So we (like many other labs) store our user identity information in LDAP. I created a docker group in LDAP so that its membership is valid across our cluster. When I tried to run a docker command, however, I got this error:
Get http:///var/run/docker.sock/v1.20/containers/json: dial unix /var/run/docker.sock: permission denied. * Are you trying to connect to a TLS-enabled daemon without TLS? * Is your docker daemon up and running?
Turns out that /var/run/docker.sock was owned by root:docker as expected. Running the docker daemon in debug mode I saw this message:
DEBU Warning: could not change group /var/run/docker.sock to docker: Group docker not found
After a bit of poking around and verifying that the group did exist, I came across the code in unix_socket.go. To make a longish (lines 41-83) story short: docker relies on libcontainer for its user/group lookups, and libcontainer parses the /etc/group file directly, ignoring nsswitch.conf (and thus identity providers like LDAP).
If you use the numeric gid (docker daemon -G 555, for instance) then you get some strange messages in the log (example is from debug mode):
WARN Could not find GID 555
DEBU 555 group found. gid: 555
but the ownership of the docker Unix socket is set as expected.
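The following Go program is an added example written for this post; it is not docker's or libcontainer's code. It models the two lookup behaviours described above (a name that is only in LDAP failing, and a numeric gid being accepted with a warning) with a small flat-file parser over a constructed /etc/group sample, and contrasts it with os/user.LookupGroup, which goes through NSS when Go is built with cgo. The function names, the sample file contents, and the gid 555 are assumptions for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os/user"
	"strconv"
	"strings"
)

// Group is one record from an /etc/group-style file: name:password:gid:members.
type Group struct {
	Name    string
	Gid     int
	Members []string
}

// sampleGroupFile is a constructed local /etc/group. It deliberately has no
// "docker" line, because in the setup above that group exists only in LDAP.
const sampleGroupFile = `root:x:0:
adm:x:4:syslog,alice
users:x:100:
`

// ParseGroupFile parses group-file text the way a flat-file parser does: line
// by line, no nsswitch.conf, so a group that lives only in LDAP is invisible.
func ParseGroupFile(content string) ([]Group, error) {
	var groups []Group
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ":")
		if len(fields) < 4 {
			return nil, fmt.Errorf("malformed group line %q", line)
		}
		gid, err := strconv.Atoi(fields[2])
		if err != nil {
			return nil, fmt.Errorf("bad gid in %q: %v", line, err)
		}
		var members []string
		if fields[3] != "" {
			members = strings.Split(fields[3], ",")
		}
		groups = append(groups, Group{Name: fields[0], Gid: gid, Members: members})
	}
	return groups, sc.Err()
}

// LookupGID resolves a -G argument against the parsed file only. A name or a
// numeric string that matches a record wins. A purely numeric argument that
// matches nothing is still accepted, with a warning (the "Could not find GID"
// case in the log above). A non-numeric name that matches nothing is the
// "Group docker not found" failure.
func LookupGID(groups []Group, arg string) (gid int, warning string, err error) {
	for _, g := range groups {
		if g.Name == arg || strconv.Itoa(g.Gid) == arg {
			return g.Gid, "", nil
		}
	}
	if n, convErr := strconv.Atoi(arg); convErr == nil {
		return n, fmt.Sprintf("Could not find GID %d", n), nil
	}
	return -1, "", fmt.Errorf("Group %s not found", arg)
}

// NSSLookupGID is the contrast: os/user.LookupGroup goes through getgrnam(3),
// and therefore nsswitch.conf, when Go is built with cgo (the default on
// Linux), so an LDAP-only group resolves here. Built with CGO_ENABLED=0 or
// the osusergo tag, os/user reads /etc/group itself and behaves like LookupGID.
func NSSLookupGID(name string) (int, error) {
	g, err := user.LookupGroup(name)
	if err != nil {
		return -1, err
	}
	return strconv.Atoi(g.Gid)
}

func main() {
	groups, err := ParseGroupFile(sampleGroupFile)
	if err != nil {
		panic(err)
	}
	for _, arg := range []string{"docker", "555", "adm"} {
		gid, warn, err := LookupGID(groups, arg)
		fmt.Printf("-G %-6s file lookup: gid=%d warning=%q err=%v\n", arg, gid, warn, err)
	}
	// On the real host this shows whether the NSS path can see the LDAP group.
	if gid, err := NSSLookupGID("docker"); err == nil {
		fmt.Printf("NSS lookup of docker: gid=%d\n", gid)
	} else {
		fmt.Printf("NSS lookup of docker: %v\n", err)
	}
}
```

A quick check on a host that shows the same split: `getent group docker` consults nsswitch.conf and will return the LDAP group, while `grep '^docker:' /etc/group` returns nothing, which is exactly the difference between the two lookup paths above. One consequence of the file-only lookup is that the daemon only needs the group to be resolvable from /etc/group, so either the numeric gid on the command line or a local /etc/group entry carrying the same gid as the LDAP group satisfies it; the socket's group is then the gid that LDAP-sourced user sessions already carry.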