[SOLVED] How to install correctly docker-compose?

Hello!
For professional reasons, I need to have docker-compose and docker.
I also need to use docker and not podman because we use Traefik, which reads the file /var/run/docker.sock for its configuration.
To install docker & docker-compose, I've used: "sudo rpm-ostree install moby-engine docker-compose"
I've tried to add my user to the docker group, but there is a bug, so I can't run a simple "docker ps" command without root privileges…
When I start "sudo docker-compose up", all my containers that require mounts / write access return "permission denied", for example:
php_1 | [24-May-2019 22:33:35] ERROR: failed to open configuration file '/usr/local/etc/php-fpm.d/zz-www.conf': Permission denied (13)
mysql_crm_1 | chown: cannot read directory '/var/lib/mysql/': Permission denied
and even Traefik can't read /var/run/docker.sock correctly:
traefik_1 | time="2019-05-24T22:33:43Z" level=error msg="Failed to retrieve information of the docker client and server host: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.21/version: dial unix /var/run/docker.sock: connect: permission denied"

$ ls -la /var/run/docker.*
-rw-r--r--. 1 root root   4 25 mai   00:16 /var/run/docker.pid
srw-rw----. 1 root docker 0 24 mai   23:54 /var/run/docker.sock

So, I’ve tried to install docker inside toolbox (DinD), but on install I have some SELinux errors:
SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.31: Permission denied
load_policy: Can’t load policy: Permission denied

And I can’t start the service docker, I suppose there is no systemctl support inside toolbox.

I know we could rely on kubernetes / podman, but this is not the case at my office currently, so I need to find a solution if I want to keep Silverblue on my computer :frowning:

Any ideas ?

You need to add yourself to the docker group as shown here (“Manage Docker as a non-root user”) if you want to be able to use it without sudo.

Hi @refi64,
yep, but as I said, it doesn't work: we can't add a user to a group on Silverblue (there is a bug and an issue has already been reported about that).
And all the errors reported in my post occurred while running as root ( sudo docker-compose up ).
If I could at least start my stack as root, that would let me keep Silverblue on my laptop.

Silverblue doesn’t support sysusers (useradd) yet, see this:

Though you can manually add the docker group by running this command:

grep -E '^docker:' /usr/lib/group >> /etc/group
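The one-liner above appends a new "docker:" line every time it is run, and it still leaves the user to be added to the group by hand. The following is an added example (not from the thread or from Fedora) that does the same copy idempotently and then edits the member field of the group entry, which is what the missing useradd/usermod would normally do. The default paths /usr/lib/group and /etc/group are an assumption about the Silverblue layout described in the reply; both are parameters so the functions can be tried on scratch files first.

```shell
#!/bin/sh
# Added example, not from the original thread. Idempotent variant of
# "grep -E '^docker:' /usr/lib/group >> /etc/group": the group line is copied
# only if the target file does not already define the group, and a user can
# then be added to the group's member field directly.

# ensure_group_entry GROUP [SRC] [DST]
# Append GROUP's line from SRC to DST unless DST already defines GROUP.
# Default paths are an assumption about the Silverblue layout.
ensure_group_entry() {
    group="$1"; src="${2:-/usr/lib/group}"; dst="${3:-/etc/group}"
    if grep -q "^${group}:" "$dst"; then
        return 0                                   # already present
    fi
    line=$(grep "^${group}:" "$src") || return 1   # group unknown in SRC
    printf '%s\n' "$line" >> "$dst"
}

# in_group GROUP USER [DST]
# Succeed if USER is listed in GROUP's comma-separated member field.
in_group() {
    group="$1"; user="$2"; dst="${3:-/etc/group}"
    grep -Eq "^${group}:[^:]*:[^:]*:(.*,)?${user}(,.*)?\$" "$dst"
}

# add_user_to_group GROUP USER [SRC] [DST]
# Make sure GROUP exists in DST (copying it from SRC if needed) and append
# USER to its member field; the empty-member-list case gets no leading comma.
add_user_to_group() {
    group="$1"; user="$2"; src="${3:-/usr/lib/group}"; dst="${4:-/etc/group}"
    ensure_group_entry "$group" "$src" "$dst" || return 1
    if in_group "$group" "$user" "$dst"; then
        return 0                                   # already a member
    fi
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g { $4 = ($4 == "" ? u : $4 "," u) }
        { print }
    ' "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# Usage on the real files (as root; log out and back in afterwards so the
# new group membership is picked up by your session):
#   add_user_to_group docker yourlogin
```

Run it on the real files only after checking the result on copies; editing /etc/group without the usual tooling bypasses the locking that usermod would do, so do not run it while another account-management command is in progress.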

Thanks @rajveermalviya
Now I have docker access from my default user without root privileges, but I still have permission denied inside my php/mysql/nginx containers (as when started as root).
It’s really strange…

In Silverblue everything under / is write-protected (except some directories), so you cannot directly mount your containers to /; you should use Fedora Workstation for that specific use case.

Whoops apologies for that mixup, I need to stop trying to do tech support late in the day :sweat_smile:.

How are you mounting these volumes? This could be an SELinux labeling issue. In order to have access to the directory from inside the container, it needs to be labeled a certain way; you can mount it with :z or :Z as explained here, or pass --security-opt label=disable to Docker somehow to disable the need to relabel.

Thanks for these hints, guys!
I’ve finally fixed it by using “named volumes” and upgrading my docker-compose version in the .yaml to 3.3

I've changed my issue to SOLVED, but I still have a problem with sharing /var/run/docker.sock for traefik; I'll try to find another solution for this.

EDIT:
If this could help others, to solve traefik permissions problem, here is my configuration:

  traefik:
    privileged: true
    image: traefik:1.7.11-alpine
    command: --api --docker --docker.endpoint=unix:///etc/docker.sock
    networks:
      - net-fts
    ports:
      - '80:80'
      - '443:443'
      - '8000:8000' # dashboard
    volumes:
      - '/var/run/docker.sock:/etc/docker.sock:ro'
      - './traefik:/etc/traefik:ro'
    labels:
      - 'traefik.enable=false'
    depends_on:
      - http

So, I mount my local traefik/ folder (with certs and traefik.toml ) read-only at /etc/traefik, and also mount /var/run/docker.sock read-only at /etc/docker.sock (to avoid permission issues), then I adapt the command to set this docker sock path as well.
BTW, this doesn't seem very safe (cf. traefik docs), but in my case it's only for running, on my laptop, a configuration similar to our production kubernetes stack.
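The two SELinux hints from the thread (":z"/":Z" on bind mounts or label=disable, from the earlier reply, and the traefik service from the last post) combined into one compose file, as an added example that is not from the thread, from Fedora or from the Traefik project. The php and mysql images, the service names and the host paths are assumptions; the network and depends_on entries of the original traefik service are left out. The one change worth noting against the posted config is that "privileged: true" is replaced by "security_opt: label=disable": that only switches off SELinux label separation for the container, which is what the socket and the bind mounts need, instead of additionally granting every capability and all host devices. It does not make the socket mount safe: any process that can talk to the daemon API through /var/run/docker.sock can ask it to start a privileged container on the host, and ":ro" only prevents writing to the socket inode, so the remark about safety in the post above still applies.

```yaml
# Added example, not the thread author's compose file. Images, paths and
# service names are assumptions chosen to match the errors quoted in the thread.
version: '3.3'

services:
  php:
    image: php:7.3-fpm                # assumed image; the thread names none
    volumes:
      # Bind mount with ":z": Docker relabels the host directory with a shared
      # SELinux label so this (and any other) container can read and write it.
      # ":Z" instead gives it a private label usable by this container only.
      - './app:/var/www/html:z'

  mysql_crm:
    image: mysql:5.7                  # assumed image
    volumes:
      # Named volume: Docker creates and owns the directory itself, which
      # avoids the host-directory labeling problem the bind mounts had and is
      # what the author switched to for the data directories.
      - 'mysql_crm_data:/var/lib/mysql'

  traefik:
    image: traefik:1.7.11-alpine
    # Replaces "privileged: true" from the posted config: only SELinux label
    # separation is disabled for this container so it may connect to the
    # daemon socket; no extra capabilities or host devices are granted.
    security_opt:
      - label=disable
    command: --api --docker --docker.endpoint=unix:///var/run/docker.sock
    ports:
      - '80:80'
      - '443:443'
      - '8000:8000'                   # dashboard; keep it off untrusted networks
    volumes:
      # ":ro" only protects the socket inode. The daemon API behind it can
      # still create privileged containers, so this is root-equivalent access.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - './traefik:/etc/traefik:ro'
    labels:
      - 'traefik.enable=false'

volumes:
  mysql_crm_data:
```

If the host directory under "./app" is later used by other tooling, prefer ":Z" over ":z" and keep the mount limited to that one container; the shared label from ":z" is readable and writable by every container on the host.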