ShinyProxy and Docker rootless

Hello !

I have successfully installed ShinyProxy and deployed apps (such as https://github.com/openanalytics/shinyproxy-template) and other apps with Docker.

Now I would like to use Docker in rootless mode (https://docs.docker.com/engine/security/rootless/)

ShinyProxy starts successfully! I am able to log in as a user, but neither of the apps will run. I have this error message :

2021-09-30 13:49:53.083 INFO 1 — [sync-executor-0] o.apache.http.impl.execchain.RetryExec : I/O exception (java.io.IOException) caught when processing request to {}->unix://localhost:80: Permission denied
2021-09-30 13:49:53.083 INFO 1 — [sync-executor-0] o.apache.http.impl.execchain.RetryExec : Retrying request to {}->unix://localhost:80
2021-09-30 13:49:53.115 ERROR 1 — [ XNIO-1 task-3] io.undertow.request : UT005023: Exception handling request to /app/02_euler

It seems the problem is coming from docker.socket but I don’t know how to launch container or configure Dockerfile in order to run correctly apps…

stephane@vm-shiny-test:~/shinyproxy-template$ DOCKER_HOST=unix:///var/run/docker.sock docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get “http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json”: dial unix /var/run/docker.sock: connect: permission denied

stephane@vm-shiny-test:~/shinyproxy-template$ echo $XDG_RUNTIME_DIR
/run/user/1000

stephane@vm-shiny-test:~/shinyproxy-template$ DOCKER_HOST=unix:///$XDG_RUNTIME_DIR/docker.sock docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8c75fde3ad75 mon_shinyproxy “java -noverify -jar…” 22 hours ago Up 22 hours 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp vigorous_galileo

Here is how I’m trying to run container :

stephane@vm-shiny-test:~/ShinyProxy-docker/ShinyProxy-config-examples/02-containerized-docker-engine$ docker run -d -v $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock --net sp-example-net -p 8080:8080 --restart always mon_shinyproxy

Maybe I have to modify the Dockerfile of the apps ?

Thanks for your help !

stephane

Hi

ShinyProxy is running under a non-root user, therefore it doesn’t have access to the socket mounted in the container. In order to give it access, you can use the --group-add parameter to the docker run command. You’ll have to provide the id of the group that owns the docker socket.

Hi all,

Thank you for the proposed solution Tobia. This did not work for me, unfortunately, and I still receive the error message described above.

Possible problem:
The rootless docker group on our server is 1000. However, 1000 is also the group of the shinyproxy user in the openanalytics/shinyproxy Docker image. Could this cause any problems?

Potential solution:
I can see that the permissions to the docker.sock are set to root within the containter. Do you think the problem would be solved if I create a docker image with root user instead of using the openanalytics/shinyproxy with the non-root user?

Best,
Robert

I can confirm that this worked. I created a new Dockerfile in which shinyproxy runs as root. Now the docker.sock can be used.

FROM openjdk:11
LABEL product=shinyproxy
COPY application.yml /opt/shinyproxy/application.yml
COPY shinyproxy-2.6.0.jar /opt/shinyproxy/shinyproxy-2.6.0.jar
RUN chmod +x /opt/shinyproxy/shinyproxy-2.6.0.jar
WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "shinyproxy-2.6.0.jar"]
1 Like