I need to run a bash script periodically on a Jetson Nano (so, Ubuntu 18.04). The script should run system updates, pull some Python code from a repository, and run it as a specified user.
So, I created this script:
#! /bin/bash
## system updates
sudo apt update
sudo apt upgrade
## stop previous instances of the Python code
pkill python3
## move to python script folder
cd /home/user_name/projects/my_folder
## pull updates from repo
git stash
git pull
## create dummy folder to check bash script execution to this point
sudo -u user_name mkdir /home/user_name/projects/dummy_folder_00
## launch python script
sudo -u user_name /usr/bin/python3 python_script.py --arg01 --arg02
## create dummy folder to check bash script execution to this point
sudo -u user_name mkdir /home/user_name/projects/dummy_folder_01
I created a cron job running this script as root, by using
sudo crontab -e
and adding the entry
00 13 * * * /home/user_name/projects/my_folder/script.sh
Now, I can see that at the configured time, both the dummy folders are created, and they actually belong to user_name. However, the Python script isn't launched.
I tried creating the cron job as non root user (crontab -e), but at this point even if the Python script gets exectured, I guess I wouldn't be able to run apt update/upgrade.
How can I fix this?
Well, if the dummy folders did get created, that means the sudo statements work, so i'd say theres a 99%+ chance that python was infact started.
I'm guessing the problem is that you havent specified the path for the python file, and your working directory likely isn't what you're expecting it to be.
change:
sudo -u user_name /usr/bin/python3 python_script.py --arg01 --arg02
to something like
sudo -u user_name /usr/bin/python3 /path/to/your/python_script.py --arg01 --arg02
then test.
If that didn't solve the problem , then enable some logging, change the line to:
sudo -u user_name /usr/bin/python3 /path/to/your/python_script.py --arg01 --arg02 \
1> /home/user_name/projects/dummy_folder_00/log.txt 2>&1 ;
and test again, it should log STDOUT and STDERR to that file then.
I installed Docker in my machine where I have Ubuntu OS.
When I run:
sudo docker run hello-world
All is ok, but I want to hide the sudo command to make the command shorter.
If I write the command without sudo
docker run hello-world
That displays the following:
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/containers/create: dial unix /var/run/docker.sock: connect: permission denied. See 'docker run --help'.
The same happens when I try to run:
docker-compose up
How can I resolve this?
If you want to run docker as non-root user then you need to add it to the docker group.
Create the docker group if it does not exist
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log in to the new docker group (to avoid having to log out / log in again; but if not enough, try to reboot):
$ newgrp docker
Check if docker can be run without root
$ docker run hello-world
Reboot if still got error
$ reboot
Warning
The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface..
Taken from the docker official documentation:
manage-docker-as-a-non-root-user
After an upgrade I got the permission denied.
Doing the steps of 'mkb' post install steps don't have change anything because my user was already in the 'docker' group; I retry-it twice any way without success.
After an search hour this following solution finaly worked :
sudo chmod 666 /var/run/docker.sock
Solution came from Olshansk.
Look like the upgrade have recreate the socket without enough permission for the 'docker' group.
Problems
This hard chmod open security hole and after each reboot, this error start again and again and you have to re-execute the above command each time. I want a solution once and for all. For that you have two problems :
1) Problem with SystemD : The socket will be create only with owner 'root' and group 'root'.
You can check this first problem with this command :
ls -l /lib/systemd/system/docker.socket
If every this is good, you should see 'root/docker' not 'root/root'.
2 ) Problem with graphical Login : https://superuser.com/questions/1348196/why-my-linux-account-only-belongs-to-one-group
You can check this second problem with this command :
groups
If everything is correct you should see the docker group in the list.
If not try the command
sudo su $USER -c groups
if you see then the docker group it is because of the bug.
Solutions
If you manage to to get a workaround for the graphical login, this should do the job :
sudo chgrp docker /lib/systemd/system/docker.socket
sudo chmod g+w /lib/systemd/system/docker.socket
But If you can't manage this bug, a not so bad solution could be this :
sudo chgrp $USER /lib/systemd/system/docker.socket
sudo chmod g+w /lib/systemd/system/docker.socket
This work because you are in a graphical environnement and probably the only user on your computer.
In both case you need a reboot (or an sudo chmod 666 /var/run/docker.sock)
Add docker group
$ sudo groupadd docker
Add your current user to docker group
$ sudo usermod -aG docker $USER
Switch session to docker group
$ newgrp - docker
Run an example to test
$ docker run hello-world
Add current user to docker group
sudo usermod -aG docker $USER
Change the permissions of docker socket to be able to connect
to the docker daemon /var/run/docker.sock
sudo chmod 666 /var/run/docker.sock
I solve this error with the command :
$ sudo chmod 666 /var/run/docker.sock
It only requires the changes in permission of sock file.
sudo chmod 666 /var/run/docker.sock
this will work definitely.
