Re: docker command run from containers got permission denied on /var/run/docker.sock

2019-10-02 Thread Ben Parees
On Wed, Oct 2, 2019 at 3:01 PM Weiqiang Zhuang  wrote:

> According to this doc
> https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core
>  `privileged`
> seems to be in both pod and container securityContext. Also have seen
> people use it in pod.spec... But anyway...
>

I don't see "privileged" listed here:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core

I do see it here:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#securitycontext-v1-core



>
>
> Adrian
>
>
>
> - Original message -
> From: Ben Parees 
> To: Weiqiang Zhuang 
> Cc: users 
> Subject: [EXTERNAL] Re: docker command run from containers got permission
> denied on /var/run/docker.sock
> Date: Wed, Oct 2, 2019 11:48 AM
>
>
>
> On Wed, Oct 2, 2019 at 2:44 PM Weiqiang Zhuang  wrote:
>
> Thanks Ben. Yes, the pod is running as root.
>
> BTW, now I moved the privileged into the containers section and suddenly
> this works. Not sure why the securityContext behaves this way, though.
>
>
> Looks like privileged isn't a valid field for the securityContext within
> the pod.spec, so your value was being ignored.
>
>
>
>
>
> ```
> apiVersion: v1
> kind: Pod
> metadata:
>     name: dood
> spec:
>     containers:
>       - securityContext:
>           privileged: true
>         name: docker-cmds
>         image: argoproj/argoexec:v2.3.0
>         command: ['sh', '-c', 'sleep 1d']
> ....
> ```
>
> Adrian
>
>
> ----- Original message -
> From: Ben Parees 
> To: Weiqiang Zhuang 
> Cc: users 
> Subject: [EXTERNAL] Re: docker command run from containers got permission
> denied on /var/run/docker.sock
> Date: Wed, Oct 2, 2019 11:27 AM
>
>
>
> On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang  wrote:
>
> On an Openshift 3.11 cluster, we tried to run docker commands but all
> returned the following error:
>
> ```
> Got permission denied while trying to connect to the Docker daemon socket
> at unix:///var/run/docker.sock: Get
> http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix
> /var/run/docker.sock: connect: permission denied
> ```
>
> Has anyone run into a similar situation and come up with a solution? I have
> searched past posts and googled and tried, but so far without luck making
> it work.
>
> Detailed info:
>
> An example Pod yaml file is
>
> ```
> apiVersion: v1
> kind: Pod
> metadata:
>     name: dood
> spec:
>     securityContext:
>       privileged: true
>     containers:
>       - name: docker-cmds
>         image: argoproj/argoexec:v2.3.0
>         command: ['sh', '-c', 'sleep 1d']
>         resources:
>             requests:
>                 cpu: 10m
>                 memory: 256Mi
>         volumeMounts:
>           - mountPath: /var/run
>             name: docker-sock
>     volumes:
>       - name: docker-sock
>         hostPath:
>           path: /var/run
> ```
>
> On the host (compute nodes) machine, the socket looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
>
> Inside the container, the mounted path looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
>
> The serviceaccount running the container has been added to the `anyuid`
> and `hostmount-anyuid` scc.
>
>
> can you confirm the pod container is running as uid 0/root?
>
>
>
>
> Thanks.
>
> Adrian
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
>
> --
> Ben Parees | OpenShift
>
>
>
>
>
>
> --
> Ben Parees | OpenShift
>
>
>
>
>

-- 
Ben Parees | OpenShift
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
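The thread's conclusion, as an added example (this is not code from the thread, from OpenShift or from Kubernetes): a small linter that flags `securityContext` keys written at a level where the API has no such field, and separately flags any container that is handed the host's Docker socket through a hostPath volume. The field sets are the ones listed in the v1.16 API reference linked above (PodSecurityContext has no `privileged`; the container-level SecurityContext does). The two manifests are the thread's `dood` Pod rebuilt as Python dicts, an assumption made so the script runs without PyYAML.

```python
"""Lint a Pod manifest for securityContext fields placed where the API ignores
them, and for volumes that hand the container the host's Docker socket.

Added example, not code from the thread. Field sets follow the Kubernetes
v1.16 API reference: PodSecurityContext has no `privileged`; the container
SecurityContext does. The manifests below are the thread's YAML rebuilt as
Python dicts (assumption: done so the script runs without PyYAML).
"""

# PodSecurityContext (spec.securityContext) fields in v1.16. No `privileged`.
POD_SC_FIELDS = frozenset({
    "fsGroup", "runAsGroup", "runAsNonRoot", "runAsUser",
    "seLinuxOptions", "supplementalGroups", "sysctls", "windowsOptions",
})
# Container SecurityContext (spec.containers[].securityContext) fields in v1.16.
CONTAINER_SC_FIELDS = frozenset({
    "allowPrivilegeEscalation", "capabilities", "privileged", "procMount",
    "readOnlyRootFilesystem", "runAsGroup", "runAsNonRoot", "runAsUser",
    "seLinuxOptions", "windowsOptions",
})
# Both spellings of the socket path; /var/run is normally a symlink to /run.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def misplaced_fields(pod):
    """Return (field, location) pairs for securityContext keys that are not
    valid at the level where they were written, and so take no effect."""
    spec = pod.get("spec", {})
    findings = []
    for key in (spec.get("securityContext") or {}):
        if key not in POD_SC_FIELDS:
            note = " (container-level field)" if key in CONTAINER_SC_FIELDS else ""
            findings.append((key, "spec.securityContext" + note))
    for c in spec.get("containers", []):
        for key in (c.get("securityContext") or {}):
            if key not in CONTAINER_SC_FIELDS:
                findings.append((key, f"spec.containers[{c['name']}].securityContext"))
    return findings


def _exposes_socket(host_path):
    """True if a hostPath volume rooted at host_path contains the Docker socket."""
    root = host_path.rstrip("/")
    return any(s == root or s.startswith(root + "/") for s in DOCKER_SOCKETS)


def docker_sock_exposure(pod):
    """List containers that mount the host Docker socket, with `privileged`
    read the way the API applies it: from the container securityContext only."""
    spec = pod.get("spec", {})
    sock_volumes = {
        v["name"] for v in spec.get("volumes", [])
        if "hostPath" in v and _exposes_socket(v["hostPath"].get("path", ""))
    }
    out = []
    for c in spec.get("containers", []):
        privileged = bool((c.get("securityContext") or {}).get("privileged", False))
        for m in c.get("volumeMounts", []):
            if m.get("name") in sock_volumes:
                out.append({"container": c["name"], "mountPath": m["mountPath"],
                            "privileged": privileged})
    return out


def lint(pod):
    """Human-readable findings; an empty list means nothing to report."""
    msgs = [f"{f} is ignored at {where}" for f, where in misplaced_fields(pod)]
    for e in docker_sock_exposure(pod):
        level = "privileged container" if e["privileged"] else "unprivileged container"
        msgs.append(f"{e['container']} mounts the host Docker socket at "
                    f"{e['mountPath']} ({level}); that socket is root on the node")
    return msgs


def _pod(privileged_at):
    """Build the thread's `dood` Pod with `privileged: true` at the given level."""
    container = {
        "name": "docker-cmds", "image": "argoproj/argoexec:v2.3.0",
        "command": ["sh", "-c", "sleep 1d"],
        "volumeMounts": [{"mountPath": "/var/run", "name": "docker-sock"}],
    }
    spec = {"containers": [container],
            "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run"}}]}
    if privileged_at == "pod":
        spec["securityContext"] = {"privileged": True}
    else:
        container["securityContext"] = {"privileged": True}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dood"}, "spec": spec}


ORIGINAL_POD = _pod("pod")       # privileged under spec.securityContext: ignored
FIXED_POD = _pod("container")    # privileged under the container: takes effect

if __name__ == "__main__":
    for label, pod in (("original manifest", ORIGINAL_POD), ("fixed manifest", FIXED_POD)):
        print(label)
        for m in lint(pod):
            print("  -", m)
```

The second check is the one worth acting on: whichever level `privileged` ends up at, a process that can connect to `/var/run/docker.sock` can ask the daemon to start a privileged container with the node's root filesystem mounted, so the hostPath mount itself is the capability to gate. On OpenShift that means restricting which service accounts may use the `hostmount-anyuid` and `privileged` SCCs rather than treating the `privileged` flag as the only thing to review.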


RE: docker command run from containers got permission denied on /var/run/docker.sock

2019-10-02 Thread Weiqiang Zhuang
According to this doc https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core `privileged` seems to be in both pod and container securityContext. Also have seen people use it in pod.spec... But anyway...
 
 
Adrian
 
 
- Original message -
From: Ben Parees
To: Weiqiang Zhuang
Cc: users
Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
Date: Wed, Oct 2, 2019 11:48 AM
  

On Wed, Oct 2, 2019 at 2:44 PM Weiqiang Zhuang  wrote:
Thanks Ben. Yes, the pod is running as root.
 
BTW, now I moved the privileged into the containers section and suddenly this works. Not sure why the securityContext behaves this way, though.
 
Looks like privileged isn't a valid field for the securityContext within the pod.spec, so your value was being ignored.
 
 
 
 
```
apiVersion: v1
kind: Pod
metadata:
    name: dood
spec:
    containers:
      - securityContext:
          privileged: true
        name: docker-cmds
        image: argoproj/argoexec:v2.3.0
        command: ['sh', '-c', 'sleep 1d']
```
 
Adrian
 
- Original message -
From: Ben Parees
To: Weiqiang Zhuang
Cc: users
Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
Date: Wed, Oct 2, 2019 11:27 AM
  

On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang  wrote:
On an Openshift 3.11 cluster, we tried to run docker commands but all returned the following error:
 
```
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix /var/run/docker.sock: connect: permission denied
```
 
Has anyone run into a similar situation and come up with a solution? I have searched past posts and googled and tried, but so far without luck making it work.
 
Detailed info:
 
An example Pod yaml file is
 
```
apiVersion: v1
kind: Pod
metadata:
    name: dood
spec:
    securityContext:
      privileged: true
    containers:
      - name: docker-cmds
        image: argoproj/argoexec:v2.3.0
        command: ['sh', '-c', 'sleep 1d']
        resources:
            requests:
                cpu: 10m
                memory: 256Mi
        volumeMounts:
          - mountPath: /var/run
            name: docker-sock
    volumes:
      - name: docker-sock
        hostPath:
          path: /var/run
```
 
On the host (compute nodes) machine, the socket looks like
 
# ls -l /var/run/docker.sock
srw-rw. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
 
Inside the container, the mounted path looks like
 
# ls -l /var/run/docker.sock
srw-rw. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
 
The serviceaccount running the container has been added to the `anyuid` and `hostmount-anyuid` scc.
 
can you confirm the pod container is running as uid 0/root?
 
 
 
Thanks.
 
Adrian

-- 
Ben Parees | OpenShift
 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: docker command run from containers got permission denied on /var/run/docker.sock

2019-10-02 Thread Ben Parees
On Wed, Oct 2, 2019 at 2:44 PM Weiqiang Zhuang  wrote:

> Thanks Ben. Yes, the pod is running as root.
>
> BTW, now I moved the privileged into the containers section and suddenly
> this works. Not sure why the securityContext behaves this way, though.
>

Looks like privileged isn't a valid field for the securityContext within
the pod.spec, so your value was being ignored.




>
> ```
> apiVersion: v1
> kind: Pod
> metadata:
>     name: dood
> spec:
>     containers:
>       - securityContext:
>           privileged: true
>         name: docker-cmds
>         image: argoproj/argoexec:v2.3.0
>         command: ['sh', '-c', 'sleep 1d']
> ```
>
> Adrian
>
>
> - Original message -
> From: Ben Parees 
> To: Weiqiang Zhuang 
> Cc: users 
> Subject: [EXTERNAL] Re: docker command run from containers got permission
> denied on /var/run/docker.sock
> Date: Wed, Oct 2, 2019 11:27 AM
>
>
>
> On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang  wrote:
>
> On an Openshift 3.11 cluster, we tried to run docker commands but all
> returned the following error:
>
> ```
> Got permission denied while trying to connect to the Docker daemon socket
> at unix:///var/run/docker.sock: Get
> http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix
> /var/run/docker.sock: connect: permission denied
> ```
>
> Has anyone run into a similar situation and come up with a solution? I have
> searched past posts and googled and tried, but so far without luck making
> it work.
>
> Detailed info:
>
> An example Pod yaml file is
>
> ```
> apiVersion: v1
> kind: Pod
> metadata:
>     name: dood
> spec:
>     securityContext:
>       privileged: true
>     containers:
>       - name: docker-cmds
>         image: argoproj/argoexec:v2.3.0
>         command: ['sh', '-c', 'sleep 1d']
>         resources:
>             requests:
>                 cpu: 10m
>                 memory: 256Mi
>         volumeMounts:
>           - mountPath: /var/run
>             name: docker-sock
>     volumes:
>       - name: docker-sock
>         hostPath:
>           path: /var/run
> ```
>
> On the host (compute nodes) machine, the socket looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
>
> Inside the container, the mounted path looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
>
> The serviceaccount running the container has been added to the `anyuid`
> and `hostmount-anyuid` scc.
>
>
> can you confirm the pod container is running as uid 0/root?
>
>
>
>
> Thanks.
>
> Adrian
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
>
> --
> Ben Parees | OpenShift
>
>
>
>
>

-- 
Ben Parees | OpenShift
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


RE: docker command run from containers got permission denied on /var/run/docker.sock

2019-10-02 Thread Weiqiang Zhuang
Thanks Ben. Yes, the pod is running as root.
 
BTW, now I moved the privileged into the containers section and suddenly this works. Not sure why the securityContext behaves this way, though.
 
```
apiVersion: v1
kind: Pod
metadata:
    name: dood
spec:
    containers:
      - securityContext:
          privileged: true
        name: docker-cmds
        image: argoproj/argoexec:v2.3.0
        command: ['sh', '-c', 'sleep 1d']
```
 
Adrian
 
- Original message -
From: Ben Parees
To: Weiqiang Zhuang
Cc: users
Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
Date: Wed, Oct 2, 2019 11:27 AM
  

On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang  wrote:
On an Openshift 3.11 cluster, we tried to run docker commands but all returned the following error:
 
```
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix /var/run/docker.sock: connect: permission denied
```
 
Has anyone run into a similar situation and come up with a solution? I have searched past posts and googled and tried, but so far without luck making it work.
 
Detailed info:
 
An example Pod yaml file is
 
```
apiVersion: v1
kind: Pod
metadata:
    name: dood
spec:
    securityContext:
      privileged: true
    containers:
      - name: docker-cmds
        image: argoproj/argoexec:v2.3.0
        command: ['sh', '-c', 'sleep 1d']
        resources:
            requests:
                cpu: 10m
                memory: 256Mi
        volumeMounts:
          - mountPath: /var/run
            name: docker-sock
    volumes:
      - name: docker-sock
        hostPath:
          path: /var/run
```
 
On the host (compute nodes) machine, the socket looks like
 
# ls -l /var/run/docker.sock
srw-rw. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
 
Inside the container, the mounted path looks like
 
# ls -l /var/run/docker.sock
srw-rw. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
 
The serviceaccount running the container has been added to the `anyuid` and `hostmount-anyuid` scc.
 
can you confirm the pod container is running as uid 0/root?
 
 
 
Thanks.
 
Adrian

-- 
Ben Parees | OpenShift
 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: docker command run from containers got permission denied on /var/run/docker.sock

2019-10-02 Thread Ben Parees
On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang  wrote:

> On an Openshift 3.11 cluster, we tried to run docker commands but all
> returned the following error:
>
> ```
> Got permission denied while trying to connect to the Docker daemon socket
> at unix:///var/run/docker.sock: Get
> http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix
> /var/run/docker.sock: connect: permission denied
> ```
>
> Has anyone run into a similar situation and come up with a solution? I have
> searched past posts and googled and tried, but so far without luck making
> it work.
>
> Detailed info:
>
> An example Pod yaml file is
>
> ```
> apiVersion: v1
> kind: Pod
> metadata:
>     name: dood
> spec:
>     securityContext:
>       privileged: true
>     containers:
>       - name: docker-cmds
>         image: argoproj/argoexec:v2.3.0
>         command: ['sh', '-c', 'sleep 1d']
>         resources:
>             requests:
>                 cpu: 10m
>                 memory: 256Mi
>         volumeMounts:
>           - mountPath: /var/run
>             name: docker-sock
>     volumes:
>       - name: docker-sock
>         hostPath:
>           path: /var/run
> ```
>
> On the host (compute nodes) machine, the socket looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
>
> Inside the container, the mounted path looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
>
> The serviceaccount running the container has been added to the `anyuid`
> and `hostmount-anyuid` scc.
>

can you confirm the pod container is running as uid 0/root?



>
> Thanks.
>
> Adrian
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>


-- 
Ben Parees | OpenShift
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users