bash unix:///var/run/docker.sock 上的 Docker 守护进程套接字的权限被拒绝
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/53126950/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Permission denied to Docker daemon socket at unix:///var/run/docker.sock
提问by Jimmix
I have this Dockerfile:
我有这个Dockerfile:
FROM chekote/gulp:latest
USER root
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y sudo libltdl-dev
ARG dockerUser='my-user-name';
ARG group='docker';
# crate group if not exists
RUN if ! grep -q -E "^$group:" /etc/group; then groupadd $group; fi
# create user if not exists
RUN if ! grep -q -E "^$dockerUser:" /etc/passwd; then useradd -c 'Docker image creator' -m -s '/bin/bash' -g $group $dockerUser; fi
# add user to the group (if it was present and not created at the line above)
RUN usermod -a -G ${group} ${dockerUser}
# set default user that runs the container
USER ${dockerUser}
That I build this way:
我以这种方式构建:
docker build --tag my-gulp:latest .
and finally run by scriptthis way:
最后通过script这种方式运行:
#!/bin/bash
image="my-gulp:latest";
workDir='/home/gulp/project';
docker run -it --rm \
-v $(pwd):${workDir} \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/bin/docker:/usr/bin/docker \
${image} /bin/bash
that logs me into the docker container properly but when I want to see images
这使我正确登录到 docker 容器,但是当我想查看图像时
docker images
or try to pull image
或尝试拉图像
docker pull hello-world:latest
I get this error:
我收到此错误:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.38/images/json: dial unix /var/run/docker.sock: connect: permission denied
在尝试连接到 unix:///var/run/docker.sock 上的 Docker 守护进程套接字时获得权限被拒绝:获取http://%2Fvar%2Frun%2Fdocker.sock/v1.38/images/json:拨号 unix /var/run/docker.sock: 连接:权限被拒绝
How to create docker image from chekote/gulp:latestso I can use docker inside it without the error?
如何从中创建 docker 映像,chekote/gulp:latest以便我可以在其中使用 docker 而不会出现错误?
Or maybe the error is because of wrong docker run command?
或者错误是因为错误的 docker run 命令?
采纳答案by David Maze
The permission matching happens only on numericuser ID and group ID. If the socket file is mode 0660 and owned by user ID 0 and group ID 32, and you're calling it as a user with user ID 1000 and group IDs 1000 and 16, it doesn't matter if one /etc/groupfile names gid 32 as dockerand the other one names gid 16 the same; the numeric gids are different and you can't access the file. Also, since the actual numeric gid of the Docker group will vary across systems, this isn't something you can bake into the Dockerfile.
权限匹配仅发生在数字用户 ID 和组 ID 上。如果套接字文件的模式为 0660 并由用户 ID 0 和组 ID 32 拥有,并且您将其作为用户 ID 为 1000、组 ID 为 1000 和 16 的用户调用,那么一个/etc/group文件是否将 gid 32 命名为docker另一个名称 gid 16 相同;数字 gid 不同,您无法访问该文件。此外,由于 Docker 组的实际数字 gid 会因系统而异,因此您无法将其添加到 Dockerfile 中。
Many Docker images just run as root; if they do, they can access a bind-mounted Docker socket file regardless of its permissions.
许多 Docker 镜像只是以 root 身份运行;如果他们这样做,他们可以访问绑定安装的 Docker 套接字文件,而不管其权限如何。
If you run as a non-root user, you can use the docker run --group-addoptionto add a (numeric) gid to the effective user; it doesn't specifically need to be mentioned in the /etc/groupsfile. On a Linux host you might run:
如果您以非 root 用户身份运行,则可以使用docker run --group-add选项为有效用户添加(数字)gid;它不需要在/etc/groups文件中特别提及。在 Linux 主机上,您可能会运行:
docker run --group-add $(getent group docker | cut -d: -f3) ...
You wouldn't usually install sudoin a Dockerfile (it doesn't work well for non-interactive programs, you usually don't do a whole lot in interactive shells because of the ephemeral nature of containers, and you can always docker exec -u 0to get a root shell) though installing some non-root user is often considered a best practice. You could reduce the Dockerfile to
您通常不会安装sudo在 Dockerfile 中(它不适用于非交互式程序,由于容器的短暂性,您通常不会在交互式 shell 中做很多事情,并且您始终docker exec -u 0可以获取根shell) 虽然安装一些非 root 用户通常被认为是最佳实践。您可以将 Dockerfile 减少到
FROM node:8
RUN apt-get update
# Trying to use the host's `docker` binary may not work well
RUN apt-get install -y docker.io
# Install the single node tool you need
RUN npm install -g gulp
# Get your non-root user
RUN adduser myusername
# Normal Dockerfile bits
WORKDIR ...
COPY ...
RUN gulp
USER myusername
CMD ["npm", "run", "start"]
(That Docker base imagehas acoupleofthingsthat don't really match Docker best practices, and doesn't seem to be updated routinely; I'd just use the standard nodeimage as a base and add the one build tool you need on top of it.)
(那泊坞窗基本图像有一对夫妇的事情是真的不匹配泊坞窗的最佳做法,似乎并没有被定期更新;我只是使用标准的node图像为基础,并添加你需要在一个构建工具最重要的。)
回答by R J
A quick way to avoid that. Add your user to the group.
避免这种情况的快速方法。将您的用户添加到组中。
sudo gpasswd -a $USER docker
Then set the proper permissions.
然后设置适当的权限。
sudo setfacl -m user:<your username>:rw /var/run/docker.sock
Should be good from there.
从那里应该很好。
回答by Lie Ryan
The error has nothing to do with docker pull or docker image subcommand, but rather that you need to call the the docker command as either a user with write access to the docker socket (for example, by being root, using sudo, or by being in the docker group).
该错误与 docker pull 或 docker image 子命令无关,而是您需要以对 docker 套接字具有写访问权限的用户身份调用 docker 命令(例如,作为 root、使用 sudo 或通过在 docker 组中)。
回答by Ijaz Ahmad Khan
You need the --privileged flag with your docker run command.
你的 docker run 命令需要 --privileged 标志。
By the way , you can just use the docker in docker , image from docker for this kind of use case.
顺便说一句,对于这种用例,您可以只使用 docker 中的 docker,来自 docker 的图像。
