Bad endpoint: stat /tmp/docker.sock: permission denied

[nicohvi]

docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock jwilder/nginx-proxy

yields the following error (from docker logs)

forego     | starting nginx.1 on port 5000
forego     | starting dockergen.1 on port 5100
dockergen.1 | 2014/10/03 20:34:10 Bad endpoint: stat /tmp/docker.sock: permission denied
forego     | starting dockergen.1 on port 5100
forego     | sending SIGTERM to dockerge

[jwilder]

Only thing I can think of is that the you don't have permission to read /var/run/docker.sock on your host so it may not be getting mounted into the container. Maybe try sudo docker run or check the perms on /var/run/docker.sock?

[rdavaillaud]

I have the same problem.

• host: Fedora 20
• docker : Docker version 1.2.0, build fa7b24f/1.2.0

I have found that when disabling SELinux, the problem is gone.
But I don't know how to keep SELinux enabled with this.

[jwilder]

Did any of the suggestions I mentioned earlier help? Another idea might be to try and mount docker.sock to a different location w/ something like:

docker run -d -p 80:80 -v /var/run/docker.sock:/var/run/docker.sock -e DOCKER_HOST=unix:///var/run/docker.sock jwilder/nginx-proxy

[rdavaillaud]

No, It doesn't.
I manage to go a little further, with chcon -Rt svirt_sandbox_file_t /var/run/docker.sockon the host, but only to go there:

forego     | starting nginx.1 on port 5000
forego     | starting dockergen.1 on port 5100
dockergen.1 | 2014/10/16 16:13:32 error listing containers: dial unix /var/run/docker.sock: permission denied
dockergen.1 | 2014/10/16 16:13:32 Watching docker events
dockergen.1 | 2014/10/16 16:13:32 cannot connect to docker: dial unix /var/run/docker.sock: permission denied
dockergen.1 | 2014/10/16 16:13:42 cannot connect to docker: dial unix /var/run/docker.sock: permission denied

The container is running (instead of stoping), but looping on the connection error.

After some research, I can say that this is with no doubt a SELinux problem, using setenforce 0 on the host and dockergen can connect.

forego     | starting nginx.1 on port 5000
forego     | starting dockergen.1 on port 5100
dockergen.1 | 2014/10/16 16:17:48 Generated '/etc/nginx/conf.d/default.conf' from 1 containers
dockergen.1 | 2014/10/16 16:17:48 Running 'nginx -s reload'
dockergen.1 | 2014/10/16 16:17:48 Watching docker events

Maybe a specific SELinux policy or a command may correct this, but I'm not a SELinux expert...

It's working, but we have to disable SELinux, which is not a good solution.

[jwilder]

Docker 1.3 now has a --security-opt flag for setting SELinux and AppArmore labels and policies. That might allow you work around this while keeping SELinux enabled. If you are able to get it working w/ that option, please let me know what worked so I can add it to the documentation.

[JeremyRand]

Was there any luck in solving this?

[ghost]

I found the option that works well on my environment: --security-opt=label:type:docker_t
Does it work for you?

[rdavaillaud]

@sigelinde Yes, it pass the step, now I've got another problem, but it's not the same!
Thank you

[gabeos]

I've gotten this to work by adding a module to the SELinux policy.

My current module is here:
https://gist.github.com/2205f8e36dfa3d2f5b63

compile and add to policy with:

# checkmodule -M -m -o docker_socketaccess.mod docker_socketaccess.te
# semodule_package -o docker_socketaccess.pp -m docker_socketaccess.mod
# semodule -i docker_socketaccess.pp 

Should work, but if not, you can check why by running:

# grep docker /var/log/audit/audit.log | audit2why

and you can generate a new module to insert that will allow the currently denied behavior with:

# grep docker /var/log/audit/audit.log | audit2allow -M <module_name>
# semodule -i <module_name>.pp

[Mr00Anderson]

I have also had this issue. After much searching I found out that my username space was enabled and preventing my container from having docker.sock access. --userns=host resolved my issue.

OS: Alpine

[akiross]

--security-opt=label:type:docker_t

This is working for me as well, thanks! (I am on a Fedora 29, freshly installed.) Maybe it could be documented somewhere?

[sasuw]

--security-opt=label:type:docker_t

This is working for me as well, thanks! (I am on a Fedora 29, freshly installed.) Maybe it could be documented somewhere?

Also fixes the issue on Fedora CoreOS 32.

[cuzzo333]

Hoping to get some support on this issue. In my environment we're looking to run nginx-proxy with a non-root user account. I've cloned the nginx-proxy repository so that I could modify the dockerfile formy purposes (creating a non root user, chown'ing necessary directories, etc.)

One area I am still stuck on is permissions to /tmp/docker.sock. I've attempted the various fixes already mentioned here but I believe my issue is slightly different in that I am attempting to run nginx-proxy with a non-root user.

Does anybody know if it's possible to modify permissions on /tmp/docker.sock for a non-root user? I've attempted a few other things such as mounting the volume during my docker run command as a non-root user but still can't find a way around this.

[tdworz]

Adding label:type:docker_t can also be done in a Compose file:

services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    security_opt:
      - label:type:docker_t
    . . .

That does the trick for me running official Docker on RHEL 9 derivatives.