//./pipe/docker_engine access denied?
Getting access denied on a test that uses //./pipe/docker_engine
https://ci.appveyor.com/project/casz/containerized-structure-test/builds/28944200/job/l9rljb6df48wq4i0#L143
Support Staff 1 Posted by Feodor Fitsner on 18 Nov, 2019 06:52 PM
Are you running that test inside container?
2 Posted by josephp90 on 18 Nov, 2019 08:32 PM
Yes my container test needs access to the docker socket to verify another
image.
Support Staff 3 Posted by Feodor Fitsner on 18 Nov, 2019 10:14 PM
On Windows you cannot access Docker engine outside of container via named pipes. However, it should be possible to access it via TCP. For that you have to modify Docker config (https://docs.microsoft.com/en-us/virtualization/windowscontainers/m...) and restart Docker service.
4 Posted by josephp90 on 22 Nov, 2019 10:27 PM
Ended up going with CircleCI, which does not prevent mounting the docker pipe as a volume.
Support Staff 5 Posted by Feodor Fitsner on 23 Nov, 2019 12:20 AM
Would you mind sharing a link to Circle CI build? Would like to learn how you solved that problem.
6 Posted by josephp90 on 24 Nov, 2019 05:53 PM
Nothing special, their Windows VM uses 2019 server running Docker Engine - Enterprise version 18.09.7
https://circleci.com/docs/2.0/hello-world-windows/#software-pre-installed-in-the-windows-image
https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/.circleci/config.yml
These tests use the docker volume: https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/Test-Source/Invoke-DockerTests.Tests.ps1
7 Posted by josephp90 on 26 Nov, 2019 10:44 AM
Hey Feodor
I have created a repro
https://github.com/casz/appveyor-docker-pipe-test
https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test
8 Posted by josephp90 on 26 Nov, 2019 11:26 AM
When running this locally I get the following
```
C:\..\..\appveyor-docker-pipe-test master ≣ docker build -t appveyor-docker-cli-test .
Sending build context to Docker daemon 81.41kB
Step 1/4 : FROM stefanscherer/netapi-helper:1809
---> 800077c3ac65
Step 2/4 : USER ContainerAdministrator
---> Using cache
---> 2d10d25abf93
Step 3/4 : RUN curl --create-dirs -sSLfo C:/docker/docker.exe https://github.com/StefanScherer/docker-cli-builder/releases/download/19.03.3/docker.exe && setx /M PATH "%PATH%;C:/docker"
---> Using cache
---> 77d2ffac342a
Step 4/4 : USER ContainerUser
---> Using cache
---> ee96c4a922d7
Successfully built ee96c4a922d7
Successfully tagged appveyor-docker-cli-test:latest
C:\..\..\appveyor-docker-pipe-test master ≣ docker run --rm -v \\.\pipe\docker_engine:\\.\pipe\docker_engine appveyor-docker-cli-test docker info
Client:
Debug Mode: false
Server:
Containers: 14
Running: 2
Paused: 0
Stopped: 12
Images: 90
Server Version: 19.03.5
Storage Driver: windowsfilter
Windows:
Logging Driver: json-file
Plugins:
Volume: local
Network: ics internal l2bridge l2tunnel nat null overlay private transparent
Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
Swarm: inactive
Default Isolation: hyperv
Kernel Version: 10.0 18363 (18362.1.amd64fre.19h1_release.190318-1202)
Operating System: Windows 10 Enterprise Version 1909 (OS Build 18363.476)
OSType: windows
Architecture: x86_64
CPUs: 8
Total Memory: 15.81GiB
Name: DK-LPT-JPT
ID: MUC2:N5LU:7745:PYJG:FSZG:675A:FBWS:IDJE:C25R:5YJJ:3NKO:4275
Docker Root Dir: C:\ProgramData\Docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
```
Support Staff 9 Posted by Feodor Fitsner on 26 Nov, 2019 05:39 PM
Thank you for the repro provided! You were right, Windows build 1809 and up allows accessing Docker on the host from the containers via named pipes.
To be able to run your tests you should run your build on `Visual Studio 2019` image which is based on Windows Server 2019. I've got a simpler one-line repro showing `docker` command working inside container: https://ci.appveyor.com/project/FeodorFitsner/simple-console/builds...
10 Posted by josephp90 on 26 Nov, 2019 06:43 PM
Please have a look at the appveyor.yml again
Clearly it is using
```
image:
- Visual Studio 2019
```
If you look at the log it clearly shows that docker info is unable to contact the docker pipe
```
docker run --rm -v \\.\pipe\docker_engine:\\.\pipe\docker_engine appveyor-docker-cli-test docker info
Client:
Debug Mode: false
Server:
ERROR: error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.40/info: open //./pipe/docker_engine: Access is denied. In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.
errors pretty printing info
Build success
```
11 Posted by josephp90 on 26 Nov, 2019 06:44 PM
Perhaps the issue is located between the appveyor.yml and the settings inside the project https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test/settings/environment
12 Posted by josephp90 on 26 Nov, 2019 06:59 PM
Okay, so your test case works (I copied it into my repro).
So what's different on your 1809 image vs ours that prevents us from accessing the docker socket?
Again, this docker image built from the Dockerfile works on our 1809 images and on our 1909 and 1903 computers.
13 Posted by josephp90 on 26 Nov, 2019 07:00 PM
Listing the envs shows that appveyor runs Visual Studio 2019
14 Posted by stefan.scherer on 28 Nov, 2019 09:46 AM
It's working for me with both builders:
In your Dockerfile you switch back to `USER ContainerUser`, this user does not have access to the named pipe.
15 Posted by josephp90 on 28 Nov, 2019 02:13 PM
Thanks Stefan, so on AppVeyor ContainerUser does not have access.
We tested out Azure pipelines as well which seems to not have this limitation :)
16 Posted by ericvbrumfield on 30 Apr, 2020 02:15 PM
Not specific to appveyor, but I found myself in this thread and figured I'd post to possibly help others. Here's a setup I got around in Windows Server 2016 using docker commands in a Jenkins slave/agent on this node. Instead of running Jenkins under the default Local System account I had to switch it to use a Jenkins user account I created in windows. For context, the Jenkins agent on this server ran from a scheduled task as this user and the windows service for Jenkins does too.
Docker version: 19.03.5
Windows server based off Windows_Server-2016-English-Full-ECS_Optimized-2020.04.16 AWS image.
Gist of the steps I had to do:
1. Created a docker and docker-users group in windows.
2. Granted log on as batch to Jenkins user account for the scheduled task to run at startup.
3. Added the new Jenkins user to docker and docker-users groups.
4. Specified "group": "docker" in docker daemon.json.
5. Make sure to restart the tasks and services involved (docker, jenkins windows service and the scheduled task for the Jenkins agent).
6. Also set up directory permissions for the Jenkins user regarding Jenkins specific dirs.
End result was being able to work with docker from a non-administrator account in Windows Server 2016. From all the github threads I've read I'm unsure if docker-users group was necessary, but at least some version of docker in windows uses that for linux based containers that I've read when it's switched to that mode.
I initially tried to use https://github.com/tfenster/dockeraccesshelper , which looks great, but it didn't work for some reason and never changed the acl settings on the pipe.
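Steps 1, 3, 4 and 5 of the post above written out in PowerShell, added here as an example and not taken from the poster's setup. The account name `jenkins`, the `docker` service name and the default `daemon.json` path are assumptions; steps 2 and 6 (logon right, directory permissions) are not covered. Any member of the configured group gets full control of the Docker engine through the pipe, so keep membership to the service account.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'   # abort before touching daemon.json if anything fails

# Assumed values (not from the post): local account name and config path.
$ServiceAccount = 'jenkins'
$Groups         = 'docker', 'docker-users'   # group names used in the post
$DaemonJson     = Join-Path $env:ProgramData 'docker\config\daemon.json'

# Steps 1 and 3: create each group if missing, then add the account once.
foreach ($g in $Groups) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $g -Description 'Docker engine access' | Out-Null
    }
    $isMember = Get-LocalGroupMember -Group $g |
        Where-Object { $_.Name -like "*\$ServiceAccount" }
    if (-not $isMember) {
        Add-LocalGroupMember -Group $g -Member $ServiceAccount
    }
}

# Step 4: merge "group": "docker" into daemon.json, keeping existing keys.
$config = [pscustomobject]@{}
if (Test-Path $DaemonJson) {
    Copy-Item $DaemonJson "$DaemonJson.bak" -Force   # keep a rollback copy
    $raw = Get-Content -Path $DaemonJson -Raw
    if ($raw -and $raw.Trim()) { $config = $raw | ConvertFrom-Json }
} else {
    New-Item -ItemType Directory -Path (Split-Path $DaemonJson) -Force | Out-Null
}
$config | Add-Member -NotePropertyName 'group' -NotePropertyValue 'docker' -Force
$json = $config | ConvertTo-Json -Depth 10

# Written without a BOM; Set-Content -Encoding UTF8 in PowerShell 5.1 adds one.
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($DaemonJson, $json, $utf8NoBom)

# Step 5: restart the engine so the pipe is recreated with the group in its ACL.
# 'docker' is the assumed service name for a Windows Server engine install.
Restart-Service -Name docker

# Review who can now reach the engine through the pipe.
Get-LocalGroupMember -Group 'docker' | Select-Object Name, PrincipalSource
```

The service account only picks up the new group membership at its next logon, so restart the Jenkins service and scheduled task as the post says, then run `docker info` from that account to confirm access.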
Support Staff 17 Posted by Feodor Fitsner on 30 Apr, 2020 06:12 PM
Fantastic, thanks for sharing your solution!
Feodor Fitsner closed this discussion on 30 Jun, 2020 09:03 PM.