Description Tomas Dabašinskas
2015-04-22 01:40:52 UTC
Description of problem:
/var/run/docker.sock is created as root:root; there's a user and group created when docker is installed (dockerroot:dockerroot). Please use systemd tmpfiles.d to set permissions for /var/run/docker.sock as dockerroot:dockerroot, otherwise docker fails to connect with an error:
FATA[0000] Post http:///var/run/docker.sock/v1.18/containers/create: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?
Version-Release number of selected component (if applicable):
docker-1.5.0-27.el7.x86_64
p.s.
Documentation https://access.redhat.com/articles/881893 needs updating to say that the user must be part of the dockerroot group to use docker.
Comment 2 Tomas Dabašinskas
2015-04-22 01:55:19 UTC
Please note /var/run/docker.sock is a socket (not a regular file); creating it using
f /var/run/docker.sock 0755 dockerroot dockerroot - -
will not work. I can't find information on http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html for changing permissions for sockets.
Comment 3 Tomas Dabašinskas
2015-04-22 02:33:13 UTC
You may also add the following to /usr/lib/systemd/system/docker.service:
ExecStartPost=/usr/bin/chown dockerroot:dockerroot /var/run/docker.sock
Please note, it uses the default socket path; if OPTIONS in /etc/sysconfig/docker is changed to specify a different path to the socket using the -H flag, the service won't start as it won't find the socket...
We don't want to allow docker access from non-privileged users since this is the equivalent of allowing these users root access with no logging. We would prefer that you set them up to use sudo.
We will not fix this issue until we have proper logging and Access Control built into docker.
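Since write access to the socket is what grants the root-equivalent access described in the reply above, an administrator can audit who holds it. The following is an added example, not part of the original bug report or Red Hat's tooling; the function names `classify_sock_access` and `audit_sock` are hypothetical, and it assumes GNU `stat` and `getent` as found on RHEL.

```shell
# Connecting to a unix socket requires write permission on it, so only
# the write bits matter here.

# classify_sock_access OWNER GROUP MODE
# MODE is the octal string printed by `stat -c %a` (for example 660).
# Prints one finding per line, or "root-only" when no non-root owner,
# non-root group, or "other" write bit grants access.
classify_sock_access() {
    _owner=$1 _group=$2 _mode=$3 _hit=0
    case $_mode in   # third digit from the end: owner bits
        *[2367]??) [ "$_owner" = root ] || { echo "owner-writable:$_owner"; _hit=1; } ;;
    esac
    case $_mode in   # second digit from the end: group bits
        *[2367]?) [ "$_group" = root ] || { echo "group-writable:$_group"; _hit=1; } ;;
    esac
    case $_mode in   # last digit: everyone else
        *[2367]) echo "world-writable"; _hit=1 ;;
    esac
    [ "$_hit" -eq 1 ] || echo "root-only"
}

# audit_sock [PATH]
# Inspects the socket (default /var/run/docker.sock) and, when a non-root
# group can write to it, lists that group's supplementary members.
audit_sock() {
    _sock=${1:-/var/run/docker.sock}
    [ -e "$_sock" ] || { echo "missing:$_sock"; return 1; }
    [ -S "$_sock" ] || echo "warning:not-a-socket"
    # GNU stat: owner name, group name, octal mode
    set -- $(stat -c '%U %G %a' "$_sock")
    classify_sock_access "$1" "$2" "$3" | while IFS= read -r _finding; do
        echo "$_finding"
        case $_finding in
            group-writable:*)
                # Accounts whose primary GID is this group are not listed
                # here; check /etc/passwd for those.
                echo "members:$(getent group "${_finding#*:}" | cut -d: -f4)" ;;
        esac
    done
}
```

Run `audit_sock` with no argument for the default path, or pass the path configured with `-H` in /etc/sysconfig/docker.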