Introduction
When working with Cloud9 IDE on an AWS EC2 instance, you might encounter a permission denied error (dial unix /var/run/docker.sock: connect: permission denied) while trying to access the Docker daemon socket. This blog post provides a solution that resolves the issue without restarting services or altering group memberships.
Problem
When I tried to run a Lambda function in Cloud9 IDE with SAM, the error appeared like this:
2023-11-16 15:36:51 [INFO]: Starting Build inside a container
2023-11-16 15:36:51 [INFO]: Building codeuri: /home/ec2-user/test-aws-config runtime: python3.10 metadata: {} architecture: x86_64 functions: testawsconfig
2023-11-16 15:36:51 [INFO]:
Build Failed
2023-11-16 15:36:51 [INFO]: Error: Docker is unreachable. Docker needs to be running to build inside a container.
2023-11-16 15:39:39 [INFO]: Preparing to debug locally: Lambda "lambda_function.lambda_handler"
2023-11-16 15:39:39 [INFO]: Building SAM application...
2023-11-16 15:39:41 [INFO]: Command: (not started) [/usr/local/bin/sam build --build-dir /tmp/aws-toolkit-vscode/vsctkEEjHOc/output --template /tmp/aws-toolkit-vscode/vsctkEEjHOc/app___vsctk___template.yaml --base-dir /home/ec2-user/test-aws-config --use-container --manifest /tmp/aws-toolkit-vscode/vsctkEEjHOc/debug-requirements.txt]
2023-11-16 15:39:45 [INFO]: Starting Build inside a container
2023-11-16 15:39:45 [INFO]: Building codeuri: /home/ec2-user/test-aws-config runtime: python3.10 metadata: {} architecture: x86_64 functions: testawsconfig
2023-11-16 15:39:45 [INFO]:
Build Failed
2023-11-16 15:39:46 [INFO]: Error: Docker is unreachable. Docker needs to be running to build inside a container.
Also, when I ran docker ps in the terminal, this error occurred:
dial unix /var/run/docker.sock: connect: permission denied
This indicates that the Cloud9 IDE user does not have the necessary permissions to access the Docker socket.
Solution: Using setfacl
The setfacl command can be used to modify the access control list of the Docker socket, granting specific permissions to a user. This method is secure and doesn't require a system restart.
Step 1: Apply the setfacl Command
Run the following command in your terminal:
sudo setfacl --modify user:ec2-user:rw /var/run/docker.sock
This command grants the ec2-user read and write access to the Docker socket.
Step 2: Test the Configuration
After applying the command, test it by running a Docker command, such as:
docker ps
If the command executes successfully without permission errors, the issue is resolved.
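The two steps above as one script, written as an added example rather than code from the original post: it reads the socket's current ACL with getfacl, applies the post's setfacl command only when the user does not already have read and write access, then verifies the ACL entry and runs docker ps. The ACL parsing is a separate function fed with constructed getfacl output, so it can be checked without a live socket; the DOCKER_SOCK override and the sample ACL texts are assumptions of this example. Two points worth keeping in mind when applying it: whoever can read and write the Docker socket can drive the daemon, which on a default install gives root-equivalent control of the host, so grant the entry only to the one account that needs it; and the ACL lives on the socket file itself, so it is gone once the socket is recreated (for example after the Docker daemon restarts) and has to be applied again.

```shell
#!/bin/sh
# Added example (not from the original post). Grants a user rw on the Docker
# socket via an ACL entry, but only if it is missing, then verifies the result.
# Assumes the acl package (setfacl/getfacl), sudo, and the docker CLI.

SOCK=${DOCKER_SOCK:-/var/run/docker.sock}   # assumed override, default matches the post

# acl_grants_rw ACL_TEXT USER
# Parses getfacl(1) output in ACL_TEXT; returns 0 if USER has a named entry
# whose (effective) permissions start with "rw", 1 otherwise. When a mask
# limits the entry, getfacl appends "#effective:xxx" and that value is used.
acl_grants_rw() {
  printf '%s\n' "$1" | awk -F':' -v u="$2" '
    $1 == "user" && $2 == u {
      perms = $3
      if ($3 ~ /#effective$/) perms = $4   # mask-limited entry: use effective perms
      if (perms ~ /^rw/) found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# grant_socket_rw USER: Step 1 (setfacl) guarded by a check, then Step 2 (docker ps).
grant_socket_rw() {
  user=$1
  if acl_grants_rw "$(getfacl -p "$SOCK")" "$user"; then
    echo "$user already has rw on $SOCK, nothing to change"
  else
    # Same command as the post; rw on the socket is root-equivalent, so keep
    # this to the single account that must talk to the daemon.
    sudo setfacl --modify "user:$user:rw" "$SOCK"
  fi
  # Verify the entry is really present and effective before trusting it.
  acl_grants_rw "$(getfacl -p "$SOCK")" "$user" || {
    echo "ACL entry for $user not effective on $SOCK" >&2
    return 1
  }
  # Note: this entry does not survive the socket being recreated (daemon restart).
  docker ps >/dev/null && echo "docker socket reachable as $user"
}

# Constructed getfacl samples used to exercise the parser offline.
SAMPLE_ACL_BEFORE='# file: /var/run/docker.sock
# owner: root
# group: docker
user::rw-
group::rw-
other::---'

SAMPLE_ACL_AFTER='# file: /var/run/docker.sock
# owner: root
# group: docker
user::rw-
user:ec2-user:rw-
group::rw-
mask::rw-
other::---'

# Entry exists but a restrictive mask drops it to read-only (effective r--).
SAMPLE_ACL_MASKED='# file: /var/run/docker.sock
# owner: root
# group: docker
user::rw-
user:ec2-user:rw-		#effective:r--
group::rw-
mask::r--
other::---'

# Usage: sh docker-sock-acl.sh ec2-user
if [ -n "${1:-}" ]; then
  grant_socket_rw "$1"
fi
```

The masked sample is the case a plain "grep for the user name" would get wrong: the entry is present but the mask makes it read-only, so docker ps would still fail; checking the effective permission catches that.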
Conclusion
Using setfacl to adjust file permissions is an efficient and secure way to resolve Docker permission issues on AWS EC2 instances. This approach is especially useful because it avoids altering group memberships or user ownerships and doesn't require a system restart.