I am running docker compose in Bitbucket Pipelines. In the compose file I have Traefik set up like this:
traefik:
  image: traefik:v2.11
  container_name: traefik
  command:
    - "--log.level=DEBUG"
    - "--api.insecure=true"
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entryPoints.web.address=:80"
  ports:
    - "80:80"
    - "8080:8080"
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro"
It works locally on my computer; however, I get the following error when running it in Bitbucket Pipelines:
level=error msg="Failed to retrieve information of the docker client and server host: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
level=error msg="Provider connection error permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version\": dial unix /var/run/docker.sock: connect: permission denied, retrying in 556.184722ms" providerName=docker
How can I access the docker.sock?
Hello @Dani Asztalos,
Thank you for reaching out to Community!
Bitbucket Pipelines gives your build access to a Docker daemon when you define a docker service in the step:
- step:
    script:
      - docker version
    services:
      - docker
However, this daemon is not accessed using the default UNIX socket under /var/run/docker.sock.
Instead, the Pipelines docker daemon is configured to listen to client connections over a TCP socket on localhost and port 2375: tcp://localhost:2375
This can be confirmed by printing the $DOCKER_HOST variable as part of your build:
$ echo $DOCKER_HOST
tcp://localhost:2375
Now talking specifically about your use-case, you want to have access to the daemon in a docker in docker (dind) environment (you're inside the build container, and spinning up a traefik container from which you want access to the daemon).
In that scenario, Pipelines exposes the variable BITBUCKET_DOCKER_HOST_INTERNAL so you can access the daemon from a dind container. This variable maps to the private IP address of the docker daemon.
Following is an example docker run command using that variable to access the daemon from inside a container:
- step:
    name: Access daemon from inside container
    script:
      - docker info
      - echo $DOCKER_HOST
      - echo $BITBUCKET_DOCKER_HOST_INTERNAL
      - docker run --env=DOCKER_HOST="tcp://host.docker.internal:2375" --add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" --entrypoint=/usr/local/bin/docker docker info
    services:
      - docker
Where the arguments of docker run are :
Since your build is spinning up the container using composer, you can use the above example as a reference for the necessary mappings/variables and then adapt it to your composer YAML setup.
I hope that information helps! Should you have any questions, feel free to ask.
Thank you, @Dani Asztalos !
Patrik S
Thank you @Patrik S, with your help I was able to pass docker as a tcp url to Traefik.
See the highlighted lines in the compose.yaml below.
traefik:
  image: traefik:v2.11
  container_name: traefik
  command:
    - "--log.level=DEBUG"
    - "--api.insecure=true"
    - "--providers.docker=true"
    - "--providers.docker.endpoint=tcp://host.docker.internal:2375" # <-----
    - "--providers.docker.exposedbydefault=false"
    - "--entryPoints.web.address=:80"
  ports:
    - "80:80"
    - "8080:8080"
  extra_hosts:
    - "host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" # <-----
Hey @Dani Asztalos,
You're very welcome!
Happy to hear that using the docker TCP socket did the trick :)
Feel free to reach out to the community if you ever need help.
Patrik S
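The compose file in the accepted reply points Traefik at the Pipelines TCP endpoint and relies on BITBUCKET_DOCKER_HOST_INTERNAL, which Pipelines provides. As an added example (not code from this thread or from Atlassian), the shell helper below picks the endpoint and writes a compose override for either environment, validating the address before it lands in extra_hosts; the function names, the TRAEFIK_DOCKER_ENDPOINT variable, the override layout and the IPv4 assumption are all hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the base compose file passes
# "--providers.docker.endpoint=${TRAEFIK_DOCKER_ENDPOINT}" (hypothetical
# variable), declares neither the socket volume nor extra_hosts itself, and
# BITBUCKET_DOCKER_HOST_INTERNAL is set only inside Pipelines (IPv4 assumed).

# Succeed only if $1 is a dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1 count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
    done
    [ "$count" -eq 4 ]
}

# Print the endpoint Traefik's Docker provider should use in this environment.
docker_endpoint() {
    if [ -n "${BITBUCKET_DOCKER_HOST_INTERNAL:-}" ]; then
        echo "tcp://host.docker.internal:2375"
    else
        echo "unix:///var/run/docker.sock"
    fi
}

# Write a compose override for the traefik service to the file named in $1.
# Pipelines: map host.docker.internal to the daemon IP. Local: mount the socket.
write_override() {
    if [ -n "${BITBUCKET_DOCKER_HOST_INTERNAL:-}" ]; then
        if ! is_ipv4 "$BITBUCKET_DOCKER_HOST_INTERNAL"; then
            echo "BITBUCKET_DOCKER_HOST_INTERNAL is not an IPv4 address" >&2
            return 1
        fi
        mapping="extra_hosts:
      - \"host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL\""
    else
        mapping="volumes:
      - \"/var/run/docker.sock:/var/run/docker.sock:ro\""
    fi
    printf 'services:\n  traefik:\n    %s\n' "$mapping" > "$1"
}
```

In the build script, export TRAEFIK_DOCKER_ENDPOINT="$(docker_endpoint)" and call write_override compose.override.yaml before docker compose up; Compose merges compose.override.yaml over compose.yaml by default.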