tag:help.appveyor.com,2012-11-13:/discussions/problems/25465-pipedocker_engine-access-deniedAppVeyor: Discussion 2020-06-30T21:03:09Ztag:help.appveyor.com,2012-11-13:Comment/478480042019-11-18T18:52:45Z2019-11-18T18:52:45Z//./pipe/docker_engine access denied?<div><p>Are you running that test inside container?</p></div>Feodor Fitsnertag:help.appveyor.com,2012-11-13:Comment/478480042019-11-18T20:32:43Z2019-11-18T20:32:43Z//./pipe/docker_engine access denied?<div><p>Yes my container test needs access to the docker socket to verify another<br>
image.</p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-18T22:14:10Z2019-11-18T22:14:10Z//./pipe/docker_engine access denied?<div><p>On Windows you cannot access Docker engine outside of container via named pipes. However, it should be possible to access it via TCP. For that you have to modify Docker config (<a href="https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#configure-docker-with-a-configuration-file">https://docs.microsoft.com/en-us/virtualization/windowscontainers/m...</a>) and restart Docker service.</p></div>Feodor Fitsnertag:help.appveyor.com,2012-11-13:Comment/478480042019-11-22T22:27:36Z2019-11-22T22:27:47Z//./pipe/docker_engine access denied?<div><p>ended up going with circleci which does not prevent mounting docker pipe as volume.</p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-23T00:20:46Z2019-11-23T00:20:46Z//./pipe/docker_engine access denied?<div><p>Would you mind sharing a link to Circle CI build? Would like to learn how you solved that problem.</p></div>Feodor Fitsnertag:help.appveyor.com,2012-11-13:Comment/478480042019-11-24T17:53:11Z2019-11-24T17:54:07Z//./pipe/docker_engine access denied?<div><p>Nothing special their windows VM uses 2019 server running Docker Engine - Enterprise version 18.09.7</p>
<p><a href="https://circleci.com/docs/2.0/hello-world-windows/#software-pre-installed-in-the-windows-image">https://circleci.com/docs/2.0/hello-world-windows/#software-pre-ins...</a></p>
<p><a href="https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/.circleci/config.yml">https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/.circle...</a></p>
<p>These tests uses the docker volume: <a href="https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/Test-Source/Invoke-DockerTests.Tests.ps1">https://github.com/3shapeAS/docker-ci/blob/fix/dockerSocket/Test-So...</a></p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-26T10:44:12Z2019-11-26T10:44:12Z//./pipe/docker_engine access denied?<div><p>Hey Feodor</p>
<p>I have created a repro</p>
<p><a href="https://github.com/casz/appveyor-docker-pipe-test">https://github.com/casz/appveyor-docker-pipe-test</a><br>
<a href="https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test">https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test</a></p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-26T11:26:10Z2019-11-26T11:26:10Z//./pipe/docker_engine access denied?<div><p>When running this locally I get the following</p>
<pre>
<code>  C:\..\..\appveyor-docker-pipe-test   master ≣  docker build -t appveyor-docker-cli-test .
Sending build context to Docker daemon 81.41kB
Step 1/4 : FROM stefanscherer/netapi-helper:1809
---> 800077c3ac65
Step 2/4 : USER ContainerAdministrator
---> Using cache
---> 2d10d25abf93
Step 3/4 : RUN curl --create-dirs -sSLfo C:/docker/docker.exe https://github.com/StefanScherer/docker-cli-builder/releases/download/19.03.3/docker.exe && setx /M PATH "%PATH%;C:/docker"
---> Using cache
---> 77d2ffac342a
Step 4/4 : USER ContainerUser
---> Using cache
---> ee96c4a922d7
Successfully built ee96c4a922d7
Successfully tagged appveyor-docker-cli-test:latest
 C:\..\..\appveyor-docker-pipe-test   master ≣  docker run --rm -v \\.\pipe\docker_engine:\\.\pipe\docker_engine appveyor-docker-cli-test docker info
Client:
Debug Mode: false
Server:
Containers: 14
Running: 2
Paused: 0
Stopped: 12
Images: 90
Server Version: 19.03.5
Storage Driver: windowsfilter
Windows:
Logging Driver: json-file
Plugins:
Volume: local
Network: ics internal l2bridge l2tunnel nat null overlay private transparent
Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
Swarm: inactive
Default Isolation: hyperv
Kernel Version: 10.0 18363 (18362.1.amd64fre.19h1_release.190318-1202)
Operating System: Windows 10 Enterprise Version 1909 (OS Build 18363.476)
OSType: windows
Architecture: x86_64
CPUs: 8
Total Memory: 15.81GiB
Name: DK-LPT-JPT
ID: MUC2:N5LU:7745:PYJG:FSZG:675A:FBWS:IDJE:C25R:5YJJ:3NKO:4275
Docker Root Dir: C:\ProgramData\Docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine</code>
</pre></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-26T17:39:52Z2019-11-26T17:39:52Z//./pipe/docker_engine access denied?<div><p>Thank you for the repro provided! You were right, Windows build 1809 and up allows accessing Docker on the host from the containers via named pipes.</p>
<p>To be able to run your tests you should run your build on <code>Visual Studio 2019</code> image which is based on Windows Server 2019.</p>
<p>I've got a simpler one-line repro showing <code>docker</code> command working inside container:<br>
