[SOLVED] How to install correctly docker-compose?

lakano · May 24, 2019, 10:47pm

Hello!
For professional reasons, I need to have docker-compose and docker.
I also need to use docker and not podman because we use Traefik that read the file /var/run/docker.sock for configuration.
To install docker & docker-compose, I’ve used: « sudo rpm-ostree install moby-engine docker-compose »
I’ve tried to add my user in the docker group, but there is a bug, so I can’t do a simple “docker ps” command without root priviledges…
When I start « sudo docker-compose up », all my containers that requires mounts / write access return “permission denied”, example:
php_1 | [24-May-2019 22:33:35] ERROR: failed to open configuration file ‘/usr/local/etc/php-fpm.d/zz-www.conf’: Permission denied (13)
mysql_crm_1 | chown: cannot read directory ‘/var/lib/mysql/’: Permission denied
and even Traefik can’t read correctly /var/run/docker.sock :
traefik_1 | time=“2019-05-24T22:33:43Z” level=error msg=“Failed to retrieve information of the docker client and server host: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.21/version: dial unix /var/run/docker.sock: connect: permission denied”

$ ls -la /var/run/docker.*
-rw-r--r--. 1 root root   4 25 mai   00:16 /var/run/docker.pid
srw-rw----. 1 root docker 0 24 mai   23:54 /var/run/docker.sock

So, I’ve tried to install docker inside toolbox (DinD), but on install I have some SELinux errors:
SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.31: Permission denied
load_policy: Can’t load policy: Permission denied

And I can’t start the service docker, I suppose there is no systemctl support inside toolbox.

I known we could rely on kubernetes / podman, but this is not the case on my office currently, so I need to found a solution if I want to keep Silverblue on my computer

Any ideas ?

refi64 · May 25, 2019, 1:35am

You need to add yourself to the docker group as shown here (“Manage Docker as a non-root user”) if you want to be able to use it without sudo.

lakano · May 25, 2019, 12:07pm

Hi @refi64,
yep but as said, it’s not works, we can’t add a user in a group on Silverblue (there is a bug and already a reported issue about that).
And, all errors reported in my post are executed in root ( sudo docker-compose up ).
If at least, I could start my stack in root, this could permit me to keep Silverblue on my laptop.

rajveermalviya · May 25, 2019, 12:38pm

Silverblue doesn’t support sysusers (useradd) yet, see this:

github.com/coreos/rpm-ostree

Drop requirement on nss-altfiles, use systemd sysusers

opened 02:42AM - 14 Nov 14 UTC

cgwalters

kind/enhancement jira area/sd-sysusers

Currently, all %posts are run on the server side. This means we need nss-altfil…es to help OSTree's 3 way merge of /etc. The systemd people added systemd-sysusers, with the intention that the updates happen on boot. A new hybrid option is running systemd-sysusers in the _new_ root just before reboot. This would avoid system mutation on boot with all the problems that entails (e.g. booting read-only should work, etc.)

Though you can manually add the docker group by running this command:

grep -E '^docker:' /usr/lib/group >> /etc/group

lakano · May 25, 2019, 3:45pm

Thanks @rajveermalviya
Now I have docker access from my default user without root priviledges, but I still have permission denied inside my php/mysql/nginx containers (as when started in root).
It’s really strange…

rajveermalviya · May 25, 2019, 4:06pm

in Silverblue everything under / is write-protected (except some directories) so you cannot directly mount your containers to / , you should use Fedora Workstation for that specific use case.

refi64 · May 25, 2019, 5:57pm

Whoops apologies for that mixup, I need to stop trying to do tech support late in the day .

How are you mounting these volumes? This could be an SELinux labeling issue. In order to have access to the directory from inside the container, it needs to be labeled a certain way; you can mount it with :z or :Z as explained here, or pass --security-opt label=disable to Docker somehow to disable the need to relabel.

lakano · May 28, 2019, 11:37am

Thanks for theses hints guys!
I’ve finally fixed it by using “named volumes” and upgrading my docker-compose version in the .yaml to 3.3

I change my issue to SOLVED, but I still have a problem with sharing /var/run/docker.sock for traefik, but I’ll try to find another solution for this.

EDIT:
If this could help others, to solve traefik permissions problem, here is my configuration:

  traefik:
    privileged: true
    image: traefik:1.7.11-alpine
    command: --api --docker --docker.endpoint=unix:///etc/docker.sock
    networks:
      - net-fts
    ports:
      - '80:80'
      - '443:443'
      - '8000:8000' # dashboard
    volumes:
      - '/var/run/docker.sock:/etc/docker.sock:ro'
      - './traefik:/etc/traefik:ro'
    labels:
      - 'traefik.enable=false'
    depends_on:
      - http

So, I mount my traefik/ local folder (with certs and traefik.toml ) in /etc/traefik in read-only, and mount in read-only too the /var/run/docker.sock to /etc/docker.sock (to not have permission issues), then I adapt the command to set this docker sock path too.
BTW, this seems not very safe (cf. traefik docs), but in my case, it’s only for running on my laptop a similar configuration of our production kubernetes stack.

Topic		Replies	Views
Docker-compose creation error Project Discussion silverblue-team	6	3827	June 9, 2019
Docker-compose installation on Silverblue Project Discussion silverblue-team	2	4449	December 12, 2020
Docker volume permission denied Project Discussion silverblue-team	4	4355	June 26, 2019
Mounting volumes in Docker and SELinux Ask Fedora docker , selinux	1	2016	July 2, 2019
Docker error with /var/run/docker.sock Project Discussion silverblue-team	5	4481	August 11, 2019

[SOLVED] How to install correctly docker-compose?

Related topics