barn
(barnabas)
August 8, 2019, 2:46am
1
Having trouble with this container: jwilder/nginx-proxy. I haven't had any issues on other distros.
dockergen.1 | 2019/08/08 02:39:50 Error retrieving docker server version info: Get http://unix.sock/version: dial unix /tmp/docker.sock: connect: permission denied
Here is a sample launch script:
sudo docker run --detach \
  --name nginx-proxy \
  --publish 80:80 \
  --publish 443:443 \
  --volume /etc/nginx/certs \
  --volume /etc/nginx/vhost.d \
  --volume /usr/share/nginx/html \
  --volume /var/run/docker.sock:/tmp/docker.sock:ro \
  jwilder/nginx-proxy
Obviously it's a permission issue, but I haven't had any luck getting around it yet.
refi64
(Ryan Gonzalez)
August 8, 2019, 4:39am
2
I'm guessing this is due to the normal interactions between Docker and SELinux. In most cases, you can automatically change the SELinux label of a volume you're mounting via the :z and :Z modifiers, but in this case you probably don't want to relabel the Docker socket. As a workaround therefore, you can try disabling SELinux label enforcement for this container via --security-opt label=disable.
3 Likes
miabbott
(Micah Abbott)
August 9, 2019, 3:52pm
3
Is the docker service started? systemctl status docker
What do the permissions + SELinux labels look like on the socket? ls -laZ /tmp/docker.sock
Are there any errors in the journal about docker? journalctl -b | grep docker
Additionally, any SELinux denials? journalctl -b | grep 'avc: denied'
barn
(barnabas)
August 10, 2019, 2:56pm
4
Yup, this works. What's a more permanent fix?
barn
(barnabas)
August 10, 2019, 2:57pm
5
I think you and refi64 are right on. The suggestion to disable SELinux worked. Here is the info you requested:
Is the docker service started?
…yes.
What do the permissions + SELinux labels look like on the socket?
$ ls -laZ /var/run/docker.sock
srw-rw----. 1 root root system_u:object_r:container_var_run_t:s0 0 Aug 5 21:50 /var/run/docker.sock
Are there any errors in the journal about docker?
Additionally, any SELinux denials?
Yes, this is the top error, which includes the AVC denial:
Aug 10 09:32:41 mediabarn audit[13556]: AVC avc: denied { connectto } for pid=13556 comm="docker-gen" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c179,c1019 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
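As an added example (not part of this thread, and not from the nginx-proxy project): a small POSIX shell triage script that pulls the relevant fields out of AVC lines like the one quoted above and maps the docker-socket case to the per-container workaround discussed in this thread. The journal lines in SAMPLE_JOURNAL are constructed, modelled on the denial quoted above.

```shell
#!/bin/sh
# Constructed sample journal output (modelled on the denial in the post above).
SAMPLE_JOURNAL='Aug 10 09:32:41 mediabarn audit[13556]: AVC avc:  denied  { connectto } for  pid=13556 comm="docker-gen" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c179,c1019 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
Aug 10 09:32:41 mediabarn systemd[1]: Started docker.service.
Aug 10 09:32:42 mediabarn audit[13556]: AVC avc:  denied  { read } for  pid=13556 comm="docker-gen" name="docker.sock" scontext=system_u:system_r:container_t:s0:c179,c1019 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0'

# Read journal text on stdin; print one "comm perm tclass source_type target_type"
# record per AVC denial, keeping only the type part of each SELinux context.
summarize_avc() {
  awk '
    /avc: *denied/ {
      perm = ""; comm = ""; src = ""; tgt = ""; cls = ""
      # The denied permission sits between "{" and "}".
      if (match($0, /[{] *[a-z_]+ *[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2); gsub(/ /, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
        else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
        else if (kv[1] == "tclass")   { cls = kv[2] }
      }
      print comm, perm, cls, src, tgt
    }'
}

# Map each summarised denial to the advice given in this thread. A denied
# connectto whose target is container_runtime_t is a check against the daemon
# process on the other end of the socket, so relabelling the socket file with
# :z/:Z does not address it; the per-container label=disable option does.
# Any other denial: look at the file labels first (ls -laZ).
advise() {
  while read -r comm perm cls src tgt; do
    if [ "$cls" = "unix_stream_socket" ] && [ "$tgt" = "container_runtime_t" ]; then
      echo "$comm: connect to the docker daemon socket denied ($src -> $tgt);" \
           "run this container with --security-opt label=disable"
    else
      echo "$comm: $perm on $cls denied ($src -> $tgt); inspect labels with ls -laZ"
    fi
  done
}

# Usage: run the constructed sample through both steps.
printf '%s\n' "$SAMPLE_JOURNAL" | summarize_avc | advise
```

On a live system, replace the sample with journalctl -b | summarize_avc | advise to triage the current boot.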
refi64
(Ryan Gonzalez)
August 11, 2019, 4:15am
6
Afaik there isn't really one; you could disable SELinux system-wide or Docker-wide, but that would mess with the security of all your other containers with little benefit…
You could try relabeling the socket with :z, but it would likely mess stuff up.
1 Like