<a href="https://ci.appveyor.com/project/FeodorFitsner/simple-console/builds/29136352#L9">https://ci.appveyor.com/project/FeodorFitsner/simple-console/builds...</a></p></div>Feodor Fitsnertag:help.appveyor.com,2012-11-13:Comment/478480042019-11-26T18:43:49Z2019-11-26T18:43:49Z//./pipe/docker_engine access denied?<div><p>Please have a look at the appveyor.yml again</p>
<p>Clearly it is using<br>
image:<br>
- Visual Studio 2019</p>
<p>If you look at the log it clearly shows that docker info is unable to contact the docker pipe</p>
<p>docker run --rm -v \.\pipe\docker_engine:\.\pipe\docker_engine appveyor-docker-cli-test docker info<br>
Client:<br>
Debug Mode: false Server:<br>
ERROR: error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.40/info: open //./pipe/docker_engine: Access is denied. In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.<br>
errors pretty printing info<br>
Build success</p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-26T18:44:59Z2019-11-26T18:44:59Z//./pipe/docker_engine access denied?<div><p>Perhaps the issue is located between the appveyor.yml and the settings inside the project <a href="https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test/settings/environment">https://ci.appveyor.com/project/casz/appveyor-docker-pipe-test/sett...</a></p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-26T18:59:42Z2019-11-26T18:59:42Z//./pipe/docker_engine access denied?<div><p>okay so your test case work (I copied into my repro)</p>
<p>so what's different on your 1809 image vs ours that prevents us from accessing docker socket?</p>
<p>Again this docker image build from the dockerfile works on our 1809 images and on our 1909 and 1903 computers.</p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-26T19:00:14Z2019-11-26T19:00:14Z//./pipe/docker_engine access denied?<div><p>Listing the envs shows that appveyor runs Visual Studio 2019</p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042019-11-28T09:46:32Z2019-11-28T09:46:34Z//./pipe/docker_engine access denied?<div><p>It's working for me with both builders:<br></p>
<pre>
<code>docker run --rm -v \.\pipe\docker_engine:\.\pipe\docker_engine stefanscherer/docker-cli-windows docker version</code>
</pre>
<ul>
<li>"Windows Server 2019": <a href="https://ci.appveyor.com/project/StefanScherer/appveyortest/builds/29179543">https://ci.appveyor.com/project/StefanScherer/appveyortest/builds/2...</a> with Docker CE</li>
<li>"Visual Studio 2019": <a href="https://ci.appveyor.com/project/StefanScherer/appveyortest/builds/29179628">https://ci.appveyor.com/project/StefanScherer/appveyortest/builds/2...</a> with Docker EE</li>
</ul>
<p>In your Dockerfile you switch back to <code>USER ContainerUser</code>, this user does not have access to the named pipe.</p></div>stefan.scherertag:help.appveyor.com,2012-11-13:Comment/478480042019-11-28T14:13:17Z2019-11-28T14:13:17Z//./pipe/docker_engine access denied?<div><p>Thanks stefan so on appveyor containeruser does not have access.</p>
<p>We tested out Azure pipelines as well which seems to not have this limitation :)</p></div>josephp90tag:help.appveyor.com,2012-11-13:Comment/478480042020-04-30T14:15:19Z2020-04-30T16:03:42Z//./pipe/docker_engine access denied?<div><p>Not specific to appveyor, but I found myself in this thread and figured I'd post to possibly help others. Here's a setup I got around in Windows Server 2016 using docker commands in a Jenkins slave/agent on this node. Instead of running Jenkins under the default Local System account I had to switch it to use a Jenkins user account I created in windows. For context, the Jenkins agent on this server ran from a scheduled task as this user and the windows service for Jenkins does too.</p>
<p>Docker version: 19.03.5<br>
Windows server based off Windows_Server-2016-English-Full-ECS_Optimized-2020.04.16 AWS image.</p>
<p>Gist of the steps I had to do:</p>
<ol>
<li>Created a docker and docker-users group in windows.<br></li>
<li>Granted log on as batch to Jenkins user account for the scheduled task to run at startup.<br></li>
<li>Added the new Jenkins user to docker and docker-users groups.<br></li>
<li>Specified "group": "docker" in docker daemon.json.<br></li>
<li>Make sure to restart the tasks and services involved (docker, jenkins windows service and the scheduled task for the Jenkins agent).<br></li>
<li>Also setup directory permissions for the Jenkins user regarding Jenkins specific dirs.</li>
</ol>
<p>End result was being able to work with docker from a non-administrator account in Windows Server 2016. From all the github threads I've read I'm unsure if docker-users group was necessary, but at least some version of docker in windows uses that for linux based containers that I've read when it's switched to that mode.</p>
<p>I initially tried to use <a href="https://github.com/tfenster/dockeraccesshelper">https://github.com/tfenster/dockeraccesshelper</a> , which looks great, but it didn't work for some reason and never changed the acl settings on the pipe.</p></div>ericvbrumfieldtag:help.appveyor.com,2012-11-13:Comment/478480042020-04-30T18:12:13Z2020-04-30T18:12:13Z//./pipe/docker_engine access denied?<div><p>Fantastic, thanks for sharing your solution!</p></div>Feodor Fitsner