Unable to run rootless docker in docker #6505

Closed
5 of 11 tasks
mrgrain opened this issue Nov 2, 2022 · 4 comments
Labels
bug report investigate Collect additional information, like space on disk, other tool incompatibilities etc. OS: Ubuntu

Comments


mrgrain commented Nov 2, 2022

Description

When running in a rootless docker container, it is not easily possible to run Docker in Docker (or Docker out of Docker) commands. This is due to missing permissions of the rootless user to access the mounted unix:///var/run/docker.sock

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04
  • macOS 10.15
  • macOS 11
  • macOS 12
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

https://github.com/mrgrain/repro-rootless-dind/actions/runs/3377152959

Is it regression?

No

Expected behavior

In order of preference:

  • The non-root user inside the container should have permissions to access the socket. No configuration should be needed.
  • I can see why this should be an explicit opt-in. I'd expect an additional option on the container property. e.g.
    container:
      image: jsii/superchain:1-buster-slim-node14
      dind: true
  • Using options: --group-add is a nice enough workaround. However, currently we have to specify the numeric id of the docker group to make this work. Furthermore, this id appears to be different on various images. I also suspect it can change at any time.
    It seems that options: --group-add docker will use the group id from inside the container, which will be wrong. So I guess we would need a stable way to get the correct id. Maybe this could be something like options: --group-add ${{ runner.docker-group-id }}. Or even a documented id for the group that's fixed and consistent across all images.

Actual behavior

The docker command fails with the following error

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied

Repro steps

https://github.com/mrgrain/repro-rootless-dind/blob/main/.github/workflows/rootless-dind.yml

igorboskovic3 (Contributor) commented

Hi @mrgrain, we will take a look and get back to you.

@igorboskovic3 igorboskovic3 added investigate Collect additional information, like space on disk, other tool incompatibilities etc. OS: Ubuntu and removed needs triage labels Nov 2, 2022
al-cheb (Contributor) commented Nov 2, 2022

Hey @mrgrain.
We don't manage the container task and I don't think we should create a new group due to maintenance concerns. You could dynamically get the docker group id and pass it to the next job:

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      dockerId: ${{ steps.get_docker_id.outputs.id }}
    steps:
      - name: Get docker id
        id: get_docker_id
        # Read the numeric GID of the runner host's docker group from /etc/group
        # and expose it as a job output for the container job below.
        run: |
          echo "id=$(cut -d: -f3 < <(getent group docker))" >> "$GITHUB_OUTPUT"
  works-with-group:
    needs: build
    runs-on: ubuntu-latest
    container:
      image: jsii/superchain:1-buster-slim-node14
      # Add the host's docker GID (as a number, not a name) to the container
      # user's supplementary groups so it can open the mounted socket.
      options: --group-add ${{ needs.build.outputs.dockerId }}
    steps:
      - run: whoami
      - run: id
      - run: docker ps
```
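
As an added example (not part of this issue thread or the runner-images project), the script below demonstrates the point the workaround above relies on: `--group-add` needs the numeric GID of the host's docker group, because a group name is resolved against the image's own /etc/group, where `docker` may be missing or carry a different number. The two sample group files, the GIDs 999 and 123, and the helper names are constructed for illustration. It also shows reading the GID straight from the socket file, which is the number the kernel actually checks on connect(2), so no name lookup is needed on either side.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue thread.
# Shows (1) why `--group-add docker` resolves to the wrong number inside a
# container and (2) two ways to obtain the numeric GID that actually matters.
set -eu

# Print the numeric GID of <groupname> from an /etc/group-style <file>.
# Returns 1 if the group is not defined there.
gid_from_group_file() {
  local file="$1" name="$2"
  awk -F: -v n="$name" '$1 == n { print $3; found = 1; exit } END { exit !found }' "$file"
}

# Print the owning GID of a socket (or any file). This is the number the
# kernel checks on connect(2); the group's *name* is irrelevant, and the
# name may not even exist inside the image. GNU stat first, BSD stat fallback.
gid_of_socket() {
  local sock="$1"
  stat -c %g "$sock" 2>/dev/null || stat -f %g "$sock"
}

# Render the value for the workflow's `container.options` field.
group_add_option() {
  printf '%s %s' '--group-add' "$1"
}

# Constructed sample data: a runner host and an image that both define a
# group named "docker" but with different numeric ids (assumed values).
HOST_GROUP_FILE="$(mktemp)"
IMAGE_GROUP_FILE="$(mktemp)"
trap 'rm -f "$HOST_GROUP_FILE" "$IMAGE_GROUP_FILE"' EXIT
cat >"$HOST_GROUP_FILE" <<'EOF'
root:x:0:
docker:x:999:runner
runner:x:1000:
EOF
cat >"$IMAGE_GROUP_FILE" <<'EOF'
root:x:0:
docker:x:123:
node:x:1000:
EOF

demo() {
  local host_gid image_gid
  host_gid="$(gid_from_group_file "$HOST_GROUP_FILE" docker)"
  image_gid="$(gid_from_group_file "$IMAGE_GROUP_FILE" docker)"
  echo "host docker GID:  $host_gid"
  echo "image docker GID: $image_gid (what '--group-add docker' would use inside the container)"
  echo "option to pass:   $(group_add_option "$host_gid")"
  # On a real runner, reading the socket itself avoids the name lookup entirely.
  if [ -S /var/run/docker.sock ]; then
    echo "socket GID:       $(gid_of_socket /var/run/docker.sock)"
  fi
}

demo
```

Run it with bash. The security consequence is worth stating plainly: anyone who can talk to the Docker socket can start a privileged container on the host, so the group added this way gives the job container root-equivalent access to the runner. That is acceptable on an ephemeral hosted runner, but deserves a second look on self-hosted runners that persist between jobs.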

mrgrain (Author) commented Nov 2, 2022

Thanks @al-cheb that's at least a consistent workaround. 👍🏻

al-cheb (Contributor) commented Nov 2, 2022

Close as external.

@al-cheb al-cheb closed this as completed Nov 2, 2022
mergify bot pushed a commit to cdklabs/cdk-enterprise-iac that referenced this issue Nov 19, 2022
….ts (#106)

Fixes #105

Fixes #88 

- Update to use `.projenrc.ts` instead of `.projenrc.js`
- Dynamically get docker group id from github actions container ([ref](actions/runner-images#6505 (comment)))
3 participants