If creating a docker group and adding your user to it doesn't work (the best solution, described in the previous answers), then this one is the second best alternative:
sudo chown $USER /var/run/docker.sock
What it does is changing the ownership of the docker.sock file to your user.
Note: It's a really bad practice to use chmod 666, because it gives permissions to practically everyone to access and modify the docker.sock file.
Fix Docker Issue: (Permission denied)
Create the docker group if it does not exist: sudo groupadd docker
See number of super users in the available system: grep -Po '^sudo.+:\K.*$' /etc/group
Export the user in linux command shell: export USER=demoUser
Add user to the docker group: sudo usermod -aG docker $USER
Run the following command/ Login or logout: newgrp docker
Check if docker runs ok or not: docker run hello-world
Reboot if you still get an error: reboot
If it does not work, run this command:
sudo chmod 660 /var/run/docker.sock
You can always try Manage Docker as a non-root user paragraph in the https://docs.docker.com/install/linux/linux-postinstall/ docs.
After doing this also if the problem persists then you can run the following command to solve it:
sudo chmod 666 /var/run/docker.sock
We always forget about ACLs . See setfacl.
sudo setfacl -m user:$USER:rw /var/run/docker.sock
To fix that issue, I searched where is my docker and docker-compose installed. In my case, docker was installed in /usr/bin/docker and docker-compose was installed in /usr/local/bin/docker-compose path. Then, I write this in my terminal:
To docker:
sudo chmod +x /usr/bin/docker
To docker-compose:
sudo chmod +x /usr/local/bin/docker-compose
Now I don't need write in my commands docker the word sudo
/***********************************************************************/
ERRATA:
The best solution of this issue was commented by #mkasberg. I quote comment:
That might work, you might run into issues down the road. Also, it's a security vulnerability. You'd be better off just adding yourself to the docker group, as the docs say. sudo groupadd docker, sudo usermod -aG docker $USER.
Docs: https://docs.docker.com/install/linux/linux-postinstall/
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/images/json: dial unix /var/run/docker.sock: connect: permission denied
sudo chmod 666 /var/run/docker.sock
This fix my problem.
ubuntu 21.04 systemd socket ownership
Let me preface, this was a perfectly suitable solution for me during local development and I got here searching for ubuntu docker permission error so i'll just leave this here.
I didn't own the unix socket, so I chowned it.
sudo chown $(whoami):$(whoami) /var/run/docker.sock
Another, more permanent solution for your dev environment, is to modify the user ownership of the unix socket creation. This will give your user the ownership, so it'll stick between restarts:
sudo nano /etc/systemd/system/sockets.target.wants/docker.socket
docker.socket:
[Unit]
Description=Docker Socket for the API
[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=YOUR_USERNAME_HERE
SocketGroup=docker
[Install]
WantedBy=sockets.target
Seriously guys. Do not add Docker in your groups or modifies the socket posix (without a hardening SELinux), it's a simple way to make a root privesc. Just add an alias in your .bashrc, it's simpler and safer as : alias dc='sudo docker'.
lightdm and kwallet ship with a bug that seems to not pass the supplementary groups at login. To solve this, I also, beside sudo usermod -aG docker $USER, had to comment out
auth optional pam_kwallet.so
auth optional pam_kwallet5.so
to
#auth optional pam_kwallet.so
#auth optional pam_kwallet5.so
in /etc/pam.d/lightdm before rebooting, for the docker-group to actually have effect.
bug: https://bugs.launchpad.net/lightdm/+bug/1781418 and here: https://bugzilla.redhat.com/show_bug.cgi?id=1581495
Rebooting the machine worked for me.
$ reboot
This work for me:
Get inside the container and modify the file's ACL
sudo usermod -aG docker $USER
sudo setfacl --modify user:$USER:rw /var/run/docker.sock
It's a better solution than use chmod.
use this command
sudo usermod -aG docker $USER
then restart your computer this worked for me.
you can follow these steps and this will work for you:
create a docker group sudo groupadd docker
add your user to this group sudo usermod -aG docker $USER
list the groups to make sure that docker group created successfully by running this command groups
run the following command also to change the session for docker group newgrp docker
change the group ownership for file docker.socksudo chown root:docker /var/run/docker.sock
change the ownership for .docker directory sudo chown "$USER":"$USER" /home/"$USER"/.docker -R
finally sudo chmod g+rwx "$HOME/.docker" -R
After that test you can run docker ps -a
I ran into a similar problem as well, but where the container I wanted to create needed to mount /var/run/docker.sock as a volume (Portainer Agent), while running it all under a different namespace. Normally a container does not care about which namespace it is started in -- that is sort of the point -- but since access was made from a different namespace, this had to be circumvented.
Adding --userns=host to the run command for the container enabled it to use the attain the correct permissions.
