Issue
I have a container trying to access the Docker API (with the Go Docker lib). When doing so, I get the following error:
"Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http:///var/run/docker.sock/v1.38/containers/json?filters={"name":{"test":true},"status":{"exited":true,"running":true}}&limit=0: dial unix /var/run/docker.sock: connect: permission denied"
OK, so I am trying to give the container user permission to access that file, but with no success. As a temporary bypass, I am just setting 666 on the /var/run/docker.sock file. But still no success.
I print the file permission right before calling the API, and it is correctly RW for everybody (owner, group, other). Yet I am still getting the same error.
If I try to call the Docker API myself, or within a script, it does work. It is only if called from within another controller that I get the error.
Note that the same code does work flawlessly on another computer.
I am on Fedora 33, Docker 19.03.13, go1.15.8.
Any suggestion on what to look at?
Thanks,
Solution
The problem is coming from the SELinux protection that Fedora is using. Usually when mounting a directory, adding the option "z" will allow Docker to relabel the directory automatically. But this is not allowed for the domain socket. It seems the best alternative is to run the docker with the following option:
--security-opt label=type:container_runtime_t
More can be seen here.
Answered By - Djoby Answer Checked By - David Goodson (WPSolving Volunteer)
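
One way to confirm that SELinux, and not the file mode, is what rejects the connection (an added example, not part of the original question or answer): mode bits and SELinux policy are checked independently, so a 666 socket can still produce an AVC denial in the audit log. The function below filters audit records for denials that mention docker.sock; the sample records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials that involve docker.sock.
# On a live Fedora host, feed it real records instead of the sample:
#   getenforce                      # "Enforcing" means policy is applied
#   ls -Z /var/run/docker.sock      # shows the socket's SELinux label
#   ausearch -m avc -ts recent | docker_sock_denials

# Constructed sample audit records (not taken from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1613400000.101:901): avc:  denied  { write } for  pid=4242 comm="app" name="docker.sock" dev="tmpfs" ino=31337 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:container_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1613400000.102:902): avc:  denied  { connectto } for  pid=4242 comm="app" path="/run/docker.sock" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_runtime_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1613400000.103:903): avc:  denied  { read } for  pid=5150 comm="cat" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1613400000.102:902): arch=c000003e syscall=42 success=no exit=-13 comm="app"
EOF
}

# Reads audit records on stdin and prints one line per docker.sock denial:
#   <comm> <source-type> <permissions> <tclass> <target-type>
docker_sock_denials() {
  awk '
    /^type=AVC/ && /denied/ && /docker\.sock/ {
      perm = comm = st = tt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Permissions sit between "{" and "}", possibly more than one.
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm == "" ? "" : ",") $j
        }
        else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        # Contexts are user:role:type:level; the type is the third part.
        else if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
      }
      print comm, st, perm, cls, tt
    }'
}

# Stand-alone run: show the denials found in the constructed sample.
sample_audit_log | docker_sock_denials
```

A source type of container_t in the output is the confined container domain being refused; the `--security-opt label=type:container_runtime_t` option from the answer changes that source type, so the same check after the change should list no new denials for that process.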