Bug 1214104

Summary: /var/run/docker.sock permissions
Product: Red Hat Enterprise Linux 7
Reporter: Tomas Dabašinskas <tdabasin>
Component: docker
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
QA Contact: Luwen Su <lsu>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: lsm5
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-15 20:55:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tomas Dabašinskas 2015-04-22 01:40:52 UTC
Description of problem:
/var/run/docker.sock is created as root:root, but a user and group are created when docker is installed (dockerroot:dockerroot). Please use systemd tmpfiles.d to set the permissions for /var/run/docker.sock to dockerroot:dockerroot; otherwise docker fails to connect with the error:

FATA[0000] Post http:///var/run/docker.sock/v1.18/containers/create: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?

Version-Release number of selected component (if applicable):
docker-1.5.0-27.el7.x86_64

P.S.
The documentation at https://access.redhat.com/articles/881893 needs updating to say that the user must be part of the dockerroot group to use docker.

Comment 2 Tomas Dabašinskas 2015-04-22 01:55:19 UTC
Please note that /var/run/docker.sock is a socket (not a regular file), so creating it using

f /var/run/docker.sock  0755 dockerroot dockerroot - -

will not work. I can't find any information at http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html on changing permissions for sockets.

Comment 3 Tomas Dabašinskas 2015-04-22 02:33:13 UTC
You may also add the following to /usr/lib/systemd/system/docker.service:

ExecStartPost=/usr/bin/chown dockerroot:dockerroot /var/run/docker.sock

Please note that this uses the default socket path; if OPTIONS in /etc/sysconfig/docker is changed to specify a different socket path with the -H flag, the service won't start, as it won't find the socket...

Comment 4 Daniel Walsh 2015-04-22 19:30:08 UTC
We don't want to allow docker access from non-privileged users, since this is the equivalent of allowing these users root access with no logging. We would prefer that you set them up to use sudo.

We will not fix this issue until we have proper logging and Access Control built into docker.
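Added example, not part of this bug report and not code from the docker package or from Red Hat: a small POSIX shell audit that lists every non-root account able to write to the Docker control socket, which is the access Comment 4 treats as root-equivalent and unlogged. The pure function works on owner, group, mode and group-member values so it can be tested offline; the wrapper reads a live socket and assumes GNU `stat -c` and `getent` are available. The group name dockerroot comes from the report; the accounts alice and bob are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the bug report): who can talk to the Docker control
# socket? Anyone who can write to it can ask the daemon to start a privileged
# container, so each such account is reported as root-equivalent.

# audit_socket_access OWNER GROUP MODE "MEMBERS"
#   OWNER, GROUP  owner and group of the socket
#   MODE          octal permission bits, e.g. 0660 or 660
#   MEMBERS       space-separated members of GROUP (as listed by getent group)
# Prints one line per non-root principal with write access; returns 0 when
# only root can reach the socket, 1 otherwise.
audit_socket_access() {
    owner=$1 group=$2 mode=$3 members=$4
    found=0
    # keep the last three octal digits: user, group, other
    perms=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)

    # owner: the write bit is 2 in each octal digit
    if [ $((u & 2)) -ne 0 ] && [ "$owner" != root ]; then
        printf '%s (socket owner)\n' "$owner"
        found=1
    fi
    # group: every member of the owning group gets the same access
    if [ $((g & 2)) -ne 0 ]; then
        for m in $members; do
            [ "$m" = root ] && continue
            printf '%s (member of group %s)\n' "$m" "$group"
            found=1
        done
    fi
    # other: world-writable means every local account
    if [ $((o & 2)) -ne 0 ]; then
        printf 'ALL USERS (socket is world-writable)\n'
        found=1
    fi
    return $found
}

# audit_live_socket [PATH]: the same check against a real socket. Relies on
# GNU stat and getent (Linux); PATH defaults to /var/run/docker.sock.
audit_live_socket() {
    sock=${1:-/var/run/docker.sock}
    [ -S "$sock" ] || { echo "$sock is not a socket" >&2; return 2; }
    set -- $(stat -c '%U %G %a' "$sock")
    members=$(getent group "$2" | cut -d: -f4 | tr ',' ' ')
    audit_socket_access "$1" "$2" "$3" "$members"
}

# Constructed sample (not from a real host): the layout the reporter asks for,
# with two ordinary accounts added to dockerroot.
audit_socket_access root dockerroot 0660 "root alice bob" \
    || echo "non-root accounts above have root-equivalent, unlogged access"
```

On a host, source the file and run `audit_live_socket` (or `audit_live_socket /path/to/socket` when `-H` points elsewhere); a non-zero exit means someone other than root can drive the daemon, which is exactly the condition Comment 4 declines to enable without logging and access control.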