TIL = Things, or Today I Learned

An experiment in Learning in Public.


PowerShell - Grant user access to Docker Pipe without Admin rights

Aim:

  • Be able to run docker commands without Administrator privileges.
  • Prepare for running docker commands in GitHub Actions running on self-hosted runners. See GitHub Actions - Self-hosted Windows Runners - enable docker build.

When running docker build on a local dev machine, we're greeted with the error:

error during connect: In the default daemon configuration on Windows, the docker client must be run with elevated privileges to connect.: Post http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/images/create?fromImage=mcr.microsoft.com%2Fwindows%2Fnanoserver&tag=1809: open //./pipe/docker_engine: The system cannot find the file specified.

Troubleshooting

  1. Is the docker service running? Check with PS > Get-Service docker. Output is:
Status	Name	DisplayName
------	----	-----------
Running	Docker	Docker Engine
  2. Who can access the pipe docker_engine? Run [System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine") | Format-Table. Output is:
PS C:\Users\user> [System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine") | Format-Table

Path Owner       Access
---- -----       ------
     domain\user NT AUTHORITY\SYSTEM Allow  FullControl...
  3. Who can access the pipe docker_engine_windows? Run [System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine_windows") | Format-Table. Output is:
PS C:\Users\user> [System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine_windows") | Format-Table

Path Owner                  Access
---- -----                  ------
     BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow  FullControl...

The Fix

Grant the user access to the Docker pipe only, as in https://github.com/tfenster/dockeraccesshelper, rather than to the whole machine.

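# GrantAccessToDockerPipe.ps1
# Run from an elevated PowerShell session; changing the pipe's ACL needs admin rights.
# Account that's to be granted access. When on laptop, I use juliusg.
$account = "juliusg"
# Named pipe the docker client uses to reach the Docker Engine service.
$npipe = "\\.\pipe\docker_engine"
# Read the pipe's current access control list.
$dInfo = New-Object "System.IO.DirectoryInfo" -ArgumentList $npipe
$dSec = $dInfo.GetAccessControl()
# Build an Allow / FullControl rule for the account.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object "System.Security.AccessControl.FileSystemAccessRule" -ArgumentList $account,$fullControl,$allow
# Add the rule and write the updated ACL back to the pipe.
$dSec.AddAccessRule($rule)
$dInfo.SetAccessControl($dSec)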

Testing

Open PowerShell and run that script.

In another PowerShell window, check the following:

  1. Is the docker service running? Check with PS > Get-Service docker. Output is:
Status	Name	DisplayName
------	----	-----------
Running	Docker	Docker Engine
  2. If it's not running, restart it with PS > Get-Service docker | Restart-Service and not with dockerd (dockerd starts a new instance of the Docker daemon).
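
The Testing steps confirm only that the service is up; to see what the script changed, list the pipe's ACL and compare it against the entries you expect. The following is an added example, not code from the original page or from dockeraccesshelper. It assumes Windows PowerShell 5.1 (as the page's own commands do) and an account permitted to read the pipe's security descriptor; the function name Get-PipeAccessReport, the baseline SID list and the sample descriptor are made up for illustration.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.1,
# like the page's [System.IO.Directory] calls. Get-PipeAccessReport,
# $BaselineSids and the sample descriptor are constructed for this sketch.

# Well-known SIDs treated here (an assumption) as the expected entries on the pipe.
$BaselineSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

function Get-PipeAccessReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.CommonObjectSecurity]$Acl
    )
    # Request SIDs, not names, so matching does not depend on name resolution.
    $rules = $Acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'   # deleted account or unreachable domain
        }
        [pscustomobject]@{
            Sid      = $sid.Value
            Name     = $name
            Type     = $rule.AccessControlType
            Rights   = $rule.FileSystemRights
            Expected = $BaselineSids -contains $sid.Value
        }
    }
}

# Constructed descriptor: SYSTEM, Administrators, and one made-up user SID.
$sample = New-Object System.Security.AccessControl.DirectorySecurity
$sample.SetSecurityDescriptorSddlForm(
    'D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-21-1-2-3-1001)')
Get-PipeAccessReport -Acl $sample | Format-Table -AutoSize

# Live check: entries on the real pipe that are outside the baseline.
# After the grant script has run, the granted account shows up here.
try {
    $live = [System.IO.Directory]::GetAccessControl('\\.\pipe\docker_engine')
    Get-PipeAccessReport -Acl $live | Where-Object { -not $_.Expected } | Format-Table -AutoSize
} catch {
    Write-Warning "Could not read the pipe ACL: $($_.Exception.Message)"
}
```

The report lists direct entries only; access that a user holds through group membership appears under the group's SID, not the user's.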
