Comments (13)

 avatar commented on May 18, 2024 3

I found the option that works well on my environment: --security-opt=label:type:docker_t
Does it work for you?

from nginx-proxy.

sasuw avatar sasuw commented on May 18, 2024 1

--security-opt=label:type:docker_t

This is working for me as well, thanks! (I am on a Fedora 29, freshly installed.) Maybe it could be documented somewhere?

Also fixes the issue on Fedora CoreOS 32.

from nginx-proxy.

cuzzo333 avatar cuzzo333 commented on May 18, 2024 1

Hoping to get some support on this issue. In my environment we're looking to run nginx-proxy with a non-root user account. I've cloned the nginx-proxy repository so that I could modify the Dockerfile for my purposes (creating a non-root user, chown'ing necessary directories, etc.)

One area I am still stuck on is permissions to /tmp/docker.sock. I've attempted the various fixes already mentioned here but I believe my issue is slightly different in that I am attempting to run nginx-proxy with a non-root user.

Does anybody know if it's possible to modify permissions on /tmp/docker.sock for a non-root user? I've attempted a few other things such as mounting the volume during my docker run command as a non-root user but still can't find a way around this.

from nginx-proxy.

jwilder avatar jwilder commented on May 18, 2024

Only thing I can think of is that you don't have permission to read /var/run/docker.sock on your host so it may not be getting mounted into the container. Maybe try sudo docker run or check the perms on /var/run/docker.sock?

from nginx-proxy.

rdavaillaud avatar rdavaillaud commented on May 18, 2024

I have the same problem.

  • host: Fedora 20
  • docker : Docker version 1.2.0, build fa7b24f/1.2.0

I have found that when disabling SELinux, the problem is gone.
But I don't know how to keep SELinux enabled with this.

from nginx-proxy.

jwilder avatar jwilder commented on May 18, 2024

Did any of the suggestions I mentioned earlier help? Another idea might be to try and mount docker.sock to a different location w/ something like:

docker run -d -p 80:80 -v /var/run/docker.sock:/var/run/docker.sock -e DOCKER_HOST=unix:///var/run/docker.sock jwilder/nginx-proxy

from nginx-proxy.

rdavaillaud avatar rdavaillaud commented on May 18, 2024

No, it doesn't.
I managed to get a little further with chcon -Rt svirt_sandbox_file_t /var/run/docker.sock on the host, but only to get here:

forego     | starting nginx.1 on port 5000
forego     | starting dockergen.1 on port 5100
dockergen.1 | 2014/10/16 16:13:32 error listing containers: dial unix /var/run/docker.sock: permission denied
dockergen.1 | 2014/10/16 16:13:32 Watching docker events
dockergen.1 | 2014/10/16 16:13:32 cannot connect to docker: dial unix /var/run/docker.sock: permission denied
dockergen.1 | 2014/10/16 16:13:42 cannot connect to docker: dial unix /var/run/docker.sock: permission denied

The container is running (instead of stopping), but looping on the connection error.

After some research, I can say that this is with no doubt a SELinux problem, using setenforce 0 on the host and dockergen can connect.

forego     | starting nginx.1 on port 5000
forego     | starting dockergen.1 on port 5100
dockergen.1 | 2014/10/16 16:17:48 Generated '/etc/nginx/conf.d/default.conf' from 1 containers
dockergen.1 | 2014/10/16 16:17:48 Running 'nginx -s reload'
dockergen.1 | 2014/10/16 16:17:48 Watching docker events

Maybe a specific SELinux policy or a command may correct this, but I'm not a SELinux expert...

It's working, but we have to disable SELinux, which is not a good solution.

from nginx-proxy.

jwilder avatar jwilder commented on May 18, 2024

Docker 1.3 now has a --security-opt flag for setting SELinux and AppArmor labels and policies. That might allow you to work around this while keeping SELinux enabled. If you are able to get it working w/ that option, please let me know what worked so I can add it to the documentation.

from nginx-proxy.

JeremyRand avatar JeremyRand commented on May 18, 2024

Was there any luck in solving this?

from nginx-proxy.

rdavaillaud avatar rdavaillaud commented on May 18, 2024

@sigelinde Yes, it passes the step, now I've got another problem, but it's not the same!
Thank you

from nginx-proxy.

gabeos avatar gabeos commented on May 18, 2024

I've gotten this to work by adding a module to the SELinux policy.

My current module is here:
https://gist.github.com/2205f8e36dfa3d2f5b63

compile and add to policy with:

# checkmodule -M -m -o docker_socketaccess.mod docker_socketaccess.te
# semodule_package -o docker_socketaccess.pp -m docker_socketaccess.mod
# semodule -i docker_socketaccess.pp 

Should work, but if not, you can check why by running:

# grep docker /var/log/audit/audit.log | audit2why

and you can generate a new module to insert that will allow the currently denied behavior with:

# grep docker /var/log/audit/audit.log | audit2allow -M <module_name>
# semodule -i <module_name>.pp

from nginx-proxy.
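
An added example, not part of the comment above or of the linked gist: before feeding `grep docker ... | audit2allow` output into a module, the denials can be narrowed to the ones that actually concern the Docker socket, so the resulting rules can be reviewed one by one. The audit lines below are constructed samples, and the type names in them (svirt_lxc_net_t, docker_var_run_t) are assumptions modelled on Fedora's Docker policy of that period; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); the type names are
# assumptions. Line 3 also matches "grep docker" but is unrelated to the socket.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1413475412.101:901): avc:  denied  { write } for  pid=2211 comm="docker-gen" name="docker.sock" dev="tmpfs" ino=20114 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:docker_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1413475412.102:902): avc:  denied  { connectto } for  pid=2211 comm="docker-gen" path="/run/docker.sock" scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1413475413.300:903): avc:  denied  { read } for  pid=2300 comm="docker" name="shadow" dev="dm-0" ino=3391 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1413475413.300:903): arch=c000003e syscall=2 success=no exit=-13 comm="docker"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*?)'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SOCKET_CLASSES = {"sock_file", "unix_stream_socket"}

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def socket_denials(log_text, socket_name="docker.sock"):
    """Collect denied perms per (source type, target type, class), socket only."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] not in SOCKET_CLASSES:
            continue  # not an AVC denial, or not a socket object class
        if socket_name not in m["fields"]:
            continue  # socket-class denial on some other socket
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def as_te_rules(rules):
    """Render the denials as type-enforcement allow rules for manual review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_te_rules(socket_denials(SAMPLE_AUDIT_LOG))))
```

The denial against shadow_t in the sample is dropped even though it contains the string "docker", which is the kind of entry a plain grep would pass on to audit2allow.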

Mr00Anderson avatar Mr00Anderson commented on May 18, 2024

I have also had this issue. After much searching I found out that my username space was enabled and preventing my container from having docker.sock access. --userns=host resolved my issue.

OS: Alpine

from nginx-proxy.

akiross avatar akiross commented on May 18, 2024

--security-opt=label:type:docker_t

This is working for me as well, thanks! (I am on a Fedora 29, freshly installed.) Maybe it could be documented somewhere?

from nginx-proxy.
