Docker run - User group not working as expected? - linux

I have a script that communicates over serial port (/dev/ttyUSB0). I want to run it from within a Docker image. However I don't seem to have permissions to do it from within the image. I follow these steps:
On my host, if I run ln -l /dev/ttyUSB0 I get:
crw-rw---- 1 root dialout 188, 0 jul 2 14:34 /dev/ttyUSB0
Good, it means that in order to read/write to it, I need to be either root, or part of the dialout group.
I become member of this group in my host:
$ sudo usermod -aG dialout $(whoami)
Then I log out and log in again to make this effective.
After that, I verify that I can communicate perfectly with /dev/ttyUSB0 from my host. However if I run the docker image:
docker run --user=1000:1000 --rm=true --tty=true --privileged=true --device=/dev/ttyUSB0 --volume=<my_dir>:<my_dir> --workdir=<my_dir> <my_docker_image> <my_script>
Then it complains:
can't open device "/dev/ttyUSB0": Permission denied
However if I use: --user=1000:20, then it works fine. The group 20 is the dialout group.
Now my question:
Why does Docker not understand that my user (1000) and group (1000) is part of the dialout group?
This was working when I used the old docker (apt-get install docker-io, docker-engine), but after updating to the new Docker CE this stopped working.
Setup:
Ubuntu 16.04.2 LTS Kernel 4.4.0-83-generic.
Docker version: Docker version 17.06.0-ce, build 02c1d87.
Thanks!

As stated in a comment, The solution was to pass --group-add=dialout to the docker run call. However, be aware that when using docker images that provides a way to specify the user and group using an environment variable (usually -e PUID=<UID> -e PGID=<GID>) it overwrites that setting.

Related

Giving the user inside a container permission on a device

I have a container that's based on the matspfeiffer/flutter image. I'm trying to forward some of my devices present on my host to the container so eventually I can run an android emulator from inside it.
I'm providing the following options to the docker run command:
--device /dev/kvm
--device /dev/dri:/dev/dri
-v /tmp/.X11-unix:/tmp/.X11-unix
-e DISPLAY
This renders the /dev/kvm device accessible from within the container.
However, the permissions for the /dev/kvm device on my host are the following:
crw-rw----+ 1 root kvm 10, 232 oct. 5 19:12 /dev/kvm
So from within the container I'm unable to interact with the device properly because of insufficient permissions.
My best shot at fixing the issue so far has been to alter the permissions of the device on my host machine like so:
sudo chmod 777 /dev/klm
It fixes the issue but it goes without saying that it is not in any case an appropriate solution.
I was wondering if there was a way to grant the container permission to interact with that specific device without altering the permissions on my host.
I am open to giving --privileged access to my host to my container.
I also wish to be able to create files from within the container without the permissions being messed up (I was once root inside a Docker container which made it so every file I would create in a shared volume from within the container inaccessible from my host).
For reference, I'm using VS Code remote containers to build and run the container so the complete docker run command as provided by VS Code is the following
docker run --sig-proxy=false -a STDOUT -a STDERR --mount type=bind,source=/home/diego/Code/Epitech/B5/redditech,target=/workspaces/redditech --mount type=volume,src=vscode,dst=/vscode -l vsch.local.folder=/home/diego/Code/Epitech/B5/redditech -l vsch.quality=stable -l vsch.remote.devPort=0 --device /dev/kvm --device /dev/dri:/dev/dri -v /tmp/.X11-unix:/tmp/.X11-unix -e DISPLAY --fifheri --entrypoint /bin/sh vsc-redditech-850ec704cd6ff6a7a247e31da931a3fb-uid -c echo Container started

