containers / podman

Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Permission issues accessing the Docker API from a non root application #9839

Closed IceWreck closed 3 years ago

IceWreck commented 3 years ago

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

I understand that the docker socket cannot be used for rootless podman right now and any containers made using it will be made using podman running as root user.

sudo docker-compose works fine and is okay, but when using software like GNS3 which needs to create/require/stop containers, starting it with sudo gns3 is not recommended and it warns you to run it without root. GNS3 when run as a regular user cannot access docker.socket and has permission issues (Cannot connect to host docker:80 ssl:default [Permission denied]).

Is there a way to chmod docker.sock to make it accessible to applications run by my user?

Steps to reproduce the issue:

  1. make podman listen to docker.sock as described here

  2. Run GNS3 without sudo

  3. Try to run a container

Describe the results you received:

Docker has returned an error: Cannot connect to host docker:80 ssl:default [Permission denied]

Describe the results you expected:

It's able to create a container.

Output of podman version:

Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.8
Built:        Fri Feb 19 22:26:17 2021
OS/Arch:      linux/amd64

Package info (e.g. output of rpm -q podman or apt list podman):

rpm -q podman
podman-3.0.1-1.fc33.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide?

Yes

Additional environment details (AWS, VirtualBox, physical, etc.):

Podman and GNS3 are both from the fedora repos, I installed GNS3 without its weak dependency on moby-engine.

rhatdan commented 3 years ago

You could modify the Podman socket to be writable by the podman group and then put the user in the podman group (I feel dirty suggesting this.)

https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/

I would prefer to get compose working in rootless mode, which I believe there is a PR to do now.

mheon commented 3 years ago

To be clear, rootless Podman does support the Docker API right now, with some limitations on networking. These limitations are why compose can’t be run against it. Other applications might work fine.

On Sat, Mar 27, 2021 at 06:42 Daniel J Walsh @.***> wrote:

You could modify the Podman socket to be writable by the podman group and then put the user in the podman group (I feel dirty suggesting this.)

https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/

I would prefer to get compose working in rootless mode, which I believe there is a PR to do now.

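As an added example (not code from the podman project or from any commenter in this thread), the following POSIX shell script makes the two access paths discussed above concrete: the per-user rootless API socket that mheon refers to, and the rootful socket whose group-writable variant rhatdan describes. It reports, for each socket, whether the invoking user can write to it and who owns it, and performs the same `GET /_ping` a Docker-API client issues first. The socket locations (`$XDG_RUNTIME_DIR/podman/podman.sock` for rootless, `/run/podman/podman.sock` for rootful), the `--run` flag and the use of GNU `stat` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not podman project code): locate the Podman API sockets
# and report, per socket, whether the current user can write to them.
# Assumed defaults: rootless socket under $XDG_RUNTIME_DIR/podman/,
# rootful socket at /run/podman/podman.sock, GNU stat and curl available.

ROOTFUL_SOCK=${ROOTFUL_SOCK:-/run/podman/podman.sock}

# Path of the per-user (rootless) API socket, served by the user-level
# podman.socket unit (systemctl --user enable --now podman.socket).
rootless_socket_path() {
    printf '%s/podman/podman.sock\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
}

# Classify access for the invoking user: missing, writable, or denied.
# Write access to an API socket equals the privilege of the service behind
# it: a user who can write to the rootful socket can run containers as root,
# which is why adding users to a group that owns it is not a least-privilege fix.
socket_access() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -w "$1" ]; then
        echo writable
    else
        echo denied
    fi
}

# Owner, group and mode of a socket, for audit output (GNU stat assumed).
socket_audit() {
    stat -c 'owner=%U group=%G mode=%a' "$1" 2>/dev/null || echo 'stat failed'
}

# Same probe a Docker-API client performs first: GET /_ping should answer OK.
# Read-only; nothing on the host is changed.
ping_socket() {
    curl --silent --show-error --max-time 5 --unix-socket "$1" http://localhost/_ping
}

# Print a short report for one socket path.
report() {
    sock=$1
    access=$(socket_access "$sock")
    printf '%s: %s' "$sock" "$access"
    if [ "$access" != missing ]; then
        printf ' (%s)' "$(socket_audit "$sock")"
    fi
    printf '\n'
    if [ "$access" = writable ]; then
        printf '  _ping: %s\n' "$(ping_socket "$sock" 2>&1)"
        printf '  use with: DOCKER_HOST=unix://%s\n' "$sock"
    fi
}

main() {
    report "$(rootless_socket_path)"
    report "$ROOTFUL_SOCK"
}

# Run the report only when invoked as `sh podman-socket-check.sh --run`,
# so the functions can also be sourced from another script.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A result of `writable` on the rootless socket is the normal state for the logged-in user and is the path a non-root application such as GNS3 should be pointed at via `DOCKER_HOST`; a result of `writable` on the rootful socket for an unprivileged account is worth flagging in an audit, since it grants that account root-equivalent control of the host.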

github-actions[bot] commented 3 years ago

A friendly reminder that this issue had no activity for 30 days.

mheon commented 3 years ago

The network connect/disconnect operations are now usable without root on master, closing.