GGV2: Unable to run docker containers: docker.sock - permission denied

0

This was working just fine a month ago, but now:

=> When Greengrass tries to install docker images with "docker load -i [...]" I get this error:
2021-04-14T15:24:51.673Z [WARN] (Copier) xxxxxxxxx: stderr. Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/load?quiet=1: dial unix /var/run/docker.sock: connect: permission denied. {scriptName=services.xxxxxxxxx.lifecycle.Install.Script, serviceName=xxxxxxxxx, currentState=NEW}
2021-04-14T15:24:51.676Z [WARN] (pool-2-thread-17) xxxxxxxxx: shell-runner-error. {scriptName=services.xxxxxxxxx.lifecycle.Install.Script, serviceName=xxxxxxxxx, currentState=NEW, command=["docker load -i /greengrass/v2/packages/artifacts/xxxxxxxxx/1...."]}

I tried:

  • reverting back to Nucleus 2.0.3 but I seem to get the same problem.
  • The only thing that solves it is to make the docker.sock world-writable... but that is not going to production.

More info:

  • Greengrass is running as root.
  • I can run these commands myself with no problem in a shell.
  • Privileged containers I spin up can access the docker.sock with no problem.
  • This happens on both my arm and amd64 devices.

I don't know how to check which user Greengrass tries to run the docker load command as, but I assume it is its own user.

Has anyone experienced something similar?
I feel silly asking this question because it was working before, but I did not change anything so I am confused.

asked 3 years ago · 635 views
2 Answers
0
Accepted Answer

Hi QuantumLove,

The error was from your "Install" step. Can you set "RequiresPrivilege": true for "Install" as well, like you did in step "Run"?

Thank you!

AWS
answered 3 years ago
0

This is a sample component recipe:
{
  "RecipeFormatVersion": "2020-01-25",
  "ComponentName": "xxxxxxx",
  "ComponentVersion": "1.5.0",
  "Manifests": [
    {
      "Platform": {
        "os": "linux",
        "architecture": "amd64"
      },
      "Lifecycle": {
        "Install": {
          "Setenv": {
            "ARCH": "amd64"
          },
          "Script": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"
        },
        "Run": {
          "Setenv": {
            "ARCH": "amd64"
          },
          "Script": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0",
          "RequiresPrivilege": true
        }
      },
      "Selections": [
        "all"
      ]
    },
    {
      "Platform": {
        "os": "linux",
        "architecture": "arm"
      },
      "Lifecycle": {
        "Install": {
          "Setenv": {
            "ARCH": "arm32v7"
          },
          "Script": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"
        },
        "Run": {
          "Setenv": {
            "ARCH": "arm32v7"
          },
          "Script": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0",
          "RequiresPrivilege": true
        }
      },
      "Selections": [
        "all"
      ]
    }
  ],
  "Lifecycle": {
    "Install": {
      "Script": {
        "all": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"
      }
    },
    "Run": {
      "Script": {
        "all": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0"
      },
      "RequiresPrivilege": {
        "all": true
      }
    }
  }
}

answered 3 years ago
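
Added example (not part of the original thread and not AWS code): a pre-deployment check that lists every lifecycle step in a recipe whose script calls docker without "RequiresPrivilege": true, which is the gap the accepted answer points at in "Install". The names `unprivileged_docker_steps` and `SAMPLE` are hypothetical, the sample recipe is constructed, and the check assumes a step may be an object or a bare script string.

```python
import json
import re

DOCKER = re.compile(r"\bdocker\b")

def _by_selection(value, default):
    # A field is either a plain value or a {selection: value} map, as in the recipe above.
    if isinstance(value, dict):
        return value
    return {"*": default if value is None else value}

def unprivileged_docker_steps(recipe):
    """List lifecycle steps whose script calls docker without RequiresPrivilege: true."""
    scopes = [("Lifecycle", recipe.get("Lifecycle", {}))]
    for i, manifest in enumerate(recipe.get("Manifests", [])):
        scopes.append((f"Manifests[{i}]", manifest.get("Lifecycle", {})))
    findings = []
    for where, lifecycle in scopes:
        for step, body in lifecycle.items():
            if isinstance(body, str):  # assumed shorthand: the step is just its script
                body = {"Script": body}
            if not isinstance(body, dict) or "Script" not in body:
                continue
            privs = _by_selection(body.get("RequiresPrivilege"), False)
            for sel, script in _by_selection(body["Script"], "").items():
                privileged = privs.get(sel, privs.get("*", False)) is True
                if DOCKER.search(str(script)) and not privileged:
                    findings.append(f"{where}.{step}")
    return findings

# Constructed sample: same shape as the recipe in this thread, cut to one manifest.
SAMPLE = json.loads("""
{
  "Manifests": [{
    "Lifecycle": {
      "Install": {"Script": "docker load -i {artifacts:path}/artifact-amd64.tar"},
      "Run": {"Script": "docker run --rm --name demo demo:1.0", "RequiresPrivilege": true}
    }
  }],
  "Lifecycle": {
    "Install": {"Script": {"all": "docker load -i {artifacts:path}/artifact.tar"}},
    "Run": {"Script": {"all": "docker run --rm demo:1.0"}, "RequiresPrivilege": {"all": true}}
  }
}
""")

if __name__ == "__main__":
    for step in unprivileged_docker_steps(SAMPLE):
        print(f"{step}: docker call without RequiresPrivilege: true")
```
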
