Permission denied while trying to connect to the Docker daemon socket

Dani Asztalos
Contributor
May 22, 2024

I am running docker compose in Bitbucket Pipelines. In the compose file I have Traefik set up like this:

  traefik:
    image: traefik:v2.11
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

It works on my computer locally, however, I get the following error when running it in Bitbucket Pipelines:

level=error msg="Failed to retrieve information of the docker client and server host: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
level=error msg="Provider connection error permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied, retrying in 556.184722ms" providerName=docker

How can I access the docker.sock?

Answer accepted
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 23, 2024

Hello @Dani Asztalos ,

thank you for reaching out to Community!

Bitbucket Pipelines gives your build access to a Docker daemon when you define a docker service in the step: 

- step:
    script:
      - docker version
    services:
      - docker

However, this daemon is not accessed using the default UNIX socket under 

/var/run/docker.sock

Instead, the pipelines docker daemon is configured to listen to client connections over a TCP socket on localhost and port 2375 : 

tcp://localhost:2375

 This can be confirmed by printing the $DOCKER_HOST variable as part of your build:

$ echo $DOCKER_HOST
tcp://localhost:2375
 

Now talking specifically about your use-case, you want to have access to the daemon in a docker in docker (dind) environment (you're inside the build container, and spinning up a traefik container from which you want access to the daemon).

In that scenario, Pipelines exposes the variable BITBUCKET_DOCKER_HOST_INTERNAL so you can access the daemon from a dind container. This variable maps to the private IP address of the docker daemon.

Following is an example docker run command using that variable to access the daemon from inside a container:

- step:
    name: Access daemon from inside container
    script:
      - docker info
      - echo $DOCKER_HOST
      - echo $BITBUCKET_DOCKER_HOST_INTERNAL
      - docker run --env=DOCKER_HOST="tcp://host.docker.internal:2375" --add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" --entrypoint=/usr/local/bin/docker docker info
    services:
      - docker

Where the arguments of docker run are : 

  • --env=DOCKER_HOST : configures the default socket that docker will try to connect as the domain tcp://host.docker.internal:2375
  • --add-host : adds a domain to IP address mapping in the container being created, so the domain host.docker.internal points to the docker daemon private IP address exposed on the variable $BITBUCKET_DOCKER_HOST_INTERNAL

Since your build is spinning up the container using Compose, you can use the above example as a reference for the necessary mappings/variables and then adapt it to your Compose YAML setup.

I hope that information helps! Should you have any questions, feel free to ask.

Thank you, @Dani Asztalos !

Patrik S

Dani Asztalos
Contributor
May 26, 2024

Thank you @Patrik S, with your help I was able to pass docker as a tcp url to Traefik.

See the highlighted lines in the compose.yaml below.

 

  traefik:
    image: traefik:v2.11
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.endpoint=tcp://host.docker.internal:2375" # <-----
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    extra_hosts:
      - "host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" # <-----

Patrik S
Atlassian Team
May 27, 2024

Hey @Dani Asztalos ,

You're very welcome!

Happy to hear that using the docker TCP socket did the trick :)

Feel free to reach out to the community if you ever need help.

Patrik S
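
Added example (not part of the thread, and not Atlassian's or Traefik's code): a pre-flight shell helper for the build step that picks the endpoint a container should use, following the accepted answer, so one compose.yaml can serve both a local UNIX socket and the Pipelines TCP daemon. The names TRAEFIK_DOCKER_ENDPOINT, DOCKER_GATEWAY and SOCK are hypothetical, and reusing the port from DOCKER_HOST is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. TRAEFIK_DOCKER_ENDPOINT, DOCKER_GATEWAY
# and SOCK are hypothetical names; compose.yaml would reference the first two as
#   --providers.docker.endpoint=${TRAEFIK_DOCKER_ENDPOINT}
#   extra_hosts: ["host.docker.internal:${DOCKER_GATEWAY}"]
SOCK="${SOCK:-/var/run/docker.sock}"

# Print the Docker endpoint a container started by this build should use.
# Returns 1 (with a message on stderr) when no usable endpoint is found.
container_docker_endpoint() {
  if [ -n "${BITBUCKET_DOCKER_HOST_INTERNAL:-}" ]; then
    # Pipelines: the daemon listens on TCP. Reuse the port from DOCKER_HOST
    # (tcp://localhost:2375 in the thread); fall back to 2375 if it is unset.
    port=2375
    case "${DOCKER_HOST:-}" in
      tcp://*:*) port="${DOCKER_HOST##*:}" ;;
    esac
    case "$port" in
      ''|*[!0-9]*) echo "bad port in DOCKER_HOST=$DOCKER_HOST" >&2; return 1 ;;
    esac
    printf 'tcp://host.docker.internal:%s\n' "$port"
  elif [ -S "$SOCK" ] && [ -r "$SOCK" ] && [ -w "$SOCK" ]; then
    # Local run: connecting to a UNIX socket needs read and write permission.
    printf 'unix://%s\n' "$SOCK"
  else
    echo "no usable Docker endpoint: $SOCK missing or not accessible" >&2
    return 1
  fi
}

# Write both values to an env file that docker compose reads for ${VAR}
# interpolation (default: .env in the project directory).
write_compose_env() {
  out="${1:-.env}"
  endpoint="$(container_docker_endpoint)" || return 1
  {
    printf 'TRAEFIK_DOCKER_ENDPOINT=%s\n' "$endpoint"
    # host-gateway is Docker's built-in alias for the host's gateway address.
    printf 'DOCKER_GATEWAY=%s\n' "${BITBUCKET_DOCKER_HOST_INTERNAL:-host-gateway}"
  } > "$out"
}
```

Calling write_compose_env in the step's script before docker compose up makes the step fail with one clear message instead of leaving Traefik in its provider retry loop.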

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Product Admin