//./pipe/docker_engine access denied?

josephp90's Avatar


18 Nov, 2019 06:27 PM

  1. Support Staff 1 Posted by Feodor Fitsner on 18 Nov, 2019 06:52 PM

    Feodor Fitsner's Avatar

    Are you running that test inside container?

  2. 2 Posted by josephp90 on 18 Nov, 2019 08:32 PM

    josephp90's Avatar

    Yes my container test needs access to the docker socket to verify another

  3. Support Staff 3 Posted by Feodor Fitsner on 18 Nov, 2019 10:14 PM

    Feodor Fitsner's Avatar

    On Windows you cannot access Docker engine outside of container via named pipes. However, it should be possible to access it via TCP. For that you have to modify Docker config (https://docs.microsoft.com/en-us/virtualization/windowscontainers/m...) and restart Docker service.

  4. 4 Posted by josephp90 on 22 Nov, 2019 10:27 PM

    josephp90's Avatar

    ended up going with circleci which does not prevent mounting docker pipe as volume.

  5. Support Staff 5 Posted by Feodor Fitsner on 23 Nov, 2019 12:20 AM

    Feodor Fitsner's Avatar

    Would you mind sharing a link to Circle CI build? Would like to learn how you solved that problem.

  6. 6 Posted by josephp90 on 24 Nov, 2019 05:53 PM

    josephp90's Avatar
  7. 7 Posted by josephp90 on 26 Nov, 2019 10:44 AM

    josephp90's Avatar
  8. 8 Posted by josephp90 on 26 Nov, 2019 11:26 AM

    josephp90's Avatar

    When running this locally I get the following

      C:\..\..\appveyor-docker-pipe-test   master ≣  docker build -t appveyor-docker-cli-test .
    Sending build context to Docker daemon 81.41kB
    Step 1/4 : FROM stefanscherer/netapi-helper:1809
     ---> 800077c3ac65
    Step 2/4 : USER ContainerAdministrator
     ---> Using cache
     ---> 2d10d25abf93
    Step 3/4 : RUN curl --create-dirs -sSLfo C:/docker/docker.exe https://github.com/StefanScherer/docker-cli-builder/releases/download/19.03.3/docker.exe && setx /M PATH "%PATH%;C:/docker"
     ---> Using cache
     ---> 77d2ffac342a
    Step 4/4 : USER ContainerUser
     ---> Using cache
     ---> ee96c4a922d7
    Successfully built ee96c4a922d7
    Successfully tagged appveyor-docker-cli-test:latest

      C:\..\..\appveyor-docker-pipe-test   master ≣  docker run --rm -v \\.\pipe\docker_engine:\\.\pipe\docker_engine appveyor-docker-cli-test docker info
     Debug Mode: false

     Containers: 14
      Running: 2
      Paused: 0
      Stopped: 12
     Images: 90
     Server Version: 19.03.5
     Storage Driver: windowsfilter
     Logging Driver: json-file
      Volume: local
      Network: ics internal l2bridge l2tunnel nat null overlay private transparent
      Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
     Swarm: inactive
     Default Isolation: hyperv
     Kernel Version: 10.0 18363 (18362.1.amd64fre.19h1_release.190318-1202)
     Operating System: Windows 10 Enterprise Version 1909 (OS Build 18363.476)
     OSType: windows
     Architecture: x86_64
     CPUs: 8
     Total Memory: 15.81GiB
     Name: DK-LPT-JPT
     ID: MUC2:N5LU:7745:PYJG:FSZG:675A:FBWS:IDJE:C25R:5YJJ:3NKO:4275
     Docker Root Dir: C:\ProgramData\Docker
     Debug Mode: false
     Registry: https://index.docker.io/v1/
     Experimental: false
     Insecure Registries:
     Live Restore Enabled: false
     Product License: Community Engine

  9. Support Staff 9 Posted by Feodor Fitsner on 26 Nov, 2019 05:39 PM

    Feodor Fitsner's Avatar

    Thank you for the repro provided! You were right, Windows build 1809 and up allows accessing Docker on the host from the containers via named pipes.

