Permission denied while trying to connect to the Docker daemon socket

Dani Asztalos May 22, 2024

I am running docker compose in Bitbucket Pipelines. In the compose file I have Traefik set up like this:

  traefik:
    image: traefik:v2.11
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

It works on my computer locally, however, I get the following error when running it in Bitbucket Pipelines:

level=error msg="Failed to retrieve information of the docker client and server host: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
level=error msg="Provider connection error permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied, retrying in 556.184722ms" providerName=docker

How can I access the docker.sock?

Answer accepted

Patrik S (Atlassian Team) May 23, 2024

Hello @Dani Asztalos,

Thank you for reaching out to Community!

Bitbucket Pipelines gives your build access to a Docker daemon when you define a docker service in the step: 

  - step:
      script:
        - docker version
      services:
        - docker

However, this daemon is not accessed using the default UNIX socket under /var/run/docker.sock.

Instead, the pipelines docker daemon is configured to listen to client connections over a TCP socket on localhost and port 2375:

tcp://localhost:2375

This can be confirmed by printing the $DOCKER_HOST variable as part of your build:

$ echo $DOCKER_HOST
tcp://localhost:2375

Now talking specifically about your use-case, you want to have access to the daemon in a docker in docker (dind) environment (you're inside the build container, and spinning up a traefik container from which you want access to the daemon).

In that scenario, Pipelines exposes the variable BITBUCKET_DOCKER_HOST_INTERNAL so you can access the daemon from a dind container. This variable maps to the private IP address of the docker daemon.

Following is an example docker run command using that variable to access the daemon from inside a container:

  - step:
      name: Access daemon from inside container
      script:
        - docker info
        - echo $DOCKER_HOST
        - echo $BITBUCKET_DOCKER_HOST_INTERNAL
        - docker run --env=DOCKER_HOST="tcp://host.docker.internal:2375" --add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" --entrypoint=/usr/local/bin/docker docker info
      services:
        - docker

Where the arguments of docker run are:

  • --env=DOCKER_HOST : configures the default socket that docker will try to connect as the domain tcp://host.docker.internal:2375
  • --add-host : adds a domain to IP address mapping in the container being created, so the domain host.docker.internal points to the docker daemon private IP address exposed on the variable $BITBUCKET_DOCKER_HOST_INTERNAL

Since your build is spinning up the container using compose, you can use the above example as a reference for the necessary mappings/variables and then adapt it to your compose YAML setup.

I hope that information helps! Should you have any questions, feel free to ask.

Thank you, @Dani Asztalos!

Patrik S

Dani Asztalos May 26, 2024

Thank you @Patrik S, with your help I was able to pass docker as a tcp url to Traefik.

See the highlighted lines in the compose.yaml below.

 

  traefik:
    image: traefik:v2.11
    container_name: traefik
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.endpoint=tcp://host.docker.internal:2375" # <-----
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
    extra_hosts:
      - "host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" # <-----

Patrik S (Atlassian Team) May 27, 2024

Hey @Dani Asztalos,

You're very welcome!

Happy to hear that using the docker TCP socket did the trick :)

Feel free to reach out to the community if you ever need help.

Patrik S
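
A preflight check for the endpoint selection described in this thread, as an added example that is not part of the original posts: it falls back to the UNIX socket outside Pipelines and rejects a BITBUCKET_DOCKER_HOST_INTERNAL value that is not a plain IPv4 address before that value reaches --add-host or extra_hosts. The function names and the IPv4-only check are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, foreign chars, empty octet
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split on dots (digits/dots only here)
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Prints two lines:
#   1. the endpoint for DOCKER_HOST / --providers.docker.endpoint
#   2. the mapping for --add-host / extra_hosts (empty outside Pipelines)
# Returns non-zero if the Pipelines variable is set but malformed.
docker_endpoint_for_containers() {
  ip=${BITBUCKET_DOCKER_HOST_INTERNAL:-}
  if [ -z "$ip" ]; then
    # Not running in Pipelines: the default UNIX socket applies.
    printf '%s\n%s\n' "unix:///var/run/docker.sock" ""
    return 0
  fi
  if ! is_ipv4 "$ip"; then
    # Assumption: the variable holds an IPv4 address ("private IP" per the answer).
    echo "BITBUCKET_DOCKER_HOST_INTERNAL is not an IPv4 address; refusing to use it" >&2
    return 1
  fi
  printf '%s\n%s\n' "tcp://host.docker.internal:2375" "host.docker.internal:$ip"
}
```

Calling `docker_endpoint_for_containers` in the step before `docker compose up` makes a malformed variable fail the build with one clear message rather than leaving Traefik in its provider retry loop.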