using docker-compose without sudo doesn't work

I was recently told that running docker or docker-compose with sudo is a big nono, and that I had to create/add my user to the docker group in order to run docker and docker-compose commands without sudo. Which I did, as per the documentation here
Now, docker runs normally via my user. e.g. :
~$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete
Digest: sha256:df5f5184104426b65967e016ff2ac0bfcd44ad7899ca3bbcf8e44e4461491a9e
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
But when I try to run docker-compose, I get a Permission Denied
~$ docker-compose --help
-bash: /usr/local/bin/docker-compose: Permission denied
Could you please explain how this works ? I thought having a docker group enabled the usage of these commands because the binaries belong to this group, but actually they don't, they only belong to root...
~$ ls -al /usr/bin/docker*
-rwxr-xr-x 1 root root 71706288 Jul 23 19:36 /usr/bin/docker
-rwxr-xr-x 1 root root 804408 Jul 23 19:36 /usr/bin/docker-init
-rwxr-xr-x 1 root root 2944247 Jul 23 19:36 /usr/bin/docker-proxy
-rwxr-xr-x 1 root root 116375640 Jul 23 19:36 /usr/bin/dockerd
~$ ls -al /usr/local/bin/
total 12448
drwxr-xr-x 2 root root 4096 May 26 11:08 .
drwxr-xr-x 10 root root 4096 May 14 19:36 ..
-rwxr--r-- 1 root root 12737304 May 26 11:08 docker-compose
So, how does this work?
And how do I enable docker-compose to run for users that belong to the docker group?
sudo chmod a+x /usr/local/bin/docker-compose
Will turn your permissions on.
docker-compose is just a wrapper, and it uses an external docker daemon, the same way the docker command doesn't actually run anything but gives an order to a docker daemon.
You can change the docker daemon you communicate with using the DOCKER_HOST variable. By default, it is empty ; and when it is empty, both docker and docker-compose assume it is located at /var/run/docker.sock
According to the dockerd documentation :
By default, a unix domain socket (or IPC socket) is created at /var/run/docker.sock, requiring either root permission, or docker group membership.
And this is enforced by giving read and write access to the docker group to the socket.
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 nov. 15 19:54 /var/run/docker.sock
As described in https://docs.docker.com/engine/install/linux-postinstall/, to add an user to the docker group, you can do it like that :
sudo usermod -aG docker $USER # this adds the permissions
newgrp docker # this refreshes the permissions in the current session
That being said, using docker with sudo is the same as using it with the docker group, because giving acces to the /var/run/docker.sock is equivalent to giving full root acces:
From https://docs.docker.com/engine/install/linux-postinstall/
The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
If root permission is a security issue for your system, another page is mentioned :
To run Docker without root privileges, see Run the Docker daemon as a non-root user (Rootless mode).
docker is composed of multiple elements : https://docs.docker.com/get-started/overview/
First, there are clients :
$ type docker
docker is /usr/bin/docker
$ dpkg -S /usr/bin/docker
docker-ce-cli: /usr/bin/docker
You can see that the docker command is installed when you install the docker-ce-cli package.
Here, ce stands for community edition.
The docker cli communicates with the docker daemon, also known as dockerd.
dockerd is a daemon (a server) and exposes by default the unix socket /var/run/docker.sock ; which default permissions are root:docker.
There are other components involved, for instance dockerd uses containerd : https://containerd.io/
The rest is basic linux permission management :
operating the docker daemon is the same as having root permission on that machine.
to operate the docker daemon, you need to be able to read and write from and to the socket it listens to ; in your case it is /var/run/docker.sock. whether or not you are a sudoer does not change anything to that.
to be able to read and write to and from /var/run/docker.sock, you must either be root or being in the docker group.
docker-compose is another cli it has the same requirements as docker.
What worked for me was adding myself to the 'docker' group
by running (as root, via sudo):
# usermod -a -G docker` *myUserName*
You may need to re-login, since current shells
may not yet "know" about being added to the docker group.
But you can run this following command if you don't want to re-login
newgrp docker
https://docs.docker.com/engine/install/linux-postinstall/

How the Unix user level is affecting my visibility to docker images?

I am very new to Unix/docker,
I have the following two outputs on the console,
admin#ansible:~/nachiket/workspace/docker-nachi-sample-app$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
admin#ansible:~/nachiket/workspace/docker-nachi-sample-app$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nachiketjoshi/python-log-generator latest ca675b7439ab About an hour ago 908MB
python 2.7 4ee4ea2f0113 3 weeks ago 908MB
can someone explain how the Unix user level is affecting my visibility to docker images...
It is because
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
So, after installing docker to have the same access level on another user instead of root you need to perform:
sudo groupadd docker
sudo usermod -aG docker $USER
Then verify if it worked on docker uses:
docker run hello-world
If everything goes right try to execute docker images and see if it has the same access level, I've tested on CentOS and it worked
Reference: https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user

Docker access permissions on mounted volumes. Why do they belong to root?

