Docker error with /var/run/docker.sock

barn · August 8, 2019, 2:46am

Having trouble with this container: jwilder/nginx-proxy. I havnt had any issues on other distros.

dockergen.1 | 2019/08/08 02:39:50 Error retrieving docker server version info: Get http://unix.sock/version: dial unix /tmp/docker.sock: connect: permission denied

Here is a sample launch script:

sudo docker run --detach
–name nginx-proxy
–publish 80:80
–publish 443:443
–volume /etc/nginx/certs
–volume /etc/nginx/vhost.d
–volume /usr/share/nginx/html
–volume /var/run/docker.sock:/tmp/docker.sock:ro
jwilder/nginx-proxy

Obviously its a permission issue. But i haven’t had luck getting around yet.

refi64 · August 14, 2019, 2:31am

I’m guessing this is due to the normal interactions between Docker and SELinux. In most cases, you can automatically change the SELinux label of a volume you’re mounting via the :z and :Z modifiers, but in this case you probably don’t want to relabel the Docker socket. As a workaround therefore, you can try disabling SELinux label enforcement for this container via --security-opt label=disable.

miabbott · August 9, 2019, 3:52pm

Is the docker service started? systemctl status docker

What do the permissions + SELinux labels look like on the socket? ls -laZ /tmp/docker.sock

Are there any errors in the journal about docker? journalctl -b | grep docker

Additionally, any SELinux denials? journalctl -b | grep 'avc: denied'

barn · August 10, 2019, 2:56pm

Yup, this works. Whats a more permanent fix?

barn · August 10, 2019, 2:58pm

I think you and refi64 are right on. The suggestion to disable SELinux worked. Here is the info you requested:

Is the docker service started?

…yes.

What do the permissions + SELinux labels look like on the socket?

$ ls -laZ /var/run/docker.sock
srw-rw----. 1 root root system_u:object_r:container_var_run_t:s0 0 Aug 5 21:50 /var/run/docker.sock

Are there any errors in the journal about docker ?
Additionally, any SELinux denials?

Yes, this is the top error which includes avc denial:

Aug 10 09:32:41 mediabarn audit[13556]: AVC avc: denied { connectto } for pid=13556 comm=“docker-gen” path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c179,c1019 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0

refi64 · August 14, 2019, 2:31am

Afaik there isn’t really one, you could disable selinux system-wide or Docker-wide, but that would mess with the security of all your other containers with little benefit…

You could try relabeling the socket with :z, but it would likely mess stuff up.