Docker socket not accessible due to file permissions-CodePudding

I am trying to simulate a development environment in a Docker container. As part of this effort, I want the Docker container to have the same users and groups as the host. This can be achieved by mounting the host's user and group configuration file when running docker run (see the full docker run command at the bottom).

When you start this container, you login into the container as the same user and group as on the host (specifying the flag --user $(id -u):$(id -g)). Suppose that user is ubuntu and that group is also ubuntu.

Now, I also want to be able to run Docker commands from within the container. I attempt doing this by mounting the docker socket file so the Docker client in the Docker container can communicate with the Docker daemon on the host.

On the host, the login user has been added to the group docker and the docker socket file permissions are set such that any user in the group docker can issue docker commands:

ubuntu@laptop:$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Feb  8 09:45 /var/run/docker.sock

ubuntu@laptop:$ docker images # (no sudo required)
REPOSITORY                                                           TAG                                        IMAGE ID       CREATED          SIZE
dind                                                                 latest                                     65b727c75899   42 minutes ago   611MB
postgres                                                             9.6-bullseye                               2266d156fa6a   5 weeks ago      239MB
ubuntu                                                               20.04                                      ba6acccedd29   3 months ago     72.8MB

However, when I run a docker command like docker images from inside the container, I get a file permission error:

ubuntu@b5bb183641e8:$ docker images
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http:///var/run/docker.sock/v1.24/images/json: dial unix /var/run/docker.sock: connect: permission denied

If I run the above command as root (or with sudo) in the Docker container, the above command runs correctly.

This is happening because the user ubuntu is able to read/write to the docker socket on the host, but not on the container. I don't understand why that would be the case provided that I have mounted all the relevant file permissions configuration files from the host onto the container. I expect the same behavior on the container as on the host.

For reference, Image (tagged as `dind:latest) of the container is defined by the following Dockefile

FROM ubuntu:20.04

RUN apt update && apt -y install sudo docker.io

CMD /bin/bash

Running the docker container with all the relevant files mounted:

$ docker run \
> --user $(id -u):$(id -g) \
> -v /etc/group:/etc/group:ro \
> -v /etc/gshadow:/etc/gshadow:ro \
> -v /etc/passwd:/etc/passwd:ro \
> -v /etc/shadow:/etc/shadow:ro \
> -v /etc/sudoers.d:/etc/sudoers.d:ro \
> -v /var/run/docker.sock:/var/run/docker.sock \
> dind:latest

CodePudding user response：

When you specify a group with this option:

--user $(id -u):$(id -g)

that is the only group assigned to the user, it ignores everything else specified in /etc/group. Normally you can specify just the user and the group ids will be configured from /etc/passwd and /etc/group. That would look like:

--user $(id -u)

Unfortunately, I believe this is done based on the files in the image, before the volume is mounted. So you need to manually add additional groups with --group-add, and for the docker socket you need the docker group (you may need to replace that with the gid):

--group-add docker