7

I am having trouble accessing docker daemon from a client using docker-py in Python. I started a docker daemon by the command `sudo docker -d &` and the output was `[1] 4894`. Then I tried to access the daemon from Python using the code that I got from here as root

```python
from docker import Client
cli = Client(base_url='unix://var/run/docker.sock')
cli.containers()
```

This gave me the error:

```
requests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
```

I also tried

```python
cli = Client(base_url='tcp://127.0.0.1:4894')
```

but it gave me the same error.

ForceBru
JackOrJones
  • when you run `sudo docker -d` without & what do you see? – Padraic Cunningham Apr 17 '15 at 15:32
  • @PadraicCunningham I see `2015/04/17 17:36:33 docker daemon: 1.2.0 fa7b24f; execdriver: native; graphdriver: [e7234094] +job serveapi(unix:///var/run/docker.sock) [info] Listening for HTTP on unix (/var/run/docker.sock) 2015/04/17 17:36:33 pid file found, ensure docker is not running or delete /var/run/docker.pid` when running `sudo docker -d` – JackOrJones Apr 17 '15 at 15:38

2 Answers

12

It seems that the /var/run/docker.sock file has the incorrect permissions. As the docker daemon is started as root, the permissions are probably too restrictive.

If you change the permissions to allow other users to access it you should have more success (e.g. o=rwx).

extols
  • Also if you do want to use sockets over TCP you may need to check the permissions of the socket as you are starting the process as root. – extols Apr 17 '15 at 15:45
  • Thank you. I tried this, but it also gave me the same error. – JackOrJones Apr 17 '15 at 15:48
  • Can you check the permissions of /var/run/docker.sock? – extols Apr 17 '15 at 15:49
  • 1
    The permissions were `srw-rw----`. I used `chmod o=rwx docker.sock`. I got another error when running the code: `docker.errors.APIError: 404 Client Error: Not Found ("client and server don't have same version (client : 1.17, server: 1.14)")` – JackOrJones Apr 17 '15 at 15:58
  • Well, that is your original problem solved now. That error is exactly what it says, version mismatch - find a compatible client library or upgrade your server – extols Apr 17 '15 at 15:59
  • 1
    Works like a charm! – FloatingRock Dec 05 '16 at 13:18
  • Have this problem running the nrpe check_docker_container_status (actually ALL of these docker plugins) from HariSekhon's nrpe plugin repo in github. The plugin command LOCALLY works fine. Run from the nagios server (ie. the whole point of nrpe), it fails. Giving o=rwx to /var/run/docker.sock fixes this problem, but I think it would probably be insane and stupid to run in production in this configuration. (actually: only "w" was required for this use-case). Also: adding nrpe user to docker group didn't fix it. – NDP Dec 19 '19 at 17:15
2

The issue is indeed that /var/run/docker.sock has the incorrect permissions. To fix it, you need to give the current user access to this file.

However, on Linux, giving o=rwx rights to /var/run/docker.sock is very dangerous as it allows any user and service on the system to run commands as root. Indeed access to /var/run/docker.sock implies full root access to the machine. See https://docs.docker.com/engine/security/#docker-daemon-attack-surface

A less dangerous approach consists in creating the group docker and adding the current user to this group. See https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

However, this approach is still potentially dangerous as it gives the current user full root access without the protections that sudo offers (i.e., asking for the user's password from time to time and logging sudo calls).

See also What is the Docker security risk of /var/run/docker.sock?

(I unfortunately cannot comment hence I write my comment as an answer.)

Fabrice
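
An added example (not part of either answer, and not Docker's or docker-py's own code): a small Python check of who can reach the daemon through the socket, run here against the `srw-rw----` mode and the `o=rwx` change mentioned in the thread. It assumes Linux; `audit_mode` and `audit_path` are names made up for this example.

```python
import grp
import os
import stat

SOCK = "/var/run/docker.sock"  # socket path from the question


def audit_mode(mode, group_members=()):
    """Classify a socket's st_mode; returns a list of (severity, message)."""
    perms = stat.filemode(mode)  # e.g. 'srw-rw----'
    if not stat.S_ISSOCK(mode):
        return [("error", f"{perms}: not a unix socket")]
    findings = []
    # On Linux, connecting to a unix socket needs write permission on the
    # socket file, so the write bits decide who can drive the daemon.
    if mode & stat.S_IWOTH:
        findings.append(("critical",
                         f"{perms}: world-writable, every local account "
                         "can control the daemon (root-equivalent)"))
    if mode & stat.S_IWGRP:
        who = ", ".join(sorted(group_members)) or "(no supplementary members)"
        findings.append(("review",
                         f"{perms}: group-writable, root-equivalent "
                         f"members: {who}"))
    return findings or [("ok", f"{perms}: owner-only access")]


def audit_path(path=SOCK):
    """Stat the socket and list the supplementary members of its group."""
    st = os.stat(path)
    try:
        # gr_mem omits accounts that have this group as their primary group.
        members = grp.getgrgid(st.st_gid).gr_mem
    except KeyError:
        members = []
    return audit_mode(st.st_mode, members)


if __name__ == "__main__":
    try:
        for severity, message in audit_path():
            print(f"[{severity}] {message}")
    except FileNotFoundError:
        print(f"{SOCK} not found; is the daemon running?")
```
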