connecting to docker socket inside container with different user than root is broken after updating to 4.27

[vbode]

Description

After updating Docker Desktop on Windows to v4.27 when trying to connect to a bind-mounted tcp unix socket inside a container that runs as unprivileged (non-root user) process. Connecting to the socket as root user inside the container still works but it apparently broke due to the update because it worked also with the unprivileged user before the update.
This is exactly the same as in:
#13447

Reproduce

Steps to reproduce the behavior

• Update to Docker Desktop 4.27 on Windows
• run via command prompt:

docker info works with root user
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli docker info

Output

`Client:
Version: 25.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.12.1
Path: /usr/local/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.24.4
Path: /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 2
Running: 2
Paused: 0
Stopped: 0
Images: 6
Server Version: 25.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: a1496014c916f9e62104b33d1bb5bd03b0858e59
runc version: v1.1.11-0-g4bccb38
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
Kernel Version: 5.15.133.1-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 15.62GiB
Name: docker-desktop
ID: f54add01-39db-4944-a6af-d411143674ca
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile`

docker info does not work with different user even though it has read access to the socket
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli sh -c "apk add shadow sudo && ls -l /var/run/docker.sock && adduser -D -S www-data -G www-data && sudo -u www-data docker info"

Output

`fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/7) Installing libmd (1.1.0-r0)
(2/7) Installing libbsd (0.11.7-r3)
(3/7) Installing skalibs (2.14.0.1-r0)
(4/7) Installing utmps-libs (0.1.2.2-r0)
(5/7) Installing linux-pam (1.5.3-r7)
(6/7) Installing shadow (4.14.2-r0)
(7/7) Installing sudo (1.9.15_p2-r0)
Executing busybox-1.36.1-r15.trigger
OK: 17 MiB in 29 packages
srwxr-xr-x 1 root root 0 Feb 1 11:17 /var/run/docker.sock
Client:
Version: 25.0.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.12.1
Path: /usr/local/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.24.4
Path: /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
ERROR: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": dial unix /var/run/docker.sock: connect: permission denied
errors pretty printing info`

Expected behavior

It should be possible to connect to the socket even as non-root user if read permissions are set correct.

docker version

Client:
 Cloud integration: v1.0.35+desktop.10
 Version:           25.0.1
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        29cf629
 Built:             Tue Jan 23 23:10:35 2024
 OS/Arch:           windows/amd64
 Context:           default

Server: Docker Desktop 4.27.0 (135262)
 Engine:
  Version:          25.0.1
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       71fa3ab
  Built:            Tue Jan 23 23:09:46 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.27
  GitCommit:        a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc:
  Version:          1.1.11
  GitCommit:        v1.1.11-0-g4bccb38
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    25.0.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.1-desktop.4
    Path:     C:\Program Files\Docker\cli-plugins\docker-buildx.exe
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.3-desktop.1
    Path:     C:\Program Files\Docker\cli-plugins\docker-compose.exe
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.22
    Path:     C:\Program Files\Docker\cli-plugins\docker-debug.exe
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-dev.exe
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.21
    Path:     C:\Program Files\Docker\cli-plugins\docker-extension.exe
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     C:\Program Files\Docker\cli-plugins\docker-feedback.exe
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.0.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-init.exe
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-sbom.exe
  scout: Docker Scout (Docker Inc.)
    Version:  v1.3.0
    Path:     C:\Program Files\Docker\cli-plugins\docker-scout.exe

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 6
 Server Version: 25.0.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc version: v1.1.11-0-g4bccb38
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 5.15.133.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 15.62GiB
 Name: docker-desktop
 ID: f54add01-39db-4944-a6af-d411143674ca
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile

Diagnostics ID

Additional Info

This is the same as in, but now back in 4.27.0
#13447

[sdm1810]

I am impacted by the same issue, it's preventing my nextcloud master container from starting after the update. Running windows 11, wsl2, docker desktop 4.27.1 and nextcloud aio 27

Edit: restored my weekly system image, and my nightly nextcloud backup, working again but only because docker desktop is back to 4.26.1. nextcloud was actually v28, not v27.

[jtabox]

Same issue here, upgrading to version 4.27.1 was a catastrophe, I'm having multiple issues. It seems to have messed my WSL environment too. Same versions as the post above me.

[DanielSadeh]

Same issue.
Cannot connect to the docker socket. Cannot proceed.
Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket.

The drive has full permissions.

[ctalledo]

Hi @vbode, thanks for reporting the issue.

Connecting to the socket as root user inside the container still works but it apparently broke due to the update because it worked also with the unprivileged user before the update

Looks like the Docker socket permission changed slightly in DD 4.27.1:

• DD 4.26.1:

srwxrw----    1 root     root             0 Feb  7 01:02 /var/run/docker.sock

• DD 4.27.1:

srwxr-xr-x    1 root     root             0 Feb  6 16:39 /var/run/docker.sock

Write access is needed to use that socket. In 4.27.1 only the root user can write to it (likely a bug), whereas in 4.26.1 both the root user or any member of group root can write to the socket. I'll investigate to see where the mistake was introduced.

Note that if it was working before, the unprivileged user accessing that socket must have been a member of group root.

Thanks!

[djs55]

@vbode @DanielSadeh (and others affected): could you check if adding group write permission (but leaving the socket in group root) is enough to fix your problem? You can change the permissions with a command like

> docker run --privileged -v /run/host-services:/run/host-services -it alpine
/ # chmod 660 /run/host-services/docker.proxy.sock

If I change permissions to 760 (same as 4.26.1) then the example given in the issue description still fails because www-data is not in group root.

If I change permissions to 666 then the example works.

[DanielSadeh]

I tried and got the following

[DanielSadeh]

and tried with 666 but am getting permission denied
C:\Users\danie>docker run --privileged -v /run/host-services:/run/host-services -it alpine
/ # chmod 666 /run/host-services/docker.proxy.sock
/ # / # chmod 666 /run/host-services/docker.proxy.sock
/bin/sh: /: Permission denied
/ #

[DanielSadeh]

Another update.
I checked Docker status and it shows that everything is ok. However still getting the errors mentioned above

Docker Systems Status Page
All Systems OperationalUpdated a few seconds ago
The official status page for services offered by Docker.
Docker Hub Registry

Operational
Docker Authentication

Operational
Docker Hub Web Services

Operational
Docker Desktop

Operational
Docker Billing

Operational
Docker Package Repositories

Operational
Docker Hub Automated Builds

Operational
Docker Hub Security Scanning

Operational
Docker Docs

Operational
Docker Community Forums

Operational
Docker Support

Operational
Docker.com Website

Operational
Docker Scout

Operational
Docker Build Cloud

Operational
Metrics

[ctalledo]

Hi folks, thanks again for reporting the issue in DD 4.27.1 and apologies for the inconvenience.

We found the bug; the upcoming DD 4.27.2 patch release will fix the Docker socket permissions, similar to how they were in DD 4.26.1.

Note however that just as in DD 4.26.1, the container process must either have user-ID root or group-ID root to access the Docker engine socket (or have CAP_DAC_OVERRIDE capability).

[MihaelaStoica]

Docker Desktop 4.27.2 has been released and includes the fix mentioned by @ctalledo (see release notes).