[Docker runner] permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock

Summary

When setting up a GitLab Runner via Docker and mounting the Docker socket of the host system, the gitlab-runner inside the container fails to connect to the mounted socket because of a permission issue.

Steps to reproduce

docker-compose.yml:

version: '3.4'

services:
  runner:
    container_name: runner-pa
    image: gitlab/gitlab-runner:ubuntu
    volumes:
      - ./config.toml:/etc/gitlab-runner/config.toml
      - /var/run/docker.sock:/var/run/docker.sock

config.toml:

concurrent = 1
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "docker-runner"
  url = "https://gitlab.com"
  token = "******************"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]

Actual behavior

Console output:

$ docker-compose up        
Starting runner-pa ... done
Attaching to runner-pa
runner-pa | Runtime platform                                    arch=amd64 os=linux pid=6 revision=a987417a version=12.2.0
runner-pa | Starting multi-runner from /etc/gitlab-runner/config.toml ...  builds=0
runner-pa | Running in system-mode.                            
runner-pa |                                                    
runner-pa | Configuration loaded                                builds=0
runner-pa | Locking configuration file                          builds=0 file=/etc/gitlab-runner/config.toml pid=6
runner-pa | listen_address not defined, metrics & debug endpoints disabled  builds=0
runner-pa | [session_server].listen_address not defined, session endpoints disabled  builds=0

runner-pa | Checking for jobs... received                       job=281092443 repo_url=https://***repo-url*** runner=5mFAgQQA
runner-pa | WARNING: Preparation failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  job=281092443 project=14008423 runner=5mFAgQQA
runner-pa | Will be retried in 3s ...                           job=281092443 project=14008423 runner=5mFAgQQA
runner-pa | WARNING: Preparation failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  job=281092443 project=14008423 runner=5mFAgQQA
runner-pa | Will be retried in 3s ...                           job=281092443 project=14008423 runner=5mFAgQQA
runner-pa | WARNING: Preparation failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  job=281092443 project=14008423 runner=5mFAgQQA
runner-pa | Will be retried in 3s ...                           job=281092443 project=14008423 runner=5mFAgQQA
runner-pa | ERROR: Job failed (system failure): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  duration=9.003770316s job=281092443 project=14008423 runner=5mFAgQQA
runner-pa | ERROR: Failed to process runner                     builds=0 error=Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s) executor=docker runner=5mFAgQQA
runner-pa | Checking for jobs... received                       job=281092446 repo_url=https://***repo-url*** runner=5mFAgQQA
runner-pa | WARNING: Preparation failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  job=281092446 project=14008423 runner=5mFAgQQA
runner-pa | Will be retried in 3s ...                           job=281092446 project=14008423 runner=5mFAgQQA
runner-pa | WARNING: Preparation failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  job=281092446 project=14008423 runner=5mFAgQQA
runner-pa | Will be retried in 3s ...                           job=281092446 project=14008423 runner=5mFAgQQA
runner-pa | WARNING: Preparation failed: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  job=281092446 project=14008423 runner=5mFAgQQA
runner-pa | Will be retried in 3s ...                           job=281092446 project=14008423 runner=5mFAgQQA
runner-pa | ERROR: Job failed (system failure): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s)  duration=9.002893967s job=281092446 project=14008423 runner=5mFAgQQA
runner-pa | ERROR: Failed to process runner                     builds=0 error=Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/info: dial unix /var/run/docker.sock: connect: permission denied (executor_docker.go:983:0s) executor=docker runner=5mFAgQQA

Expected behavior

gitlab-runner succeeds in connecting to the Docker socket and runs the pipeline.

Relevant logs and/or screenshots

See above

Environment description

Host is an Ubuntu machine:

$ uname -a
Linux cxt 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

Used GitLab Runner version

root@c7439e47b361:/# gitlab-runner --version
Version:      12.2.0
Git revision: a987417a
Git branch:   12-2-stable
GO version:   go1.8.7
Built:        2019-08-22T13:06:00+0000
OS/Arch:      linux/amd64

Possible fixes
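
A diagnostic for the failure reported above, added here as an example and not part of the original issue: it compares the UID and GIDs of the process in the runner container with the owner, group and mode of the mounted socket, because Linux requires write permission on a pathname socket to connect to it. The function names `socket_verdict` and `check_socket` are chosen for this example, and GNU `stat` and `id` are assumed to be present in the image.

```shell
#!/bin/sh
# Added diagnostic, not part of the original issue. Run it inside the runner
# container, e.g. through `docker exec runner-pa sh` (container name taken
# from the compose file above).

# socket_verdict UID "GID LIST" SOCK_UID SOCK_GID SOCK_MODE
# Applies the POSIX class rule (owner, else group, else other) and tests the
# write bit of that class. Prints "<class> allow|deny"; returns 0 on allow.
socket_verdict() {
    uid=$1 gids=$2 s_uid=$3 s_gid=$4
    mode=$(( 0$5 ))                 # parse the octal mode string from stat
    if [ "$uid" -eq 0 ]; then
        # root passes the mode-bit check while CAP_DAC_OVERRIDE is retained
        echo "root allow"; return 0
    fi
    class=other bit=$(( $mode & 0002 ))
    for g in $gids; do
        if [ "$g" -eq "$s_gid" ]; then class=group bit=$(( $mode & 0020 )); fi
    done
    # The owner class takes precedence over group, even when it grants less.
    if [ "$uid" -eq "$s_uid" ]; then class=owner bit=$(( $mode & 0200 )); fi
    if [ "$bit" -ne 0 ]; then echo "$class allow"; return 0; fi
    echo "$class deny"; return 1
}

# check_socket [PATH]: read the real values with GNU stat and id.
check_socket() {
    sock=${1:-/var/run/docker.sock}
    [ -S "$sock" ] || { echo "$sock: not a socket or not mounted"; return 2; }
    # Numeric IDs matter: names for the same GID can differ between host
    # and container.
    set -- $(stat -c '%u %g %a' "$sock")
    echo "socket uid=$1 gid=$2 mode=$3; process uid=$(id -u) gids=$(id -G)"
    socket_verdict "$(id -u)" "$(id -G)" "$1" "$2" "$3"
}

check_socket "$@" || true
```

A `deny` verdict means the mode bits explain the error; an `allow` verdict alongside the same error means the denial comes from something other than file permissions. Granting the runner's user the socket's numeric GID is narrower than loosening the socket mode, and in either case access to `docker.sock` is equivalent to root on the host.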