docker / for-win

Bug reports for Docker Desktop for Windows
https://www.docker.com/products/docker#/windows

connecting to docker socket inside container with different user than root is broken after updating to 4.19 #13447

Closed szaimen closed 1 year ago

szaimen commented 1 year ago

Actual behavior

After updating Docker Desktop on Windows to v4.19 when trying to connect to a bind-mounted tcp unix socket inside a container that runs as unprivileged (non-root user) process. Connecting to the socket as root user inside the container still works but it apparently broke due to the update because it worked also with the unprivileged user before the update.

Expected behavior

It should be possible to connect to the socket even as non-root user if read permissions are set correctly.

Information

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

Steps to reproduce the behavior

  1. Update to Docker Desktop 4.19 on Windows
  2. run via command prompt:

```
# docker info works with root user
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli docker info
```

Output

```
Client:
 Context: default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version: v0.10.4
    Path: /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version: v2.17.3
    Path: /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 23.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.15.90.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.682GiB
 Name: docker-desktop
 ID: 98271cca-a380-4fa6-8246-56d88c255a12
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Experimental: true
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
```

```
# docker info does not work with different user even though it has read access to the socket
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli sh -c "apk add shadow sudo && ls -l /var/run/docker.sock && adduser -D -S www-data -G www-data && sudo -u www-data docker info"
```

Output

```
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/3) Installing linux-pam (1.5.2-r1)
(2/3) Installing shadow (4.13-r0)
(3/3) Installing sudo (1.9.12_p2-r1)
Executing busybox-1.35.0-r29.trigger
OK: 17 MiB in 25 packages
srwxr-xr-x 1 root root 0 May 1 12:49 /var/run/docker.sock
Client:
 Context: default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version: v0.10.4
    Path: /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version: v2.17.3
    Path: /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
ERROR: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": dial unix /var/run/docker.sock: connect: permission denied
errors pretty printing info
```
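
Added example (not part of the original report and not Docker's code): on Linux, connect(2) to a UNIX socket requires write permission on the socket, so a `srwxr-xr-x root root` listing is consistent with the permission-denied error shown for the non-root user. The function names and the uid/gid 82 are assumptions made for illustration, and only classic mode bits are evaluated (no ACLs or LSM policy).

```shell
#!/bin/sh
# Linux checks WRITE permission on a UNIX socket's inode at connect(2);
# read permission is not enough. These helpers evaluate that rule.

# ls_mode_to_octal MODESTR: "srwxr-xr-x" -> 755 (plain rwx bits only).
ls_mode_to_octal() {
    s=${1#?}; n=0                        # drop the file-type character
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}        # c = first char, s = remainder
        n=$((n * 2))
        if [ "$c" != "-" ]; then n=$((n + 1)); fi
    done
    printf '%o\n' "$n"
}

# can_connect MODE OWNER_UID OWNER_GID UID "GID ...": returns 0 if allowed.
# Exactly one permission class applies: owner, else group, else other.
can_connect() {
    mode=$((0$1)); bit=$((0002))         # default: the "other" write bit
    [ "$4" -eq 0 ] && return 0           # root normally bypasses mode checks
    if [ "$4" -eq "$2" ]; then
        bit=$((0200))                    # caller owns the socket
    else
        for g in $5; do                  # caller is in the owning group
            if [ "$g" -eq "$3" ]; then bit=$((0020)); fi
        done
    fi
    if [ $((mode & bit)) -ne 0 ]; then return 0; else return 1; fi
}

# check_socket PATH: apply the rule to the calling user and a real socket.
# Uses `stat -c` as provided by GNU coreutils and BusyBox.
check_socket() {
    [ -S "$1" ] || { echo "$1: not a socket" >&2; return 2; }
    set -- "$1" $(stat -c '%a %u %g' "$1")
    if can_connect "$2" "$3" "$4" "$(id -u)" "$(id -G)"; then
        echo "$1: uid $(id -u) may connect"
    else
        echo "$1: uid $(id -u) denied (mode $2, owner $3:$4)"; return 1
    fi
}

# Constructed demo: mode string from the report's `ls -l`; uid/gid 82 is made up.
m=$(ls_mode_to_octal srwxr-xr-x)
can_connect "$m" 0 0 82 "82" || echo "mode $m root:root -> uid 82 cannot connect"
```

Run `check_socket /var/run/docker.sock` as the unprivileged user inside the container to see which class applies. Write access to the Docker socket gives full control of the daemon, so a dedicated group with mode 660 is a narrower grant than a world-writable socket.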
djs55 commented 1 year ago

@szaimen thanks for your report. I suspect this is the same as https://github.com/docker/for-mac/issues/6823 . Could you check

szaimen commented 1 year ago

@szaimen thanks for your report. I suspect this is the same as docker/for-mac#6823 .

Yes, this looks like the same issue.

  • the ownership and permissions you're seeing on the /var/run/docker.sock inside the container

The ownership is fine. The socket is readable by the user. (see the output of ls -l in the second command above).

  • the versions of both Docker Desktop and the docker:cli image which work and which don't? So far I've not found a combination of those which works with a non-root user. I'm not sure whether it's a change in Docker or in the docker:cli image. Could you show me the ownership and permissions of the socket in a combination which works?

It worked in my testing fine with Docker Desktop 4.18 in combination with the same docker:cli image docker:23.0.5-cli. I would also give it another try but I am not sure how to get back to Docker Desktop 4.18 now that I upgraded to 4.19.

jeffrozica commented 1 year ago

I created another issue for this, but having a similar issue. Here are my notes on this.

Docker desktop version 4.19.0 broke my -v /var/run/docker.sock.raw /var/run/docker.sock. About 2 years ago, this solved my docker socket permission denied error (See below).... It was working fine up through version 4.18, but after the v4.19 upgrade, it broke again. Getting this error again. Had to revert back to version 4.18. Same issue on Windows and Mac versions.

""" Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied """

Again, no issues until I went to docker desktop version 4.19 and it's the same issue on MAC and WINDOWS. The docker.sock.raw was the only viable option for me to fix this.

jeffrozica commented 1 year ago

NOTE REGARDING GOING BACK TO PRIOR DOCKER DESKTOP VERSION: At least on the MAC, to revert back to version 4.18, I just manually downloaded it and reinstalled. It asked me to overlap my prior version and that worked. Did not lose any images, settings, etc. Not sure on Windows, if you can do that, but you can try. If just reinstalling on top of existing version doesn't work, you have to uninstall 4.19 and reinstall 4.18 from scratch, but then you have to set up everything again and redo your docker images.

vbode commented 1 year ago

I am running into the same issue on Windows.

FlattusBlastus commented 1 year ago

Please prioritize this fix.

nerlins commented 1 year ago

OMFG. Somebody in docker respond to this and help us...

bobloadmire commented 1 year ago

how are you guys downgrading docker desktop on windows? installer just says installation up to date, and exits. if they are going to release alpha code in stable we need options to downgrade.

vbode commented 1 year ago

I use chocolatey to manage my installed software. It also allows you to easily downgrade docker desktop.

briantho commented 1 year ago

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

jctace commented 1 year ago

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

Yes still an issue with 4.20

nerlins commented 1 year ago

Why is this still an issue in another release? Are the people at Docker even looking into this problem? This doesn't seem like a bug but an intentional change and they're not speaking up about it.

Here's a thought. For $5 a month someone could actually purchase official support for Docker Desktop through Docker themselves. I'm wondering if anyone is paying for this support and what would be the response to the problem then?

racineda commented 1 year ago

Adding my +1 one here. Glad I'm not alone.

josemahj commented 1 year ago

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

could explain how to downgrade?

vbode commented 1 year ago

@djs55 Is this issue on the radar at Docker? This seems to be affecting a lot of folks.

jeffrozica commented 1 year ago

@djs55 Is this issue on the radar at Docker? This seems to be affecting a lot of folks.

I just upgraded to version 4.20 and the problem still exists in this version. Reverted back to version 4.18. This is not acceptable and should be fixed. Are the folks that support docker even listening to us?

FlattusBlastus commented 1 year ago

Still recommending ditching docker desktop for docker service running in wsl2.


briantho commented 1 year ago

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

could explain how to downgrade?

uninstall 4.20. Install 4.18 from here Be sure you do a backup before you uninstall. I personally used the local .tar image method to backup and restore.

Unfortunately this bug completely breaks nextcloud aio, and so far the only way i've found that actually fixes it is to downgrade to 4.18. I hope the devs fix this someday...

nerlins commented 1 year ago

Still broken, and no replies from Docker. Who do we direct our issue to? This current issue is either being ignored or not noticed.

nester43 commented 1 year ago

I hope this is fixed soon. I'm stuck on 4.18.

MihaelaStoica commented 1 year ago

Thanks for reporting the issue and apologies for the delay in addressing it. We have identified the problem and will include a fix in the next Docker Desktop release.

jeffrozica commented 1 year ago

Thanks for reporting the issue and apologies for the delay in addressing it. We have identified the problem and will include a fix in the next Docker Desktop release.

Any estimation as to when that will be? Few days, weeks or months?

MihaelaStoica commented 1 year ago

Any estimation as to when that will be? Few days, weeks or months?

@jeffrozica It will hopefully be by the end of next week

lorenrh commented 1 year ago

We have released Docker desktop 4.21.1, containing a fix for this issue, please see https://docs.docker.com/desktop/release-notes/

nerlins commented 1 year ago

We have released Docker desktop 4.21.1, containing a fix for this issue, please see https://docs.docker.com/desktop/release-notes/

Did you actually test this with a container that needs to log into the socket as non-root, like Nextcloud, because I don't want to be the guinea pig, and neither does anyone else. We received no information from Docker regarding this issue for two months. Not a single one of you came here to ease our concerns. Now, there is a magic fix, and you don't even describe what you did to fix it.

I'm sure you can forgive me for being completely untrusting of your organization now.

bobloadmire commented 1 year ago

We have released Docker desktop 4.21.1, containing a fix for this issue, please see https://docs.docker.com/desktop/release-notes/

Did you actually test this with a container that needs to log into the socket as non-root, like Nextcloud, because I don't want to be the guinea pig, and neither does anyone else. We received no information from Docker regarding this issue for two months. Not a single one of you came here to ease our concerns. Now, there is a magic fix, and you don't even describe what you did to fix it.

I'm sure you can forgive me for being completely untrusting of your organization now.

Lol same, I ain't touching this update considering the history

vbode commented 1 year ago

I just tested 4.21.1 and in my situation it looks like the issue is fixed. The user with permissions on the docker socket in my container works.

nester43 commented 1 year ago

I just tested 4.21.1 and in my situation it looks like the issue is fixed. The user with permissions on the docker socket in my container works.

That was awesome of you. What version of nextcloud did you test with? Thanks!

vbode commented 1 year ago

@nester43 I don't use nextcloud, this was an issue for me when running containers in Docker Desktop on Windows, but not anymore.

controversy187 commented 1 year ago

I'm new to Nextcloud and tried the AIO on Docker 4.19 on Windows, and the errors I got led me to this thread. I tried again today after updating to 4.21.1 and it seems to be working fine.

nester43 commented 1 year ago

I'm new to Nextcloud and tried the AIO on Docker 4.19 on Windows, and the errors I got led me to this thread. I tried again today after updating to 4.21.1 and it seems to be working fine.

That's extremely encouraging and thank you for sharing. What version of Nextcloud are you running? I'm still nervous as restoring a backup on previous docker version would take a long time given we have a few TBs in Nextcloud.

controversy187 commented 1 year ago

I believe that I was running version 27. IIRC, the AIO had a default of 26 selected, but I opted for 27.

behinder85 commented 1 year ago

I'm new to Nextcloud and tried the AIO on Docker 4.19 on Windows, and the errors I got led me to this thread. I tried again today after updating to 4.21.1 and it seems to be working fine.

That's extremely encouraging and thank you for sharing. What version of Nextcloud are you running? I'm still nervous as restoring a backup on previous docker version would take a long time given we have a few TBs in Nextcloud.

I successfully deployed AIO using 4.22.1 and it works; the "Cannot connect to the docker socket. Cannot proceed." error is gone.