I've set up Docker to run as a non-root user. Now I can start my containers as an ordinary user and I feel more comfortable.
me#machine:~$ docker run -it -v ~/test:/test alpine:3.6 sh
/ # touch /test/test1
Meanwhile on the host:
me#machine:~$ ls -l ~/test/
total 0
-rw-r--r-- 1 root root 0 Jul 31 15:50 test1
Why do the files belong to root? How can I make them and all created files in the container belong to me?
Interesting fact: This happens on Debian Linux. Contrary, doing the same on a Mac, the created files would belong to me.
Mac OS Docker and Linux Docker have lot of changes in behavior. So ignore that part. Focus on the side of Linux.
What you did using https://docs.docker.com/engine/installation/linux/linux-postinstall/#manage-docker-as-a-non-root-user basically just means that a non-root user has access to the docker group. Through that docker group you are able to execute docker command. But docker daemon is still running as root user.
That you can confirm by running
ps aux | grep dockerd
And when you do a volume mapping, the directory gets created by docker, which eventually has root user permission. What you are looking for has been launched very recently as Docker user namespaces. Please read the details on below URL
https://success.docker.com/KBase/Introduction_to_User_Namespaces_in_Docker_Engine
This will guide you how to run your docker containers with a mapped user instead of root. In short create/update /etc/docker/daemon.json file to have below content
/etc/docker/daemon.json
{
"userns-remap": "<a non root user>"
}
And restart the docker service. Now your docker containers inside will think they have root privileges but they would run as a non-root user on host

"Is your docker daemon up and running?" Problems with docker hello world tutorial on Linux

I am running the installation tutorial for Docker on Linux - Ubuntu 14.04
Going step by step through the tutorial, I get the following error message:
docker run hello-world
Post http:///var/run/docker.sock/v1.20/containers/create: dial unix /var/run/docker.sock: no such file or directory.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?
The similar question docker error: /var/run/docker.sock: no such file or directory refers to boot2docker which I am not using
Had the same issue, solved:
docker-machine start default
eval "$(docker-machine env default)"
I got the same problem today. you just have to start the service.
sudo service docker start
It works on linux. I don't know if it works on mac
I had the same problem running docker on ubuntu 14.04.
Trying running Docker as root:
sudo docker run hello-world
Type in password when prompted.
Check the ownership of the file /var/run/docker.sock:
ls -l /var/run/docker.sock
srw-rw----. 1 root root 0 Nov 18 16:17 /var/run/docker.sock
Change the group settings to dockerroot:
sudo chown root:dockerroot /var/run/docker.sock
ls -l /var/run/docker.sock
srw-rw----. 1 root dockerroot 0 Nov 18 16:17 /var/run/docker.sock
Then it should work.
Both the solution here are tried and tested on linux only
Solution 1:
I was Having the same issue, Login with root privilege solved my problem
Solution 2:
The solution here works only with root user because root user has full access to linux socket similarly docker group has full access to linux socket.
if you want to run this with non root user you need to add user to docker group, you can do this with following command -
sudo usermod -aG docker $(whoami)
Now logout and login you should be able to work with non-root user :)
After getting stuck I turned off the computer and went on a road trip. One Monday I turned the computer on and docker run hello-world runs just as the tutorial indicated.
Had exactly the same problem on Windows 8.1
Answer was to open the Oracle VM Virtual Box, right click on the default instance and then click on "Show" icon. Then saw BootLocker logo.
Then back to the Docker Quickstarter "> whale" icon, double click and ascii docker appears.
In linux, after installation, though docker version was giving a proper output, docker run hello-world was not working because the service was not up.
I tried service docker restart in SLES 12 SP3 Linux machine. It worked. So probably your docker daemon needs a restart.
Try the same command service docker restart and it should work.
So, is the Docker daemon running? What troubleshooting did you already do?
The tutorial doesn't mention starting Docker or adding yourself to the docker group so that you can run Docker command without sudo (although, this should have been mentioned when you installed Docker). You need to do both of these things first.

Resources