Docker pull permission denied

Glitch · August 9, 2023, 12:29am

Hi there, new to Torizon and Toradex. Got a question here that I am sure is operator error but I want to get confirmation. I have a brand new Verdin IMX8 plus setup with TorizonCore 6 on a Dahlia carrier board. I have Portainer up and running with evaluation containers and I can push and pull public docker images following the guides. I also have VSCode working with the docker extension and functions in there seem to work as well.

I can’t use the Toraxex extensions as I am on a Mac M1 arm machine and the extensions are x86. However, the Docker extension does work.

So, following one of the guides, I can create a docker image on my PC using the Torizon base image and adding the install of nano to the docker file as a test. The image gets created and I can push it to my docker hub account with no problems. My docker hub account is setup with private repositories and 2FA, so it requires I use a passkey token to login.

Now, when trying to pull this image from Docker Hub, I get a login error. So, following another guide, I performed the following:

sudo docker --config /etc/docker login

Which creates the config.json file and adds the credentials. This also works fine and reports successful login. Next, I do a docker pull and it fails with a permission error. It seems that when doing a sudo docker pull when logged into the board using the Toradex user, it fails. Other docker commands work just fine with sudo including docker run. I did notice that the config.json file is rw for root only.

So, the only way I can get the docker pull command to work is to first switch to root using sudo -I, then the pull works and the container gets created. I can then switch back to the toradex user the other commands work just find with sudo. I do however get the following warning when using some sudo docker <command> commands:

WARNING: Error loading config file: /etc/docker/config.json: open /etc/docker/config.json: permission denied

This does not happen with doing commands as the root user (i.e. not sudo). Is this by design? It’s not mentioned in any of the guides that to do a docker pull, one needs to actually be root rather than use sudo.

jeremias.tx · August 9, 2023, 5:09pm

Greetings @Glitch,

I was able to reproduce this myself, and my impression is that it’s unintended. We did in the past change the default docker config directory to /etc/docker. But it seems non-root users don’t have permissions to write/update the config at this location. I’ll go ahead and report this to our team.

For the time being you can try setting the config location to another file-path that the user has permissions for. Like /home/torizon for example.

Best Regards,
Jeremias

FatLinux · October 3, 2023, 10:36pm

Hi @Glitch

I just hit the same problem but with a Colibri-imx8x module that I updated to the latest 6.3 Torizon. My quick and dirty fix was just to force ownership and permissions back to “torizon”. All worked great in version 5.5, the only reason I am moving is because 5.15 has some drivers I need already loaded up.

Have you a better solution now, than just being heavy handed chown and chmod?

Cheers

Fatlinux

jeremias.tx · October 3, 2023, 11:33pm

Have you a better solution now, than just being heavy handed chown and chmod?

Another workaround that I’ve tried is using sudo on Docker commands that need to access /etc/docker. This allows the torizon user to access /etc/docker in the scope of a single command without needing to change the permissions of any files or directories.

So for example to login:

sudo docker --config /etc/docker login

Then to pull your image from your private registry:

sudo docker --config /etc/docker pull <your container image>

Best Regards,
Jeremias

Glitch · October 4, 2023, 3:52am

@jeremias.tx @FatLinux … Yes, I have been using sudo commands rather changing permissions. For my needs, sudo has worked.