Bug 1145270

Summary: updating Docker cause users in docker group to not be able to use docker service
Product: Red Hat Enterprise Linux 7
Reporter: Eric Rich <erich>
Component: systemd
Assignee: systemd-maint
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: urgent
Priority: unspecified
Version: 7.0
CC: dwalsh, jpazdziora, jyundt, lars, lnykryn, lsm5, msekleta, riehecky, sghosh, systemd-maint-list, yundtj
Target Milestone: rc
Keywords: NeedsTestCase
Hardware: Unspecified
OS: Unspecified
Fixed In Version: systemd-208-12.el7
Doc Type: Bug Fix
Last Closed: 2014-10-01 10:11:55 UTC
Type: Bug
Bug Blocks: 1064025, 1145299

Description Eric Rich 2014-09-22 17:45:10 UTC
Description of problem:

Get http:///var/run/docker.sock/v1.13/containers/json?all=1: dial unix /var/run/docker.sock: permission denied

Version-Release number of selected component (if applicable):

Updating docker-0.11.1-22.el7.x86_64 to docker-1.1.2-13.el7.x86_64

How reproducible: VERY 

Steps to Reproduce:
1. yum update docker -y 

Actual results:

$ docker ps -a                                                                                                                 
2014/09/22 13:38:49 Get http:///var/run/docker.sock/v1.13/containers/json?all=1: dial unix /var/run/docker.sock: permission denied

Expected results:

Users of the Docker group should be allowed to use / interact with the docker service. 

Additional info:

Root User can still interact with Docker process. 
Restarting docker service works, and reports no errors

However stopping the service reports the following: 

# systemctl stop docker.service
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket

# lsof | grep /var/run/docker.sock
systemd       1           root   27u     unix 0xffff880079353a40       0t0     180497 /var/run/docker.sock

Reloading system also did not help, or re-starting services: 

# systemctl daemon-reload

# systemctl restart docker.service
# systemctl stop docker.service
# systemctl start docker.service

Comment 2 Daniel Walsh 2014-09-22 19:31:41 UTC
Well that is probably a good thing.

ls -l /var/run/docker.sock

 ls -l /var/run/docker.sock 
srw-rw----. 1 root docker 0 Sep 19 12:54 /var/run/docker.sock


This might be a bug in systemd...

Comment 8 Lars Kellogg-Stedman 2014-09-30 19:30:57 UTC
I think this is the same as:

https://bugzilla.redhat.com/show_bug.cgi?id=1119282

systemd 208 does not support the SocketGroup directive, so it always creates the socket with root:root ownership.  On Eric's system, running "chgrp docker /var/run/docker.sock" allowed a non-root user in the "docker" group to run docker.

Comment 9 Lars Kellogg-Stedman 2014-09-30 19:34:56 UTC
Note that running "chgrp" is a temporary workaround, because every time the socket is restarted (e.g., on reboot), it will get re-created with the root:root permissions.

I have verified that lack of SocketGroup/SocketUser is the problem:

Sep 30 14:52:27 host.example.com systemd[1]: [/usr/lib/systemd/system/docker.socket:8] Unknown lvalue 'SocketGroup' in section 'Socket'
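
A check for the failure described in Comments 8 and 9, added here as an example and not part of the original report or of the systemd or Docker packages: it scans journal text for ignored SocketUser/SocketGroup directives and compares a socket's on-disk group with the SocketGroup value in its unit file. The sample log and unit file are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: spot socket-ownership directives that systemd ignored, then
# compare the socket's real group with the one the unit file asks for.

# Constructed journal excerpt; the second line has the shape quoted in Comment 9.
SAMPLE_LOG="Sep 30 14:52:20 host.example.com systemd[1]: Starting Docker Socket for the API.
Sep 30 14:52:27 host.example.com systemd[1]: [/usr/lib/systemd/system/docker.socket:8] Unknown lvalue 'SocketGroup' in section 'Socket'
Sep 30 14:52:27 host.example.com systemd[1]: [/etc/systemd/system/demo.service:4] Unknown lvalue 'Bogus' in section 'Service'"

# Constructed unit file (not the shipped docker.socket).
SAMPLE_UNIT="[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target"

# stdin: journal text. Prints "<unit file> <directive>" per ignored directive.
ignored_socket_directives() {
    sed -nE "s/.*\[(.*\.socket):[0-9]+\] Unknown lvalue '(Socket(User|Group))' in section 'Socket'.*/\1 \2/p"
}

# stdin: unit file. Prints the last value of key $1 inside [Socket].
socket_setting() {
    awk -v key="$1" '
        /^\[/ { in_socket = ($0 == "[Socket]"); next }
        in_socket && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }'
}

# Returns 0 if path $1 has group $2, 1 on mismatch, 2 if the path is missing.
check_socket_group() {
    [ -e "$1" ] || { echo "MISSING $1"; return 2; }
    have=$(ls -ld -- "$1" | awk '{ print $4 }')
    if [ "$have" = "$2" ]; then echo "OK $1 group=$have"; return 0; fi
    echo "MISMATCH $1 group=$have expected=$2"; return 1
}

printf '%s\n' "$SAMPLE_LOG" | ignored_socket_directives
want=$(printf '%s\n' "$SAMPLE_UNIT" | socket_setting SocketGroup)
check_socket_group /var/run/docker.sock "$want" || true
```

On a live host, feed `ignored_socket_directives` the output of `journalctl -b` and `socket_setting` the output of `systemctl cat docker.socket`; a MISMATCH after every socket restart matches the temporary nature of the chgrp workaround noted in Comment 9.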

Comment 10 Lars Kellogg-Stedman 2014-09-30 19:36:00 UTC
I am retargeting this bz to systemd.

Note that the systemd 208 packages in F20 already have the necessary support backported.

Comment 11 Michal Sekletar 2014-10-01 10:11:55 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1111761

Comment 13 Daniel Walsh 2014-10-24 20:43:42 UTC
*** Bug 1146705 has been marked as a duplicate of this bug. ***

Comment 17 Daniel Walsh 2014-11-05 14:03:59 UTC
Is this going to be fixed in 7.1?  7.0z?  or 8.0?  What does Closed NextRelease mean?

Comment 18 Lukáš Nykrýn 2014-11-05 14:09:07 UTC
Michal has added "socket: add SocketUser= and SocketGroup= for chown()ing sockets in the file system" to 208-12 so it means that it will be in 7.1.

Comment 19 Michal Sekletar 2014-11-06 08:59:33 UTC
Sorry for the confusion. This is dup of #1111761 which will be fixed in RHEL-7.1.

*** This bug has been marked as a duplicate of bug 1111761 ***