Docker – systemctl –user cannot start docker containers on Ubuntu 20.04

dockersystemctlsystemdubuntu-18.04ubuntu-20.04

I am in the process of migrating some services from Ubuntu 18.04 to 20.04. In 18.04 I run these services under a non-root user. All these services start a docker container, and they're working just fine. Under Ubuntu 20.04 these services no longer start.

To illustrate, here's a very simple ~/.config/systemd/user/hello-world.service that works fine on Ubuntu 18.04:

# -*-systemd-*-
[Unit]
Description=Hello world
After=network.service
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
TimeoutStartSec=0

ExecStartPre=/bin/echo user = $USER
ExecStartPre=/usr/bin/docker pull hello-world
ExecStart=/usr/bin/docker run \
  --name hello-world \
  --rm -a STDIN -a STDOUT -a STDERR \
  hello-world

ExecStop=/usr/bin/docker stop -t 2 %n

[Install]
WantedBy=default.target

I run the container in the shell directly as the non-root user and it runs fine, both on the 18.04 machine, as well as on the 20.04 machine:

/usr/bin/docker pull hello-world
/usr/bin/docker run \
  --name hello-world \
  --rm -a STDIN -a STDOUT -a STDERR \
  hello-world

For systemd I run the following:

systemctl --user enable hello-world.service
systemctl --user start hello-world.service

On Ubuntu 18.04 everything runs as expected when I investigate the out with journalctl -xe -f.

On Ubuntu 20.04 I get the dreaded:

Sep 15 14:56:26 m4 docker[107614]: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/images/create?fromImage=hello-world&tag=latest: dial unix /var/run/docker.sock: connect: permission denied

I checked the permissions, groups and everything seems to be correct. Again, if I run the docker directly in the command line while logged in as username, docker runs just fine.

root@m4:/etc/apt> ll /var/run/docker.sock 
srw-rw---- 1 root docker 0 Sep 15 14:08 /var/run/docker.sock=
root@m4:/etc/apt> grep docker /etc/group
docker:x:998:docker,username

The only thing that's different is that on 18.04 systemd is at version 237, while on 20.04 is at version 245.

Docker is the same on both machines:

Docker version 19.03.12, build 48a66213fe

Both versions of systemd show the user echoed in ExecStartPre as being my non-root user.

It looks like systemd 245 is starting the docker process under the wrong user and/or group. Any thoughts?

Update

As @larsks suggested, I replaced $USER with /usr/bin/id. Here's the output I received:

Sep 15 21:36:09 m4 id[122143]: uid=1001(username) gid=1001(username) groups=1001(username)
Sep 15 21:36:09 m4 docker[122144]: Using default tag: latest
Sep 15 21:36:09 m4 docker[122144]: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/images/create?fromImage=hello-world&tag=latest: dial unix /var/run/docker.sock: connect: permission denied

username is part of the docker group, as shown above.

Best Answer

Your systemd user unit doesn't specify a Group=, thus the user's default group is used. Since docker is not the default group, systemd doesn't start the process with this group.

Set Group=docker in the [Service] section of the unit.

Related Solutions

Cannot use `systemctl –user` due to “Failed to get D-bus connection: permission denied”

I've noticed the tableau server uses --user systemd services - they even have a note about this in their docs: https://help.tableau.com/current/server-linux/en-us/systemd_user_service_error.htm

The systemd user service is not used as commonly as the normal systemd process manager. Red Hat disabled the systemd user service in RHEL 7 (and thereby all distros that come from RHEL, like CentOS, Oracle Linux 7, Amazon Linux 2). However, RedHat has assured Tableau that running the systemd user service is supported as long as the service is re-enabled.

How they do it (example is with a userid 29575)

# cat /etc/systemd/system/user@29575.service
[Unit]
Description=User Manager for UID %i
After=systemd-user-sessions.service
# These are present in the RHEL8 version of this file except that the unit is Requires, not Wants.
# It's listed as Wants here so that if this file is used in a RHEL7 settings, it will not fail.
# If a user upgrades from RHEL7 to RHEL8, this unit file will continue to work until it's
# deleted the next time they upgrade Tableau Server itself.
After=user-runtime-dir@%i.service
Wants=user-runtime-dir@%i.service

[Service]
LimitNOFILE=infinity
LimitNPROC=infinity
User=%i
PAMName=systemd-user
Type=notify
# PermissionsStartOnly is deprecated and will be removed in future versions of systemd
# This is required for all systemd versions prior to version 231
PermissionsStartOnly=true
ExecStartPre=/bin/loginctl enable-linger %i
ExecStart=-/lib/systemd/systemd --user
Slice=user-%i.slice
KillMode=mixed
Delegate=yes
TasksMax=infinity
Restart=always
RestartSec=15

[Install]
WantedBy=default.target

After you create that file:

systemctl daemon-reload
systemctl enable user@29575.service
systemctl start user@29575.service

And you'll need to set XDG_RUNTIME_DIR in env of that user via bashrc or similar:

[ -z "${XDG_RUNTIME_DIR}" ] && export XDG_RUNTIME_DIR=/run/user/$(id -ru)

I've tested in on a recent RHEL 7.8 and it works as expected, I can run "systemctl --user status" as my user after doing this.

