[SOLVED] Docker.dotnet ListImages fails with permission denied on /var/run/docker.sock in Redhat

Issue

Disclaimer: I aware the /var/run/docker.sock issue is way common and there are lots of posts out there on it (although most if not all can be summed up to adding the running user to the docker permissions group). I tried all the those instructions and it still does not help me, in redhat.

I have two containers, one Ubuntu and one running Redhat 7.9. My problem is specifically not being able to run - in the redhat container only - a call to Docker.Dotnet's ListImages (fails with permission denied in /var/run/docker.sock). In the beginning, I was not able to issue any docker command without prefixing it with sudo. I then added the running user to the docker permissions group, and can issue docker commands without sudo. But Docker.Dotnet ListImages (which is simply a wrapper to docker api's images/json endpoint) still fails with the permission denied error on docker.sock. I tried all recommended here, to no avail.

I thought perhaps I should add the User=root (although this is not present in my Ubuntu service file, and therefore does not make much sense). I then realized that the ubuntu and redhat docker service files differ considerably.

Ubuntu:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd://
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target 

Redhat:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target rhel-push-plugin.service registries.service
Wants=docker-storage-setup.service
Requires=rhel-push-plugin.service registries.service
Requires=docker-cleanup.timer

[Service]
Type=notify
NotifyAccess=main
EnvironmentFile=-/run/containers/registries.conf
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
Environment=DOCKER_HTTP_HOST_COMPAT=1
Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --authorization-plugin=rhel-push-plugin \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          $REGISTRIES
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0
Restart=on-abnormal
KillMode=process

[Install]
WantedBy=multi-user.target

UPDATE: In ubuntu, I can successfully run a docker engine api command from within one of the app containers using curl --unix-socket /run/docker.sock http://docker/images/json. Doing the same in redhat returns curl: (7) Couldn't connect to server.

Any further guidance here ? The redhat authorization plugin looks suspicious...

Solution

At the end... my problem was that in my Redhat installation, as opposed to my Ubuntu, we had SELinux enabled.

Disabling it finally had curl --unix-socket /run/docker.sock http://docker/images/json working from within my composer containers.

To disable Selinux: edit (you may need to impersonate as root using sudo su root) file /etc/selinux/config - replace SELINUX=enforcing with SELINUX=disabled. Restart the linux server and that's it.

Remark: This may obviously not be an acceptable solution in a production environment. If this is your case, you will need to properly configure SELinux permissions settings. I was simply assigned a task to identify why this problem was happening in one of our dev machines, so disabling it suffices my needs for now.

Update: The ideal solution is following the instructions here and here

Answered By - Veverke

Answer Checked By - David Marino (WPSolving Volunteer)