Permission denied when running docker-compose, even with sudo

Time:05-04

I've had a Docker-based environment running for a few months, configured via docker-compose, and have tried to add new Radarr/Tdarr containers to the configuration. When re-running the docker-compose command, it returns a Permission Denied error as follows:

dhevans@ubuntu:/htpc-svc$ sudo docker-compose pull && docker-compose up -d
Pulling plex-server   ... done
Pulling homeassistant ... done
Pulling node-red      ... done
Pulling watchtower    ... done
Pulling radarr        ... done
Pulling tdarr         ... done
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 677, in urlopen
  File "urllib3/connectionpool.py", line 392, in _make_request
  File "http/client.py", line 1277, in request
  File "http/client.py", line 1323, in _send_request
  File "http/client.py", line 1272, in endheaders
  File "http/client.py", line 1032, in _send_output
  File "http/client.py", line 972, in send
  File "docker/transport/unixconn.py", line 43, in connect
PermissionError: [Errno 13] Permission denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "requests/adapters.py", line 449, in send
  File "urllib3/connectionpool.py", line 727, in urlopen
  File "urllib3/util/retry.py", line 410, in increment
  File "urllib3/packages/six.py", line 734, in reraise
  File "urllib3/connectionpool.py", line 677, in urlopen
  File "urllib3/connectionpool.py", line 392, in _make_request
  File "http/client.py", line 1277, in request
  File "http/client.py", line 1323, in _send_request
  File "http/client.py", line 1272, in endheaders
  File "http/client.py", line 1032, in _send_output
  File "http/client.py", line 972, in send
  File "docker/transport/unixconn.py", line 43, in connect
urllib3.exceptions.ProtocolError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker/api/client.py", line 214, in _retrieve_server_version
  File "docker/api/daemon.py", line 181, in version
  File "docker/utils/decorators.py", line 46, in inner
  File "docker/api/client.py", line 237, in _get
  File "requests/sessions.py", line 543, in get
  File "requests/sessions.py", line 530, in request
  File "requests/sessions.py", line 643, in send
  File "requests/adapters.py", line 498, in send
requests.exceptions.ConnectionError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker-compose", line 3, in <module>
  File "compose/cli/main.py", line 81, in main
  File "compose/cli/main.py", line 200, in perform_command
  File "compose/cli/command.py", line 70, in project_from_options
  File "compose/cli/command.py", line 153, in get_project
  File "compose/cli/docker_client.py", line 43, in get_client
  File "compose/cli/docker_client.py", line 170, in docker_client
  File "docker/api/client.py", line 197, in __init__
  File "docker/api/client.py", line 222, in _retrieve_server_version
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
[2464] Failed to execute script docker-compose

During my testing for these containers, I have removed the new images from the compose file, and it still returns the error. This would indicate to me that it is not to do with the new containers, but something with Docker that no longer functions.

If I run sudo docker-compose up or sudo docker-compose up radarr, the containers start fine and I am able to access the web services remotely. They function as expected until I kill the command. This would indicate to me that there is no real problem with the images or config, but that there is something stopping my docker-compose file from correctly starting the entire configuration.

version: "3.4"
services:

  plex-server:
    container_name: plex-server
    image: linuxserver/plex
    restart: unless-stopped
    environment:
      - PUID=${PUID} # default user id, defined in .env
      - PGID=${PGID} # default group id, defined in .env
      - TZ=${TZ} # timezone, defined in .env
      - VERSION=docker
    network_mode: host
    volumes:
      - ${ROOT}/config/plex/db:/config # plex database
      - ${ROOT}/data/config/plex/transcode:/transcode # temp transcoded files
      - /mnt/elements:/elements
      - /mnt/expansion:/expansion

  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - ${ROOT}/config/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    privileged: true
    network_mode: host

  node-red:
    image: nodered/node-red:latest
    restart: always
    depends_on:
      - "homeassistant"
    user: root
    environment:
      - TZ=Europe/Zurich
#    ports:
#      - "1880:1880"
    network_mode: host
    volumes:
      - ${ROOT}/config/nodered:/data
      - /etc/localtime:/etc/localtime:ro

  watchtower:
    container_name: watchtower
    image: v2tec/watchtower
    network_mode: host
    environment:
      - LOG_LEVEL=info
      - PUID=${PUID} # default user id, defined in .env
      - PGID=${PGID} # default group id, defined in .env
      - TZ=${TZ} # timezone, defined in .env
      - UMASK=022 #optional
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  radarr:
    container_name: radarr
    image: cr.hotio.dev/hotio/radarr
    network_mode: bridge
    ports:
      - "7878:7878"
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - UMASK=002
      - TZ=${TZ}
    volumes:
      - ${ROOT}/config/radarr:/config # plex database
      - /mnt/elements:/elements
      - /mnt/expansion:/expansion

  tdarr:
    container_name: tdarr
    image: ghcr.io/haveagitgat/tdarr:latest
    restart: unless-stopped
    network_mode: bridge
    ports:
      - 8265:8265 # webUI port
      - 8266:8266 # server port
      # - 8267:8267 # Internal node port
      # - 8268:8268 # Example extra node port
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
      - UMASK_SET=002
      - serverIP=0.0.0.0
      - serverPort=8266
      - webUIPort=8265
      - internalNode=true
      - nodeID=MyInternalNode
    volumes:
      - ${ROOT}/config/tdarr/server:/app/server
      - ${ROOT}/config/tdarr/config:/app/configs
      - ${ROOT}/config/tdarr/logs:/app/logs
      - ${ROOT}/data/tdarr/transcode_cache:/temp
      - /mnt/elements:/elements
      - /mnt/expansion:/expansion

tl;dr; Tried to add new containers to docker-compose. Always getting the error. Removed new containers, still get the error. Old websites still work, new websites only work via docker-compose-up. Everything is run as sudo. Please tell me what I'm doing wrong, or where to look as I've been hitting my head against a brick wall for a few hours now.

CodePudding user response:

I removed all but the first service, restarted the service.

I re-added the services, one by one, starting the new one each time.

I did not receive any errors. I executed a sudo docker-compose down, all containers stopped. I reissued a sudo docker-compose up -d and all containers started without any errors.

I don't know why it worked this time and not before...

CodePudding user response:

It seems the error you get first was not a heisenbug, but should be reproducible any time you run docker-compose without sudo (as the Docker daemon socket is owned by root:docker).

To be more precise, the error was related to the fact you executed the command:

sudo docker-compose pull && docker-compose up -d  #(1.)

which does not have the same semantics as

sudo /bin/bash -c "docker-compose pull && docker-compose up -d"  #(2.)

and thus, the docker-compose up -d part of command 1. was run without root permissions.

So if you want to combine both without running an extra bash process, you could just run:

sudo docker-compose pull && sudo docker-compose up -d

As an aside, note that it is possible to "remove" the sudo prefix from Docker commands, in at least 2 ways: join the docker group (which can be risky on a personal workstation), or use a bash alias; see e.g. this earlier answer of mine for details: docker.sock permission denied.
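
The difference between forms (1.) and (2.) in the answer above, as an added example that is not part of the original answers. Here env DEMO_ROLE=root stands in for sudo so the script runs without privileges; DEMO_ROLE, form1, form2 and unprivileged_segments are names made up for this example. The last function goes slightly beyond the one command discussed and flags any segment of a command list that lacks a sudo prefix.

```sh
#!/bin/sh
# Added example. `env DEMO_ROLE=root` stands in for sudo so this runs without
# privileges; DEMO_ROLE is a made-up marker, not a Docker or sudo variable.
unset DEMO_ROLE

# Form (1): the prefix covers only the first command of the && list.
form1() {
  env DEMO_ROLE=root sh -c 'printf "pull:%s " "${DEMO_ROLE:-user}"' &&
    sh -c 'printf "up:%s\n" "${DEMO_ROLE:-user}"'
}

# Form (2): the whole list is an argument to one prefixed shell.
form2() {
  env DEMO_ROLE=root sh -c \
    'printf "pull:%s " "${DEMO_ROLE:-user}" && printf "up:%s\n" "${DEMO_ROLE:-user}"'
}

# Print every segment of a command line (split on &&, || and ; outside quotes)
# that does not start with sudo. Simplified on purpose: backslash escapes,
# pipes and subshells are not handled.
unprivileged_segments() {
  printf '%s\n' "$1" | awk '
    function emit(s) {
      gsub(/^[ \t]+|[ \t]+$/, "", s)
      if (s != "" && s !~ /^sudo([ \t]|$)/) print s
    }
    {
      seg = ""; q = ""; n = length($0)
      for (i = 1; i <= n; i++) {
        c = substr($0, i, 1); two = substr($0, i, 2)
        if (q != "") { if (c == q) q = ""; seg = seg c; continue }
        if (c == "\"" || c == "\047") { q = c; seg = seg c; continue }
        if (two == "&&" || two == "||") { emit(seg); seg = ""; i++; continue }
        if (c == ";") { emit(seg); seg = ""; continue }
        seg = seg c
      }
      emit(seg)
    }'
}

form1   # pull:root up:user
form2   # pull:root up:root
unprivileged_segments 'sudo docker-compose pull && docker-compose up -d'
```

The final call prints docker-compose up -d, the segment that reached the root:docker-owned daemon socket as the ordinary user.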
