Imx8x Torizon 5.7.2 to 6.3 Upgrade Journey - permissions on /etc/docker wrong on update

Hi,
This is a brief note to report that after you follow the process of updating imx8x modules from 5.7.2, there seem to be some missing files and ownership/permission issues with /etc/docker.

Step 1. With docker desktop etc up and running, grab a container from my repo

torizon@colibri-imx8x-00000000:~$ docker pull XXXX/XXXXXXX
Using default tag: latest
Error response from daemon: pull access denied for XXXX/XXXXXXX, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

torizon@colibri-imx8x-00000000:~$ docker login

Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.

So try to login…

Username: username
Password: Password1

WARNING! Your password will be stored unencrypted in /etc/docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Error saving credentials: open /etc/docker/config.json3002734377: permission denied

Step 2. Roll up sleeves. Change the permissions

Change the owner to “torizon” and set a relaxed set of permissions - 775

torizon@colibri-imx8x-00000000:~$ sudo chmod 775 --recursive  /etc/docker/*.*
torizon@colibri-imx8x-00000000:~$ sudo chown torizon --recursive /etc/docker/*.*

Try to log in again

torizon@colibri-imx8x-00000000:~$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: username
Password: Password1

WARNING! Your password will be stored unencrypted in /etc/docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

So far so good. Let's try to get the container

torizon@colibri-imx8x-00000000:~$ docker pull XXXX/XXXXXXX
Using default tag: latest
latest: Pulling from XXXX/XXXXXXX
5b1423465504: Downloading [=>                                                 ]  612.7kB/30.06MB
f9b97b892212: Downloading [===>                                               ]  119.4kB/1.908MB
5b7508c68219: Download complete

Success. Docker-compose up and away !!!

Questions:

This is clearly different to a new module out of the box. Looking around the notes on the Torizon website, this behaviour is different from before the update. Is it meant to be different?

So is it possible to either update the upgrade path notes, or could this be fixed to make things behave as before as part of the update?

I set my permissions at quite an easily hacked 775. What permission should /etc/docker be?

Hope this is helpful, and I will wait before doing a bigger batch of these modules to see what the Toradex team think is best.

I have been capturing the changes using “torizoncore-builder isolate”. It's a great tool and will save me a lot of work with all the updates I have to do!

Yours truly

Richard

Greetings @FatLinux,

2 things. First of all this is a known issue that has already been reported here: Docker pull permission denied

Second, this has nothing to do with updating from 5.7.2 to 6.3.0. This issue still occurs on a freshly installed 5.7.2 image, as seen here:

torizon@colibri-imx8x-06750825:~$ cat /etc/issue
TorizonCore 5.7.2+build.20 \n \l

torizon@colibri-imx8x-06750825:~$ docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: XXXXXXXXXX
Password:
WARNING! Your password will be stored unencrypted in /etc/docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Error saving credentials: open /etc/docker/config.json418539238: permission denied

The issue is that we sought to use a common location for the docker config file so that every user and systemd service would use the same config file. However, when we made this change we failed to realize that some users like the torizon user obviously do not have permissions to access the config file location in /etc/docker/*.

For the time being you can use a different location for the config file for the torizon user. Though systemd services and such would still use the location in /etc/docker/*.

Best Regards,
Jeremias
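
An added example, not part of the post above or of Toradex's code: one way to apply the "different location" workaround without loosening /etc/docker. It assumes a per-user directory such as $HOME/.docker (a hypothetical choice) selected through the Docker CLI's DOCKER_CONFIG variable, and keeps it owner-only because config.json stores the login unencrypted; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumed usage in the torizon user's shell profile:
#   setup_user_docker_config "$HOME/.docker" && export DOCKER_CONFIG="$HOME/.docker"
# DOCKER_CONFIG is the Docker CLI's variable for its client config directory.

# Print the octal mode of a path (GNU/busybox stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create, or tighten, a private Docker config directory for the current user.
# $1: directory to use (hypothetical location, not taken from the thread)
setup_user_docker_config() {
    dir=$1
    ( umask 077 && mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1
    # config.json holds the stored login once `docker login` has run
    if [ -f "$dir/config.json" ]; then
        chmod 600 "$dir/config.json" || return 1
    fi
    return 0
}

# Return 0 when only the owner can access the directory and its config.json,
# 1 when group or other has any permission bit set (as with mode 775).
audit_docker_config() {
    dir=$1
    rc=0
    for p in "$dir" "$dir/config.json"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        case $m in
            *00|0) ;;   # group and other digits are both 0
            *) echo "WARN: $p is mode $m; group/other can access it" >&2
               rc=1 ;;
        esac
    done
    return $rc
}
```
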

Hi @jeremias.tx

Thanks for getting back so quick. Ah. I didn’t check 5.7.2. My bad :unamused: I went from 5.5 to 5.7.2 JUST to be able to use the bootloader update.

So to confirm:

  • It is a bad idea to set the /etc/docker/* to the ownership of user:torizon and set the permissions so user torizon can load up his container.
  • It is preferable to move the location for the docker config file

Thank you for your help with this !

Regards

Richard

The issue itself is still an open topic and we haven’t really decided on how we will handle it in TorizonCore yet. For your case however you’re welcome to do whatever works for your use-case.

Keep in mind this is only an issue when trying to use docker login as the torizon user. When your system is actually in production it’s not going to be the torizon user that does such operations. For example when doing updates via our platform then that will be fine as is, since the update process is done as the root user which has access to /etc/docker.

This issue will mostly affect you when you’re still in development since that’s when you’ll be executing commands as the torizon user in the terminal. In which case you only really need a “temporary” solution to use while in development. In production as I said you probably wouldn’t need to change anything.

Best Regards,
Jeremias

Hello @FatLinux ,
Did the info provided by @jeremias.tx solve your issue?
If so, could you please mark his answer as the solution?

Best regards,
Josep