Python docker-py 连接被拒绝

Question

I am having trouble accessing docker daemon from a client using docker-py in Python. I started a docker daemon by the command sudo docker -d & and the output was [1] 4894 . Then I tried to access the daemon from python using the code that I got from here as root

from docker import Client
cli = Client(base_url='unix://var/run/docker.sock')
cli.containers()

This gave me the error:

requests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))

I also tried

cli = Client(base_url='tcp://127.0.0.1:4894') 

but it gave me the same error.

Answer 1

This seems that the /var/run/docker.sock file has the incorrect permissions. As the docker daemon is started as root the permissions are probably to restrictive.

If you change the permissions to allow other users to access it you should have more success (eg o=rwx).

Answer 2

The issue is indeed that /var/run/docker.sock has the incorrect permissions. To fix it, you need to give the current user access to this file.

However, on Linux, giving o=rwx rights to /var/run/docker.sock is very dangerous as it allows any user and service on the system to run commands as root. Indeed access to /var/run/docker.sock implies full root access to the machine. See https://docs.docker.com/engine/security/#docker-daemon-attack-surface

A less dangerous approach consists in creating the group docker and adding the current user to this group. See https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

However, this approach is still potentially dangerous as it gives the current user full root access without the protections that sudo offers (ie, asking the user password from time to time and logging sudo calls.

See also What is the Docker security risk of /var/run/docker.sock?

(I unfortunately cannot comment hence I write my comment as an answer.)