ShinyProxy and Docker rootless

esteban62 · October 1, 2021, 12:49pm

Hello !

I have successfully installed ShinyProxy and deployed apps (such as https://github.com/openanalytics/shinyproxy-template) and other apps with Docker.

Now I would like to use Docker in rootless mode (https://docs.docker.com/engine/security/rootless/)

ShinyProxy starts successfully! I am able to log in as a user, but neither of the apps will run. I have this error message :

2021-09-30 13:49:53.083 INFO 1 — [sync-executor-0] o.apache.http.impl.execchain.RetryExec : I/O exception (java.io.IOException) caught when processing request to {}->unix://localhost:80: Permission denied
2021-09-30 13:49:53.083 INFO 1 — [sync-executor-0] o.apache.http.impl.execchain.RetryExec : Retrying request to {}->unix://localhost:80
2021-09-30 13:49:53.115 ERROR 1 — [ XNIO-1 task-3] io.undertow.request : UT005023: Exception handling request to /app/02_euler

It seems the problem is coming from docker.socket but I don’t know how to launch container or configure Dockerfile in order to run correctly apps…

stephane@vm-shiny-test:~/shinyproxy-template$ DOCKER_HOST=unix:///var/run/docker.sock docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get “http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json”: dial unix /var/run/docker.sock: connect: permission denied

stephane@vm-shiny-test:~/shinyproxy-template$ echo $XDG_RUNTIME_DIR
/run/user/1000

stephane@vm-shiny-test:~/shinyproxy-template$ DOCKER_HOST=unix:///$XDG_RUNTIME_DIR/docker.sock docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8c75fde3ad75 mon_shinyproxy “java -noverify -jar…” 22 hours ago Up 22 hours 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp vigorous_galileo

Here is how I’m trying to run container :

stephane@vm-shiny-test:~/ShinyProxy-docker/ShinyProxy-config-examples/02-containerized-docker-engine$ docker run -d -v $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock --net sp-example-net -p 8080:8080 --restart always mon_shinyproxy

Maybe I have to modify the Dockerfile of the apps ?

Thanks for your help !

stephane

tdekoninck · October 12, 2021, 1:13pm

Hi

ShinyProxy is running under a non-root user, therefore it doesn’t have access to the socket mounted in the container. In order to give it access, you can use the --group-add parameter to the docker run command. You’ll have to provide the id of the group that owns the docker socket.

robertkck · February 15, 2022, 5:21pm

Hi all,

Thank you for the proposed solution Tobia. This did not work for me, unfortunately, and I still receive the error message described above.

Possible problem:
The rootless docker group on our server is 1000. However, 1000 is also the group of the shinyproxy user in the openanalytics/shinyproxy Docker image. Could this cause any problems?

Potential solution:
I can see that the permissions to the docker.sock are set to root within the containter. Do you think the problem would be solved if I create a docker image with root user instead of using the openanalytics/shinyproxy with the non-root user?

Best,
Robert

robertkck · February 16, 2022, 1:45pm

I can confirm that this worked. I created a new Dockerfile in which shinyproxy runs as root. Now the docker.sock can be used.

FROM openjdk:11
LABEL product=shinyproxy
COPY application.yml /opt/shinyproxy/application.yml
COPY shinyproxy-2.6.0.jar /opt/shinyproxy/shinyproxy-2.6.0.jar
RUN chmod +x /opt/shinyproxy/shinyproxy-2.6.0.jar
WORKDIR /opt/shinyproxy/
CMD ["java", "-jar", "shinyproxy-2.6.0.jar"]