Bug 1214104 - /var/run/docker.sock permissions
Summary: /var/run/docker.sock permissions
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: Luwen Su
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-22 01:40 UTC by Tomas Dabašinskas
Modified: 2019-03-06 01:03 UTC
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-15 20:55:30 UTC
Target Upstream Version:
Embargoed:

Description Tomas Dabašinskas 2015-04-22 01:40:52 UTC
Description of problem:
/var/run/docker.sock is created as root:root; there is a user and group created when docker is installed (dockerroot:dockerroot). Please use systemd tmpfiles.d to set permissions for /var/run/docker.sock as dockerroot:dockerroot, otherwise docker fails to connect with an error:

FATA[0000] Post http:///var/run/docker.sock/v1.18/containers/create: dial unix /var/run/docker.sock: permission denied. Are you trying to connect to a TLS-enabled daemon without TLS?

Version-Release number of selected component (if applicable):
docker-1.5.0-27.el7.x86_64

P.S.
Documentation https://access.redhat.com/articles/881893 needs updating to say that the user must be part of the dockerroot group to use docker.

Comment 2 Tomas Dabašinskas 2015-04-22 01:55:19 UTC
Please note /var/run/docker.sock is a socket (not regular file), creating it using

f /var/run/docker.sock  0755 dockerroot dockerroot - -

will not work. I can't find information on http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html for changing permissions for sockets.

Comment 3 Tomas Dabašinskas 2015-04-22 02:33:13 UTC
You may also add the following to /usr/lib/systemd/system/docker.service:

ExecStartPost=/usr/bin/chown dockerroot:dockerroot /var/run/docker.sock

Please note that it uses the default socket path; if OPTIONS in /etc/sysconfig/docker is changed to specify a different path to the socket using the -H flag, the service won't start as it won't find the socket...

Comment 4 Daniel Walsh 2015-04-22 19:30:08 UTC
We don't want to allow docker access from non-privileged users since this is the equivalent of allowing these users root access with no logging. We would prefer that you set them up to use sudo.

We will not fix this issue until we have proper logging and Access Control built into docker.
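Added example, not from the bug report or the docker package: a POSIX sh audit helper that resolves the daemon's socket path from the OPTIONS line in /etc/sysconfig/docker (the -H case Comment 3 warns about) and classifies who can connect to it, given Comment 4's point that anyone who can connect is root-equivalent. It assumes the RHEL 7 sysconfig layout and GNU stat; all function names are mine.

```shell
# Added example, not from the bug report: resolve the daemon's unix socket path
# from the OPTIONS line in /etc/sysconfig/docker (the -H case Comment 3 warns
# about) and classify who can connect. Connecting needs write access on the
# socket, and anyone who can connect is root-equivalent, as Comment 4 says.

# Print the OPTIONS value from a sysconfig file, surrounding quotes removed.
docker_options_from_sysconfig() {
    grep '^OPTIONS=' "$1" | tail -n 1 |
        sed -e 's/^OPTIONS=//' -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Print the unix socket path named by -H / --host in an OPTIONS string.
# tcp:// hosts are ignored; with no unix host the daemon default is returned.
docker_socket_path() {
    found=""
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -H|--host) shift; val=${1:-} ;;
            -H=*|--host=*) val=${1#*=} ;;
            *) val="" ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
        case $val in
            unix://*) found=${val#unix://} ;;
            /*) found=$val ;;
        esac
    done
    printf '%s\n' "${found:-/var/run/docker.sock}"
}

# Classify access from the octal mode and owner/group as stat prints them.
socket_access_class() {
    perm=$(printf '%s' "000$1" | tail -c 3)
    g=$(printf '%s' "$perm" | cut -c2); o=$(printf '%s' "$perm" | cut -c3)
    if [ $((o & 2)) -ne 0 ]; then echo "world-writable: every local user is root-equivalent"
    elif [ $((g & 2)) -ne 0 ]; then echo "group-writable: members of $3 are root-equivalent"
    else echo "restricted: only root and the owner ($2) can connect"
    fi
}

# Report on a live socket (GNU stat); returns 1 if the path is not a socket.
socket_access_report() {
    [ -S "$1" ] || { echo "$1: not a unix socket"; return 1; }
    set -- "$1" $(stat -c '%a %U %G' "$1")
    echo "$1 $3:$4 mode $2 -> $(socket_access_class "$2" "$3" "$4")"
}
```

On a RHEL 7 host, socket_access_report "$(docker_socket_path "$(docker_options_from_sysconfig /etc/sysconfig/docker)")" prints the resolved path, its owner, mode and the resulting access class.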

