waldur / waldur-mastermind

Waldur MasterMind is a hybrid cloud orchestrator.
https://waldur.com
MIT License

Docker permissions issue #49

Closed mattronix closed 9 months ago

mattronix commented 10 months ago

Error message
[ErrorDetail(string="Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))", code='invalid')]

Any idea how to fix ?

mattronix commented 10 months ago

Seems default permissions / user of waldur can't connect to docker socket.

livenson commented 10 months ago

Can you please clarify what OS you are running on? And is it about connecting to the docker API server from within waldur, i.e. for custom scripts?

mattronix commented 10 months ago

Docker on Debian 11. Indeed, it's waldur in docker-compose executing custom scripts that generates the error.

mattronix commented 10 months ago

root@waldur:~# docker --version
Docker version 24.0.7, build afdd53b
root@waldur:~# lsb
lsb_release  lsblk
root@waldur:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:    11
Codename:   bullseye
root@waldur:~#

mattronix commented 10 months ago

If I install docker inside the container I can actually list containers from the host, so I'm guessing it's a python version error.

mattronix commented 10 months ago

ah suspect the waldur user has no permissions on the docker socket

mattronix commented 10 months ago

indeed the waldur user can't access the socket that's been passed through:

$ whoami
waldur
$ docker ps
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied
$

but the root user in the container can

livenson commented 10 months ago

could you perhaps add waldur user id to the docker group on host?

sudo usermod -aG docker $waldur_user?

Not ideal, but perhaps good enough as a workaround.

mattronix commented 9 months ago

I created the user on the host with the same ID and added it to the group, weirdly still can't access :( (I do not have AppArmor or SELinux)

livenson commented 9 months ago

Ok, indeed reproduced on Debian. A workaround is to set more open permissions - chmod 666 /var/run/docker.sock.

Not ideal. And doesn't seem to be needed on RH derivatives.

I've added the note about chmoding to the documentation. Not sure if I can do much more here, so resolving.

mattronix commented 9 months ago

ah perfect, that will only last to a reboot tho, what operating system do you currently recommend as I will switch :)

mattronix commented 9 months ago

Should be no problem for now tho will do some testing tonight!

livenson commented 9 months ago

Well you can add it to the init script. I checked one deployment with almalinux, it worked there without this chmod hack. I am not 100% sure why though :)
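
The permission check behind the `permission denied` errors in this thread, as an added example (not code from the thread or from Waldur): it evaluates the socket's owner, group and mode against the calling process's uid and gids, and flags the world-writable state left by `chmod 666`. The function names and the gid 998 used in testing are constructed; ACLs and LSMs (AppArmor/SELinux) are assumed absent, as the reporter stated.

```python
import os
import stat

SOCK = "/var/run/docker.sock"  # socket path from the thread


def diagnose(mode, owner_uid, owner_gid, uid, gids):
    """Return (can_connect, reason) from classic owner/group/other checks.

    connect() on a Unix socket needs write permission on the socket file.
    The kernel uses the gids of the calling process (here: the process
    inside the container), not the host's /etc/group.
    """
    if uid == 0:
        return True, "root (CAP_DAC_OVERRIDE) bypasses file mode checks"
    if uid == owner_uid:
        ok = bool(mode & stat.S_IWUSR)
        return ok, "owner write bit " + ("set" if ok else "missing")
    if owner_gid in gids:
        ok = bool(mode & stat.S_IWGRP)
        return ok, f"process has gid {owner_gid}; group write bit " + (
            "set" if ok else "missing")
    if mode & stat.S_IWOTH:
        # State left by `chmod 666`: every local user can drive the daemon.
        return True, "socket is world-writable"
    return False, f"process gids {sorted(gids)} do not include socket gid {owner_gid}"


def check_socket(path=SOCK):
    """Apply diagnose() to the real socket and the current process."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return diagnose(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                    os.geteuid(), gids)


if __name__ == "__main__":
    try:
        ok, reason = check_socket()
        print("connect allowed:" if ok else "connect denied:", reason)
    except FileNotFoundError:
        print(f"{SOCK} is not present in this environment")
```

Run it as the `waldur` user inside the container. If the reason is a missing gid, giving the container process the socket's numeric gid as a supplementary group (Compose's `group_add` key does this) grants access while the socket stays at its default mode.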