//./pipe/docker_engine access denied?
Getting access denied on a test that uses //./pipe/docker_engine
https://ci.appveyor.com/project/casz/containerized-structure-test/builds/28944200/job/l9rljb6df48wq4i0#L143
Support Staff 1 Posted by Feodor Fitsner on 18 Nov, 2019 06:52 PM
Are you running that test inside container?
2 Posted by josephp90 on 18 Nov, 2019 08:32 PM
Yes my container test needs access to the docker socket to verify another image.
Support Staff 3 Posted by Feodor Fitsner on 18 Nov, 2019 10:14 PM
On Windows you cannot access Docker engine outside of container via named pipes. However, it should be possible to access it via TCP. For that you have to modify Docker config (https://docs.microsoft.com/en-us/virtualization/windowscontainers/m...) and restart Docker service.
4 Posted by josephp90 on 22 Nov, 2019 10:27 PM
Ended up going with CircleCI, which does not prevent mounting the docker pipe as a volume.
Support Staff 5 Posted by Feodor Fitsner on 23 Nov, 2019 12:20 AM
Would you mind sharing a link to Circle CI build? Would like to learn how you solved that problem.
6 Posted by josephp90 on 24 Nov, 2019 05:53 PM
Nothing special, their Windows VM uses 2019 server running Docker Engine - Enterprise version 18.09.7
https://circleci.com/docs/2.0/hello-world-windows/#software-pre-installed-in-the-windows-image
https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/.circleci/config.yml
These tests use the docker volume: https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/Test-Source/Invoke-DockerTests.Tests.ps1
7 Posted by josephp90 on 26 Nov, 2019 10:44 AM
Hey Feodor
I have created a repro
https://github.com/casz/appveyor-docker-pipe-test
https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test
8 Posted by josephp90 on 26 Nov, 2019 11:26 AM
When running this locally I get the following
```
C:\..\..\appveyor-docker-pipe-test master ≣ docker build -t appveyor-docker-cli-test .
Sending build context to Docker daemon 81.41kB
Step 1/4 : FROM stefanscherer/netapi-helper:1809
---> 800077c3ac65
Step 2/4 : USER ContainerAdministrator
---> Using cache
---> 2d10d25abf93
Step 3/4 : RUN curl --create-dirs -sSLfo C:/docker/docker.exe https://github.com/StefanScherer/docker-cli-builder/releases/download/19.03.3/docker.exe && setx /M PATH "%PATH%;C:/docker"
---> Using cache
---> 77d2ffac342a
Step 4/4 : USER ContainerUser
---> Using cache
---> ee96c4a922d7
Successfully built ee96c4a922d7
Successfully tagged appveyor-docker-cli-test:latest
C:\..\..\appveyor-docker-pipe-test master ≣ docker run --rm -v \\.\pipe\docker_engine:\\.\pipe\docker_engine appveyor-docker-cli-test docker info
Client:
Debug Mode: false
Server:
Containers: 14
Running: 2
Paused: 0
Stopped: 12
Images: 90
Server Version: 19.03.5
Storage Driver: windowsfilter
Windows:
Logging Driver: json-file
Plugins:
Volume: local
Network: ics internal l2bridge l2tunnel nat null overlay private transparent
Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
Swarm: inactive
Default Isolation: hyperv
Kernel Version: 10.0 18363 (18362.1.amd64fre.19h1_release.190318-1202)
Operating System: Windows 10 Enterprise Version 1909 (OS Build 18363.476)
OSType: windows
Architecture: x86_64
CPUs: 8
Total Memory: 15.81GiB
Name: DK-LPT-JPT
ID: MUC2:N5LU:7745:PYJG:FSZG:675A:FBWS:IDJE:C25R:5YJJ:3NKO:4275
Docker Root Dir: C:\ProgramData\Docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
```
Support Staff 9 Posted by Feodor Fitsner on 26 Nov, 2019 05:39 PM
Thank you for the repro provided! You were right, Windows build 1809 and up allows accessing Docker on the host from the containers via named pipes.
To be able to run your tests you should run your build on `Visual Studio 2019` image which is based on Windows Server 2019.
I've got a simpler one-line repro showing `docker` command working inside container: https://ci.appveyor.com/project/FeodorFitsner/simple-console/builds...
10 Posted by josephp90 on 26 Nov, 2019 06:43 PM
Please have a look at the appveyor.yml again
Clearly it is using
```
image:
- Visual Studio 2019
```
If you look at the log it clearly shows that docker info is unable to contact the docker pipe
```
docker run --rm -v \\.\pipe\docker_engine:\\.\pipe\docker_engine appveyor-docker-cli-test docker info
Client:
Debug Mode: false
Server:
ERROR: error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.40/info: open //./pipe/docker_engine: Access is denied. In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.
errors pretty printing info
Build success
```
11 Posted by josephp90 on 26 Nov, 2019 06:44 PM
Perhaps the issue is located between the appveyor.yml and the settings inside the project https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test/settings/environment
12 Posted by josephp90 on 26 Nov, 2019 06:59 PM
Okay, so your test case works (I copied it into my repro),
so what's different on your 1809 image vs ours that prevents us from accessing the docker socket?
Again, this docker image built from the Dockerfile works on our 1809 images and on our 1909 and 1903 computers.
13 Posted by josephp90 on 26 Nov, 2019 07:00 PM
Listing the envs shows that appveyor runs Visual Studio 2019
14 Posted by stefan.scherer on 28 Nov, 2019 09:46 AM
It's working for me with both builders:
In your Dockerfile you switch back to `USER ContainerUser`, this user does not have access to the named pipe.
15 Posted by josephp90 on 28 Nov, 2019 02:13 PM
Thanks Stefan, so on AppVeyor ContainerUser does not have access.
We tested out Azure pipelines as well which seems to not have this limitation :)
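
A way to check the cause identified in post 14 on any Windows host, as an added example that is not part of the thread: it runs the repro image under each built-in container account with `docker run --user` and reports which account can reach the daemon through the mounted pipe. The image name comes from the repro above; the function name `Test-DockerPipeAccess` is hypothetical, and the script assumes a `docker` CLI on the host PATH.

```powershell
# Added example (not from the thread): report which Windows container
# accounts can open the host's Docker named pipe when it is mounted.
$Image = 'appveyor-docker-cli-test'          # image built in the repro above
$Users = 'ContainerAdministrator', 'ContainerUser'

function Test-DockerPipeAccess {             # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Image,
        [Parameter(Mandatory)] [string] $User,
        [string] $Pipe = '\\.\pipe\docker_engine'
    )

    # --user overrides whatever USER the Dockerfile ended on, so the same
    # image can be tested under both accounts without rebuilding it.
    # 'docker version' with a .Server field exits non-zero when the client
    # inside the container cannot connect to the daemon.
    $output = & docker run --rm --user $User -v "${Pipe}:${Pipe}" $Image `
        docker version --format '{{.Server.Version}}' 2>&1

    [pscustomobject]@{
        User          = $User
        PipeReachable = ($LASTEXITCODE -eq 0)
        Detail        = ($output | Out-String).Trim()
    }
}

# One row per account: a reachable pipe shows the server version in Detail,
# a blocked one shows the "Access is denied" error text.
$Users |
    ForEach-Object { Test-DockerPipeAccess -Image $Image -User $_ } |
    Format-Table -AutoSize -Wrap
```

An account that shows `PipeReachable = True` can drive the host's Docker engine from inside the container, so the table also documents which container users hold that level of access on a given build host.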