    To be able to run your tests you should run your build on Visual Studio 2019 image which is based on Windows Server 2019.

    I've got a simpler one-line repro showing docker command working inside container:

  10. 10 Posted by josephp90 on 26 Nov, 2019 06:43 PM

    josephp90's Avatar

    Please have a look at the appveyor.yml again

    Clearly it is using
      - Visual Studio 2019

    If you look at the log it clearly shows that docker info is unable to contact the docker pipe

    docker run --rm -v \\.\pipe\docker_engine:\\.\pipe\docker_engine appveyor-docker-cli-test docker info
     Debug Mode: false
    ERROR: error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.40/info: open //./pipe/docker_engine: Access is denied. In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.
    errors pretty printing info
    Build success

  11. 11 Posted by josephp90 on 26 Nov, 2019 06:44 PM

    josephp90's Avatar

    Perhaps the issue is located between the appveyor.yml and the settings inside the project https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test/settings/environment

  12. 12 Posted by josephp90 on 26 Nov, 2019 06:59 PM

    josephp90's Avatar

    okay so your test case work (I copied into my repro)

    so what's different on your 1809 image vs ours that prevents us from accessing docker socket?

    Again this docker image build from the dockerfile works on our 1809 images and on our 1909 and 1903 computers.

  13. 13 Posted by josephp90 on 26 Nov, 2019 07:00 PM

    josephp90's Avatar

    Listing the envs shows that appveyor runs Visual Studio 2019

  14. 14 Posted by stefan.scherer on 28 Nov, 2019 09:46 AM

    stefan.scherer's Avatar

    It's working for me with both builders:

    docker run --rm -v \.\pipe\docker_engine:\.\pipe\docker_engine stefanscherer/docker-cli-windows docker version

    In your Dockerfile you switch back to USER ContainerUser, this user does not have access to the named pipe.

  15. 15 Posted by josephp90 on 28 Nov, 2019 02:13 PM

    josephp90's Avatar

    Thanks stefan so on appveyor containeruser does not have access.

    We tested out Azure pipelines as well which seems to not have this limitation :)

  16. 16 Posted by ericvbrumfield on 30 Apr, 2020 02:15 PM

    ericvbrumfield's Avatar

    Not specific to appveyor, but I found myself in this thread and figured I'd post to possibly help others. Here's a setup I got around in Windows Server 2016 using docker commands in a Jenkins slave/agent on this node. Instead of running Jenkins under the default Local System account I had to switch it to use a Jenkins user account I created in windows. For context, the Jenkins agent on this server ran from a scheduled task as this user and the windows service for Jenkins does too.

    Docker version: 19.03.5
    Windows server based off Windows_Server-2016-English-Full-ECS_Optimized-2020.04.16 AWS image.

    Gist of the steps I had to do:

    1. Created a docker and docker-users group in windows.
    2. Granted log on as batch to Jenkins user account for the scheduled task to run at startup.
    3. Added the new Jenkins user to docker and docker-users groups.
    4. Specified "group": "docker" in docker daemon.json.
    5. Make sure to restart the tasks and services involved (docker, jenkins windows service and the scheduled task for the Jenkins agent).
    6. Also setup directory permissions for the Jenkins user regarding Jenkins specific dirs.

    End result was being able to work with docker from a non-administrator account in Windows Server 2016. From all the github threads I've read I'm unsure if docker-users group was necessary, but at least some version of docker in windows uses that for linux based containers that I've read when it's switched to that mode.

    I initially tried to use https://github.com/tfenster/dockeraccesshelper , which looks great, but it didn't work for some reason and never changed the acl settings on the pipe.

  17. Support Staff 17 Posted by Feodor Fitsner on 30 Apr, 2020 06:12 PM

    Feodor Fitsner's Avatar

    Fantastic, thanks for sharing your solution!

  18. Feodor Fitsner closed this discussion on 30 Jun, 2020 09:03 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac