在Unix：///var/run/docker.sock上拒绝Docker守护程序套接字的权限 [英] Permission denied to Docker daemon socket at unix:///var/run/docker.sock

问题描述

我有这个 Dockerfile ：

FROM chekote/gulp:latest 

USER root
RUN apt-get update \
      && apt-get upgrade -y \
      && apt-get install -y sudo libltdl-dev

ARG dockerUser='my-user-name';
ARG group='docker';

# crate group if not exists
 RUN if ! grep -q -E "^$group:" /etc/group; then groupadd $group; fi

# create user if not exists
 RUN if ! grep -q -E "^$dockerUser:" /etc/passwd; then useradd -c 'Docker image creator' -m -s '/bin/bash' -g $group $dockerUser; fi

# add user to the group (if it was present and not created at the line above)
 RUN usermod -a -G ${group} ${dockerUser}

# set default user that runs the container
 USER ${dockerUser}

我是这样构建的：

docker build --tag my-gulp:latest .

并最终通过 script 运行：

#!/bin/bash

image="my-gulp:latest";
workDir='/home/gulp/project';

docker run -it --rm  \
-v $(pwd):${workDir} \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/bin/docker:/usr/bin/docker \
${image} /bin/bash

可以正确地将我登录到Docker容器中，但是当我想查看图像时

that logs me into the docker container properly but when I want to see images

docker images

或尝试提取图像

docker pull hello-world:latest

我收到此错误：

尝试连接到unix：//上的Docker守护程序套接字时，拒绝了权限/var/run/docker.sock：获取 http：//％2Fvar％2Frun ％2Fdocker.sock / v1.38 / images / json ：拨打unix /var/run/docker.sock：connect：权限被拒绝

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.38/images/json: dial unix /var/run/docker.sock: connect: permission denied

如何从 chekote / gulp：latest 创建docker映像，以便我可以在其中使用docker而不会出现错误？

How to create docker image from chekote/gulp:latest so I can use docker inside it without the error?

或者错误可能是由于错误的docker run命令引起的？

Or maybe the error is because of wrong docker run command?

推荐答案

匹配仅发生在数字用户ID和组ID上。如果套接字文件的模式为0660，并由用户ID 0和组ID 32拥有，并且您以用户ID 1000和组ID 1000和16的用户身份对其进行调用，则是否 / etc / group 文件名gid 32为 docker ，其他文件名gid 16相同；数字编号不同，您无法访问该文件。另外，由于Docker组的实际数字差异在不同的系统中会有所不同，因此您不能将其烘焙到Dockerfile中。

The permission matching happens only on numeric user ID and group ID. If the socket file is mode 0660 and owned by user ID 0 and group ID 32, and you're calling it as a user with user ID 1000 and group IDs 1000 and 16, it doesn't matter if one /etc/group file names gid 32 as docker and the other one names gid 16 the same; the numeric gids are different and you can't access the file. Also, since the actual numeric gid of the Docker group will vary across systems, this isn't something you can bake into the Dockerfile.

许多Docker映像只是以root身份运行;如果这样做，则无论其权限如何，他们都可以访问绑定安装的Docker套接字文件。

Many Docker images just run as root; if they do, they can access a bind-mounted Docker socket file regardless of its permissions.

如果您以非root用户身份运行，则可以使用 docker run --group-add 选项为有效用户添加（数字）gid； / etc / groups 文件中不需要特别提及。在Linux主机上，您可以运行：

If you run as a non-root user, you can use the docker run --group-add option to add a (numeric) gid to the effective user; it doesn't specifically need to be mentioned in the /etc/groups file. On a Linux host you might run:

docker run --group-add $(getent group docker | cut -d: -f3) ...

您通常不会安装 sudo 在Dockerfile中（不适用于非交互式程序，由于容器的短暂性质，您通常不会在交互式shell中做很多事情，并且您始终可以 docker exec -u 0 以获取root shell），尽管通常安装一些非root用户是最佳实践。您可以将Dockerfile减少为

You wouldn't usually install sudo in a Dockerfile (it doesn't work well for non-interactive programs, you usually don't do a whole lot in interactive shells because of the ephemeral nature of containers, and you can always docker exec -u 0 to get a root shell) though installing some non-root user is often considered a best practice. You could reduce the Dockerfile to

FROM node:8
RUN apt-get update
# Trying to use the host's `docker` binary may not work well
RUN apt-get install -y docker.io
# Install the single node tool you need
RUN npm install -g gulp
# Get your non-root user
RUN adduser myusername
# Normal Dockerfile bits
WORKDIR ...
COPY ...
RUN gulp
USER myusername
CMD ["npm", "run", "start"]

（< a href = https://hub.docker.com/r/chekote/gulp/ rel = noreferrer>该Docker基本映像具有 a 夫妇 of 事物 t这顶帽子与Docker最佳实践并不完全匹配，并且似乎没有定期更新；我只是使用标准的 node 图像作为基础，并在其顶部添加一个所需的构建工具。）

(That Docker base image has a couple of things that don't really match Docker best practices, and doesn't seem to be updated routinely; I'd just use the standard node image as a base and add the one build tool you need on top of it.)

这篇关于在Unix：///var/run/docker.sock上拒绝Docker守护程序套接字的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！