4.27.1 and apologies for the inconvenience. We found the bug; the upcoming DD 4.27.2 patch release will fix the Docker socket permissions, similar to how they were in DD 4.26.1. Note however that just as in DD 4.26.1, the container process must either have user-ID
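The rule stated in the two maintainer comments above (connect() on a Unix socket needs write permission on the socket inode, read access is not enough, and a non-root user therefore has to own it or be in its group with group-write set) can be checked directly. The following is an added example, not code from this issue or from Docker Desktop: it parses an `ls -l` mode string like the `srwxr-xr-x` line in the report, applies the DAC rule for a given uid/gid set, and confirms the prediction against a real connect() on a throwaway socket. The www-data uid/gid of 82 and the socket name are constructed stand-ins.

```python
import os
import socket
import stat
import tempfile

def parse_ls_mode(mode_str):
    """Turn an `ls -l` mode string such as 'srwxr-xr-x' into (is_socket, numeric mode).
    Lowercase letters set a bit; '-' and uppercase (setuid/setgid/sticky without
    exec) do not. Special bits are ignored on purpose, only rwx matters here."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    mode = 0
    for bit, ch in zip(range(8, -1, -1), mode_str[1:]):
        if ch != "-" and ch.islower():
            mode |= 1 << bit
    return mode_str[0] == "s", mode

def connect_allowed(mode, owner_uid, owner_gid, uid, gids):
    """DAC rule the kernel applies on connect() to a Unix socket: the caller needs
    the write bit that applies to it (owner, group or other). uid 0 bypasses the
    check via CAP_DAC_OVERRIDE, which is why root inside the container still works."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def predicted_from_stat(path, uid, gids):
    """Apply connect_allowed() to a real socket file on disk."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    return connect_allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)

def actual_connect(path):
    """Try a real connect(); report False on EACCES/EPERM instead of raising."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        try:
            c.connect(path)
            return True
        except PermissionError:
            return False

def prediction_matches_reality(mode):
    """Create a listening socket we own, chmod it to `mode`, and check that the DAC
    rule predicts the real connect() outcome for the current user (constructed test
    socket in a temp dir, not the daemon's /var/run/docker.sock)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "docker.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            srv.listen(1)
            os.chmod(path, mode)
            gids = set(os.getgroups()) | {os.getegid()}
            return predicted_from_stat(path, os.geteuid(), gids) == actual_connect(path)
```

Mounting the socket with `:ro` does not change this: the read-only flag applies to the bind mount, while connect() is governed by the socket inode's write bits.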
Docker Desktop 4.27.2 has been released and includes the fix mentioned by @ctalledo (see release notes). |
Description
After updating Docker Desktop on Windows to v4.27, connecting to a bind-mounted tcp unix socket inside a container that runs as an unprivileged (non-root user) process is broken. Connecting to the socket as the root user inside the container still works, but it apparently broke due to the update, because it also worked with the unprivileged user before the update.
This is exactly the same as in:
#13447
Reproduce
Steps to reproduce the behavior
`docker info` works with the root user:

```sh
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli docker info
```
Output
```
Client:
Version: 25.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.12.1
Path: /usr/local/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.24.4
Path: /usr/local/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 2
Running: 2
Paused: 0
Stopped: 0
Images: 6
Server Version: 25.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: a1496014c916f9e62104b33d1bb5bd03b0858e59
runc version: v1.1.11-0-g4bccb38
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
Kernel Version: 5.15.133.1-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 15.62GiB
Name: docker-desktop
ID: f54add01-39db-4944-a6af-d411143674ca
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile
```
`docker info` does not work with a different user, even though it has read access to the socket:

```sh
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli sh -c "apk add shadow sudo && ls -l /var/run/docker.sock && adduser -D -S www-data -G www-data && sudo -u www-data docker info"
```
Output
```
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/7) Installing libmd (1.1.0-r0)
(2/7) Installing libbsd (0.11.7-r3)
(3/7) Installing skalibs (2.14.0.1-r0)
(4/7) Installing utmps-libs (0.1.2.2-r0)
(5/7) Installing linux-pam (1.5.3-r7)
(6/7) Installing shadow (4.14.2-r0)
(7/7) Installing sudo (1.9.15_p2-r0)
Executing busybox-1.36.1-r15.trigger
OK: 17 MiB in 29 packages
srwxr-xr-x 1 root root 0 Feb 1 11:17 /var/run/docker.sock
Client:
Version: 25.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.12.1
Path: /usr/local/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.24.4
Path: /usr/local/libexec/docker/cli-plugins/docker-compose
Server:
ERROR: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": dial unix /var/run/docker.sock: connect: permission denied
errors pretty printing info
```
Expected behavior
It should be possible to connect to the socket even as a non-root user if read permissions are set correctly.
docker version
```
Client:
 Cloud integration: v1.0.35+desktop.10
 Version:           25.0.1
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        29cf629
 Built:             Tue Jan 23 23:10:35 2024
 OS/Arch:           windows/amd64
 Context:           default

Server: Docker Desktop 4.27.0 (135262)
 Engine:
  Version:          25.0.1
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       71fa3ab
  Built:            Tue Jan 23 23:09:46 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.27
  GitCommit:        a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc:
  Version:          1.1.11
  GitCommit:        v1.1.11-0-g4bccb38
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```
docker info
Diagnostics ID
Additional Info
This is the same as in #13447, but now back in 4.27.0.