Docker – How to install docker-compose on Fedora CoreOS

Why don't you just install the docker-compose package directly? As the Fedora package maintainer for docker-compose I try to make sure this works for all Fedora users.

[core@localhost ~]$ sudo rpm-ostree install docker-compose
Checking out tree 318de83... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora updates-archive
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2020-08-25T19:05:18Z
rpm-md repo 'updates' (cached); generated: 2020-12-13T02:23:33Z
rpm-md repo 'fedora' (cached); generated: 2020-04-22T22:22:36Z
rpm-md repo 'updates-archive' (cached); generated: 2020-12-13T04:16:16Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 40 packages (15.8 MB)
Downloading from 'updates'... done
Downloading from 'fedora'... done
Importing packages... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Added:
  docker-compose-1.25.4-1.fc32.noarch
  gdbm-libs-1:1.18.1-3.fc32.x86_64
  libsodium-1.0.18-3.fc32.x86_64
  libxcrypt-compat-4.4.17-1.fc32.x86_64
  python-pip-wheel-19.3.1-4.fc32.noarch
  python-setuptools-wheel-41.6.0-2.fc32.noarch
  python-unversioned-command-3.8.6-1.fc32.noarch
  python3-3.8.6-1.fc32.x86_64
  python3-attrs-19.3.0-2.fc32.noarch
  python3-bcrypt-3.1.7-4.fc32.x86_64
  python3-cached_property-1.5.1-7.fc32.noarch
  python3-cffi-1.14.0-1.fc32.x86_64
  python3-chardet-3.0.4-15.fc32.noarch
  python3-cryptography-2.8-3.fc32.x86_64
  python3-docker-4.2.0-1.fc32.noarch
  python3-docker-pycreds-0.4.0-6.fc32.noarch
  python3-dockerpty-0.4.1-18.fc32.noarch
  python3-docopt-0.6.2-16.fc32.noarch
  python3-fluidity-sm-0.2.0-18.fc32.noarch
  python3-idna-2.8-6.fc32.noarch
  python3-invoke-1.4.1-1.fc32.noarch
  python3-jsonschema-3.2.0-2.fc32.noarch
  python3-lexicon-1.0.0-10.fc32.noarch
  python3-libs-3.8.6-1.fc32.x86_64
  python3-paramiko-2.7.1-2.fc32.noarch
  python3-pip-19.3.1-4.fc32.noarch
  python3-ply-3.11-7.fc32.noarch
  python3-pyOpenSSL-19.0.0-6.fc32.noarch
  python3-pyasn1-0.4.8-1.fc32.noarch
  python3-pycparser-2.19-2.fc32.noarch
  python3-pynacl-1.3.0-6.fc32.x86_64
  python3-pyrsistent-0.16.0-1.fc32.x86_64
  python3-pysocks-1.7.1-4.fc32.noarch
  python3-pyyaml-5.3.1-1.fc32.x86_64
  python3-requests-2.22.0-8.fc32.noarch
  python3-setuptools-41.6.0-2.fc32.noarch
  python3-six-1.14.0-2.fc32.noarch
  python3-texttable-1.6.2-5.fc32.noarch
  python3-urllib3-1.25.7-3.fc32.noarch
  python3-websocket-client-0.56.0-6.fc32.noarch
Run "systemctl reboot" to start a reboot

Remember that in order to use Docker (without sudo) your user must be in the docker group. By default the CoreOS core user is not in this group.

[core@localhost ~]$ sudo usermod -aG docker core

After you log out and log back in, confirm your user is in the docker group.

[core@localhost ~]$ id
uid=1000(core) gid=1000(core) groups=1000(core),4(adm),10(wheel),16(sudo),190(systemd-journal),978(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Now you can use docker-compose.

[core@localhost ~]$ cd composetest/
[core@localhost composetest]$ docker-compose up
Creating network "composetest_default" with the default driver
Building web
Step 1/10 : FROM python:3.7-alpine

...

web_1    |  * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)

Update

Best Answer

Related Solutions

Cannot use `systemctl –user` due to “Failed to get D-bus connection: permission denied”

Docker – How to install docker-compose on Fedora CoreOS

Related Topic