GGV2: Unable to run docker containers: docker.sock - permission denied


This was working just fine a month ago, but now:

=> When Greengrass tries to install docker images with "docker load -i [...]" I get this error:
2021-04-14T15:24:51.673Z [WARN] (Copier) xxxxxxxxx: stderr. Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/load?quiet=1: dial unix /var/run/docker.sock: connect: permission denied. {scriptName=services.xxxxxxxxx.lifecycle.Install.Script, serviceName=xxxxxxxxx, currentState=NEW}
2021-04-14T15:24:51.676Z [WARN] (pool-2-thread-17) xxxxxxxxx: shell-runner-error. {scriptName=services.xxxxxxxxx.lifecycle.Install.Script, serviceName=xxxxxxxxx, currentState=NEW, command=["docker load -i /greengrass/v2/packages/artifacts/xxxxxxxxx/1...."]}

I tried:

  • Reverting back to Nucleus 2.0.3, but I seem to get the same problem.
  • The only thing that solves it is to make the docker.sock world-writable... but that is not going to production.

More info:

  • Greengrass is running as root.
  • I can run these commands myself with no problem in a shell.
  • Privileged containers I spin up can access the docker.sock with no problem.
  • This happens on both my arm and amd64 devices.

I don't know how to check which user Greengrass tries to run the docker load command as, but I assume it is its own user.

Has anyone experienced something similar?
I feel silly asking this question because it was working before, but I did not change anything so I am confused.

asked 3 years ago, 600 views
2 Answers
Accepted Answer

Hi QuantumLove,

The error was from your "Install" step. Can you set "RequiresPrivilege": true, like you did in step "Run", for "Install" as well?

Thank you!

AWS
answered 3 years ago

This is a sample component recipe:
{
  "RecipeFormatVersion": "2020-01-25",
  "ComponentName": "xxxxxxx",
  "ComponentVersion": "1.5.0",
  "Manifests": [
    {
      "Platform": {
        "os": "linux",
        "architecture": "amd64"
      },
      "Lifecycle": {
        "Install": {
          "Setenv": {
            "ARCH": "amd64"
          },
          "Script": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"
        },
        "Run": {
          "Setenv": {
            "ARCH": "amd64"
          },
          "Script": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0",
          "RequiresPrivilege": true
        }
      },
      "Selections": [
        "all"
      ]
    },
    {
      "Platform": {
        "os": "linux",
        "architecture": "arm"
      },
      "Lifecycle": {
        "Install": {
          "Setenv": {
            "ARCH": "arm32v7"
          },
          "Script": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"
        },
        "Run": {
          "Setenv": {
            "ARCH": "arm32v7"
          },
          "Script": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0",
          "RequiresPrivilege": true
        }
      },
      "Selections": [
        "all"
      ]
    }
  ],
  "Lifecycle": {
    "Install": {
      "Script": {
        "all": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"
      }
    },
    "Run": {
      "Script": {
        "all": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0"
      },
      "RequiresPrivilege": {
        "all": true
      }
    }
  }
}

answered 3 years ago
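
Greengrass runs a lifecycle script as the component's configured system user, not as root, unless that step sets "RequiresPrivilege": true, which is why only the "Install" step fails here. The following is an added example, not part of either answer or of any AWS tooling: a Python check that flags every lifecycle step whose script calls docker without that flag, covering both the plain form and the {"all": ...} form seen in the recipe above. The function names and the trimmed sample recipe are constructed for illustration, and matching on the word docker is a heuristic.

```python
import json
import re

# Constructed sample: the amd64 manifest and the top-level Lifecycle of the
# recipe posted above, trimmed (Platform, Setenv and Selections omitted).
SAMPLE_RECIPE = json.loads("""
{
  "ComponentName": "xxxxxxx",
  "Manifests": [{
    "Lifecycle": {
      "Install": {"Script": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"},
      "Run": {"Script": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0",
              "RequiresPrivilege": true}
    }
  }],
  "Lifecycle": {
    "Install": {"Script": {"all": "docker load -i {artifacts:path}/artifact-${ARCH}.tar"}},
    "Run": {"Script": {"all": "docker run --rm --privileged --name xxxxxxx xxxxxxx:${ARCH}-1.5.0"},
            "RequiresPrivilege": {"all": true}}
  }
}
""")

def _variants(value):
    """A field is either a plain value or a {selection: value} map; return all values."""
    return list(value.values()) if isinstance(value, dict) else [value]

def unprivileged_docker_steps(recipe):
    """Return (location, step) for each step that calls docker without RequiresPrivilege."""
    sections = [(f"Manifests[{i}].Lifecycle", m.get("Lifecycle", {}))
                for i, m in enumerate(recipe.get("Manifests", []))]
    sections.append(("Lifecycle", recipe.get("Lifecycle", {})))
    findings = []
    for location, lifecycle in sections:
        for step, body in lifecycle.items():
            if isinstance(body, str):  # shorthand: the step is just the script
                body = {"Script": body}
            if not isinstance(body, dict):
                continue
            scripts = [s for s in _variants(body.get("Script", "")) if isinstance(s, str)]
            flags = _variants(body.get("RequiresPrivilege", False))
            privileged = bool(flags) and all(f is True for f in flags)
            if not privileged and any(re.search(r"\bdocker\b", s) for s in scripts):
                findings.append((location, step))
    return findings

if __name__ == "__main__":
    for location, step in unprivileged_docker_steps(SAMPLE_RECIPE):
        print(f"{location}.{step}: docker call without RequiresPrivilege")
```

Run against the sample, it reports both "Install" steps and neither "Run" step, matching the failure in the question's log.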
