podman-docker socket does not allow access for the docker group

Bug #1958827 reported by Václav Šmilauer
This bug affects 1 person

Affects: libpod (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I installed podman-docker, which essentially symlinks /run/docker.sock -> /run/podman/podman.sock. In a normal Docker (docker.io) installation, the socket is accessible by the "docker" group; the podman-docker socket is not (/run/podman/podman.sock is root:root). This does not break the "docker" command (as it is just a wrapper around podman) but does break tools which connect to the docker socket directly, such as docker-compose (meaning docker-compose has to be run as root). I don't know what the solution is, but it should be at least documented.

Running docker-compose:

docker-compose -f container.yml up --build --remove-orphans
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 394, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python3.9/http/client.py", line 1285, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1331, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1280, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1040, in _send_output
    self.send(msg)
  File "/usr/lib/python3.9/http/client.py", line 980, in send
    self.connect()
  File "/usr/lib/python3/dist-packages/docker/transport/unixconn.py", line 30, in connect
    sock.connect(self.unix_socket)
PermissionError: [Errno 13] Permission denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 532, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/lib/python3/dist-packages/six.py", line 718, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 394, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python3.9/http/client.py", line 1285, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1331, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1280, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1040, in _send_output
    self.send(msg)
  File "/usr/lib/python3.9/http/client.py", line 980, in send
    self.connect()
  File "/usr/lib/python3/dist-packages/docker/transport/unixconn.py", line 30, in connect
    sock.connect(self.unix_socket)
urllib3.exceptions.ProtocolError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 214, in _retrieve_server_version
    return self.version(api_version=False)["ApiVersion"]
  File "/usr/lib/python3/dist-packages/docker/api/daemon.py", line 181, in version
    return self._result(self._get(url), json=True)
  File "/usr/lib/python3/dist-packages/docker/utils/decorators.py", line 46, in inner
    return f(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 237, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 555, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 498, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/docker-compose", line 33, in <module>
    sys.exit(load_entry_point('docker-compose==1.27.4', 'console_scripts', 'docker-compose')())
  File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 67, in main
    command()
  File "/usr/lib/python3/dist-packages/compose/cli/main.py", line 123, in perform_command
    project = project_from_options('.', options)
  File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 60, in project_from_options
    return get_project(
  File "/usr/lib/python3/dist-packages/compose/cli/command.py", line 131, in get_project
    client = get_client(
  File "/usr/lib/python3/dist-packages/compose/cli/docker_client.py", line 41, in get_client
    client = docker_client(
  File "/usr/lib/python3/dist-packages/compose/cli/docker_client.py", line 170, in docker_client
    client = APIClient(**kwargs)
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 197, in __init__
    self._version = self._retrieve_server_version()
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 221, in _retrieve_server_version
    raise DockerException(
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: podman-docker 3.2.1+ds1-2ubuntu3
ProcVersionSignature: Ubuntu 5.15.0-17.17-generic 5.15.12
Uname: Linux 5.15.0-17-generic x86_64
ApportVersion: 2.20.11-0ubuntu75
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Mon Jan 24 08:19:22 2022
InstallationDate: Installed on 2022-01-20 (3 days ago)
InstallationMedia: Kubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220118)
SourcePackage: libpod
UpgradeStatus: No upgrade log present (probably fresh install)

Václav Šmilauer (eudoxos) wrote:
description: updated

Guilherme Blanco (guilhermeblanco) wrote:

I solved this problem by modifying: /etc/systemd/system/sockets.target.wants/podman.socket

Changed the line SocketMode=0660 to SocketMode=0666
Then ran:

sudo systemctl daemon-reload
sudo systemctl restart podman.socket

Problem solved. =)

Jiri Danek (jdanek) wrote:

Instead of modifying
/etc/systemd/system/sockets.target.wants/podman.socket directly, I used

$ sudo systemctl edit podman.socket

to create /etc/systemd/system/podman.socket.d/override.conf, where I put

[Socket]
SocketMode=0666

and then I deleted

$ sudo rm -rf /run/podman

so that the directory got recreated with the right permissions, and then

$ sudo systemctl daemon-reload
$ sudo systemctl restart podman.socket

To make podman use that socket, I did

$ export CONTAINER_HOST=unix://run/podman/podman.sock

edit: I guess that you could put this into the config instead

[Socket]
SocketGroup=docker

which should work also, because default mode is 0660 and this would set the `docker` group on the socket, which you initially wanted.
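
The drop-ins in this thread differ in who may reach the API socket (SocketMode=0666 opens it to every local account, SocketGroup=docker with the default 0660 only to that group). The check below is an added example, not part of the original thread, that reports this from the mode bits of the socket and of its parent directory. It assumes GNU stat and readlink; the function name socket_exposure is hypothetical, and only the immediate parent directory is examined.

```shell
#!/bin/sh
# Added example (not from the bug thread): report who can connect to a unix
# socket. connect() needs write permission on the socket and search (x)
# permission on the directory holding it, so both are inspected.
# Assumption: ancestors above the parent directory (e.g. /run) are searchable.
#
# socket_exposure PATH prints one of:
#   world        any local user can connect  (e.g. SocketMode=0666)
#   group:NAME   owner and members of NAME   (e.g. SocketGroup=docker, 0660)
#   owner:NAME   the owning user only
# and returns 2 if PATH does not exist.
socket_exposure() {
    # Resolve symlinks such as /run/docker.sock -> /run/podman/podman.sock
    real=$(readlink -f -- "$1") || return 2
    [ -e "$real" ] || return 2
    dir=$(dirname -- "$real")

    smode=$(stat -c '%a' -- "$real")   # octal mode, e.g. 660
    sown=$(stat -c '%U' -- "$real")
    sgrp=$(stat -c '%G' -- "$real")
    dmode=$(stat -c '%a' -- "$dir")
    dgrp=$(stat -c '%G' -- "$dir")

    s=$((0$smode))                     # leading 0 makes the literal octal
    d=$((0$dmode))

    if [ $((s & 02)) -ne 0 ] && [ $((d & 01)) -ne 0 ]; then
        # other-write on the socket, other-search on the directory
        echo world
    elif [ $((s & 020)) -ne 0 ] && {
             [ $((d & 01)) -ne 0 ] ||
             { [ $((d & 010)) -ne 0 ] && [ "$dgrp" = "$sgrp" ]; }
         }; then
        # group-write on the socket, and the group can enter the directory
        echo "group:$sgrp"
    else
        echo "owner:$sown"
    fi
}

# Run against a path given on the command line, e.g. /run/docker.sock
if [ $# -gt 0 ]; then
    socket_exposure "$1"
fi
```

A result of "world" on the system (root) podman socket means any local account can drive the container engine running as root.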
