Re: docker command run from containers got permission denied on /var/run/docker.sock

On Wed, Oct 2, 2019 at 3:01 PM Weiqiang Zhuang wrote:
> According to this doc
> https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core
> `privileged` seems to be in both pod and container securityContext. Also have seen
> people use it in pod.spec... But anyway...

I don't see "privileged" listed here:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core

I do see it here:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#securitycontext-v1-core

> Adrian

-- 
Ben Parees | OpenShift

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
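The distinction Ben points to is a silent failure: a key that PodSecurityContext does not define is dropped, not rejected, so the pod-level `privileged: true` in the original manifest had no effect. As an added example (not code from this thread or from OpenShift), the audit below flags that case and also reports which containers are actually privileged or mount the host Docker socket; the manifest is passed as the dict a YAML parser would produce, so no YAML library is assumed.

```python
from typing import Any, Dict, List

# Fields PodSecurityContext v1 defines in Kubernetes 1.16 (the API reference
# linked in the thread). `privileged` is not among them, so a manifest that
# puts it there is accepted and the key is silently dropped.
POD_SECURITY_CONTEXT_FIELDS = {
    "fsGroup", "runAsGroup", "runAsNonRoot", "runAsUser", "seLinuxOptions",
    "supplementalGroups", "sysctls", "windowsOptions",
}
# hostPath locations that expose the Docker daemon socket to the container.
DOCKER_SOCKET_PATHS = {"/var/run", "/run", "/var/run/docker.sock", "/run/docker.sock"}

def audit_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return findings for a v1 Pod manifest; an empty list means nothing flagged."""
    findings: List[str] = []
    spec = manifest.get("spec") or {}
    # 1. Pod-level keys the API does not define are ignored rather than rejected.
    for key in spec.get("securityContext") or {}:
        if key not in POD_SECURITY_CONTEXT_FIELDS:
            findings.append(f"spec.securityContext.{key} is not a PodSecurityContext field and is ignored")
    # 2. Resolve hostPath volumes so each mount can be traced to a host path.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes") or [] if "hostPath" in v}
    # 3. Per container: the effective privileged flag and Docker-socket mounts.
    for c in spec.get("containers") or []:
        name = c.get("name", "<unnamed>")
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.append(f"container {name} runs privileged")
        for m in c.get("volumeMounts") or []:
            path = host_paths.get(m["name"])
            if path is not None and path.rstrip("/") in DOCKER_SOCKET_PATHS:
                findings.append(f"container {name} mounts the host Docker socket ({path} at {m['mountPath']})")
    return findings

# The manifest from the original question as parsed YAML (constructed here;
# resources omitted because they do not affect the audit).
ORIGINAL_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dood"},
    "spec": {
        "securityContext": {"privileged": True},
        "containers": [{
            "name": "docker-cmds", "image": "argoproj/argoexec:v2.3.0",
            "command": ["sh", "-c", "sleep 1d"],
            "volumeMounts": [{"mountPath": "/var/run", "name": "docker-sock"}],
        }],
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run"}}],
    },
}
```

Running `audit_pod(ORIGINAL_POD)` reports the ignored pod-level key and the socket mount; moving `privileged` under the container, as Adrian did, makes the audit report a genuinely privileged container instead.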
RE: docker command run from containers got permission denied on /var/run/docker.sock

According to this doc https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core `privileged` seems to be in both pod and container securityContext. Also have seen people use it in pod.spec... But anyway...

Adrian

- Original message -
From: Ben Parees
To: Weiqiang Zhuang
Cc: users
Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
Date: Wed, Oct 2, 2019 11:48 AM

On Wed, Oct 2, 2019 at 2:44 PM Weiqiang Zhuang wrote:
> Thanks Ben. Yes, the pod is running as root.
>
> BTW, now I moved the privileged into the containers section and suddenly
> this works. Not sure why the securityContext behaves this way though.

Looks like privileged isn't a valid field for the securityContext within the pod.spec, so your value was being ignored.

> ```
> apiVersion: v1
> kind: Pod
> metadata:
>   name: dood
> spec:
>   containers:
>   - securityContext:
>       privileged: true
>     name: docker-cmds
>     image: argoproj/argoexec:v2.3.0
>     command: ['sh', '-c', 'sleep 1d']
> ```
>
> Adrian

-- 
Ben Parees | OpenShift
Re: docker command run from containers got permission denied on /var/run/docker.sock

On Wed, Oct 2, 2019 at 2:44 PM Weiqiang Zhuang wrote:
> Thanks Ben. Yes, the pod is running as root.
>
> BTW, now I moved the privileged into the containers section and suddenly
> this works. Not sure why the securityContext behaves this way though.

Looks like privileged isn't a valid field for the securityContext within the pod.spec, so your value was being ignored.

> ```
> apiVersion: v1
> kind: Pod
> metadata:
>   name: dood
> spec:
>   containers:
>   - securityContext:
>       privileged: true
>     name: docker-cmds
>     image: argoproj/argoexec:v2.3.0
>     command: ['sh', '-c', 'sleep 1d']
> ```
>
> Adrian

-- 
Ben Parees | OpenShift
RE: docker command run from containers got permission denied on /var/run/docker.sock

Thanks Ben. Yes, the pod is running as root.

BTW, now I moved the privileged into the containers section and suddenly this works. Not sure why the securityContext behaves this way though.

```
apiVersion: v1
kind: Pod
metadata:
  name: dood
spec:
  containers:
  - securityContext:
      privileged: true
    name: docker-cmds
    image: argoproj/argoexec:v2.3.0
    command: ['sh', '-c', 'sleep 1d']
```

Adrian

- Original message -
From: Ben Parees
To: Weiqiang Zhuang
Cc: users
Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
Date: Wed, Oct 2, 2019 11:27 AM

On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang wrote:
> On an Openshift 3.11 cluster, we tried to run docker commands but all
> returned the following error:
>
> ```
> Got permission denied while trying to connect to the Docker daemon socket
> at unix:///var/run/docker.sock: Get
> http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix
> /var/run/docker.sock: connect: permission denied
> ```
>
> Has anyone run into a similar situation and come up with a solution? I have
> searched past posts and googled and tried, but so far without luck to make
> it work.
>
> Detailed info:
>
> An example Pod yaml file is
>
> ```
> apiVersion: v1
> kind: Pod
> metadata:
>   name: dood
> spec:
>   securityContext:
>     privileged: true
>   containers:
>   - name: docker-cmds
>     image: argoproj/argoexec:v2.3.0
>     command: ['sh', '-c', 'sleep 1d']
>     resources:
>       requests:
>         cpu: 10m
>         memory: 256Mi
>     volumeMounts:
>     - mountPath: /var/run
>       name: docker-sock
>   volumes:
>   - name: docker-sock
>     hostPath:
>       path: /var/run
> ```
>
> On the host (compute nodes) machine, the socket looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
>
> Inside the container, the mounted path looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
>
> The serviceaccount running the container has been added to the `anyuid`
> and `hostmount-anyuid` scc.

can you confirm the pod container is running as uid 0/root?

> Thanks.
>
> Adrian

-- 
Ben Parees | OpenShift
Re: docker command run from containers got permission denied on /var/run/docker.sock

On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang wrote:
> On an Openshift 3.11 cluster, we tried to run docker commands but all
> returned the following error:
>
> ```
> Got permission denied while trying to connect to the Docker daemon socket
> at unix:///var/run/docker.sock: Get
> http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix
> /var/run/docker.sock: connect: permission denied
> ```
>
> Has anyone run into a similar situation and come up with a solution? I have
> searched past posts and googled and tried, but so far without luck to make
> it work.
>
> Detailed info:
>
> An example Pod yaml file is
>
> ```
> apiVersion: v1
> kind: Pod
> metadata:
>   name: dood
> spec:
>   securityContext:
>     privileged: true
>   containers:
>   - name: docker-cmds
>     image: argoproj/argoexec:v2.3.0
>     command: ['sh', '-c', 'sleep 1d']
>     resources:
>       requests:
>         cpu: 10m
>         memory: 256Mi
>     volumeMounts:
>     - mountPath: /var/run
>       name: docker-sock
>   volumes:
>   - name: docker-sock
>     hostPath:
>       path: /var/run
> ```
>
> On the host (compute nodes) machine, the socket looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
>
> Inside the container, the mounted path looks like
>
> # ls -l /var/run/docker.sock
> srw-rw. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
>
> The serviceaccount running the container has been added to the `anyuid`
> and `hostmount-anyuid` scc.

can you confirm the pod container is running as uid 0/root?

> Thanks.
>
> Adrian

-- 
Ben Parees | OpenShift