Quite a specific use case, but after more research hours than I want to admit I just thought I should share it with the world if someone else ends up in this situation :)
i try this commend with sudo commend and it was ok.sudo docker pull hello-world or sudo docker run hello-world
In the Linux environment, after installing docker and docker-compose reboot is required for work docker better to avoid this issue.
$ sudo systemctl restart docker
It is definitely not the case the question was about, but as it is the first search result while googling the error message, I'll leave it here.
First of all, check if docker service is running using the following command:
systemctl status docker.service
If it is not running, try starting it:
sudo systemctl start docker.service
... and check the status again:
systemctl status docker.service
If it has not started, investigate the reason. Probably, you have modified a config file and made an error (like I did while modifying /etc/docker/daemon.json)
The Docker daemon binds to a Unix socket instead of a TCP port.
By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
To create the docker group and add your user:
Create the docker group
sudo groupadd docker
Add your user to the docker group
sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
newgrp docker
Verify that you can run docker commands without sudo. The below command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits
docker run hello-world
If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.
WARNING: Error loading config file: /home/user/.docker/config.json -
stat /home/user/.docker/config.json: permission denied
To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:
sudo chown "$USER":"$USER" /home/"$USER"/.docker -R
sudo chmod g+rwx "$HOME/.docker" -R
All other post installation steps for docker on linux can be found here https://docs.docker.com/engine/install/linux-postinstall/
The most straightforward solution is to type
sudo chmod 666 /var/run/docker.sock
every time you boot your machine. However, this method defeats any system security that may be in place and opens up the Docker socket to everybody. If this is acceptable to you -e.g.: the only user of your machine- then use it.
Nevertheless, it will be required every time you boot your machine, you can make it run with booting by adding
start on startup
task
exec chmod 666 /var/run/docker.sock
to the /etc/init/docker-chmod.conf file.
I tried all the described methods and nothing helped to solve the problem. The solution was to use the --use-drivers parameter when running selenoid and selenoid-ui. Below is the full listing of my Dockerfile.
FROM selenoid/chrome
USER root
RUN apt-get update
RUN apt-get -y install docker.io
RUN curl -s https://aerokube.com/cm/bash | bash
RUN ./cm selenoid start --vnc --use-drivers
RUN ./cm selenoid-ui start --use-drivers
EXPOSE 4444 8080
CMD ["-conf", "/etc/selenoid/browsers.json", "-video-output-dir", "/opt/selenoid/video/"]
In my case it was the process itself (CI server agent) that was trying to run a docker command wasn't able to run it, but when I tried to run same command from within the same user it worked.
Restarting the daemon that runs CI server agent solved the problem.
The reason why command wasn't working from within agent before is because the agent was running before I installed docker and granted docker group permissions, and agent process used cached old permissions and was failing. Restarting the process dropped the cache and make things work out.
As a shortest answer for linux user ->
Simply try any command as super user with "sudo"
Eg:- sudo docker-compose up
After Docker Installation on Centos. While running below command I got below error.
[centos#aiops-dev-cassandra3 ~]$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.soc k/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
Change Group and Permission for docker.socket
[centos#aiops-dev-cassandra3 ~]$ ls -l /lib/systemd/system/docker.socket
-rw-r--r--. 1 root root 197 Nov 13 07:25 /lib/systemd/system/docker.socket
[centos#aiops-dev-cassandra3 ~]$ sudo chgrp docker /lib/systemd/system/docker.socket
[centos#aiops-dev-cassandra3 ~]$ sudo chmod 666 /var/run/docker.sock
[centos#aiops-dev-cassandra3 ~]$ ls -lrth /var/run/docker.sock
srw-rw-rw-. 1 root docker 0 Nov 20 11:59 /var/run/docker.sock
[centos#aiops-dev-cassandra3 ~]$
Verify by using below docker command
[centos#aiops-dev-cassandra3 ~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:c3b4ada4687bbaa170745b3e4dd8ac3f194ca95b2d0518b417fb47e5879d9b5f
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
[centos#aiops-dev-cassandra3 ~]$
After you installed docker, created 'docker' group and added user to it, edit docker service unit file:
sudo nano /usr/lib/systemd/system/docker.service
Add two lines into the section [Service]:
SupplementaryGroups=docker
ExecStartPost=/bin/chmod 666 /var/run/docker.sock
Save the file (Ctrl-X, y, Enter)
Run and enable the Docker service:
sudo systemctl daemon-reload
sudo systemctl start docker
sudo systemctl enable docker
I have installed Mongodb 3.0 using this tutorial -
https://docs.mongodb.com/v3.0/tutorial/install-mongodb-on-amazon/
It has installed fine. I have also given permissions to 'ec2-user' to all the data and log folders ie var/lib/mongo and var/log/mongodb but and have set conf file as well.
Now thing is that mongodb server always fails to start with command
sudo service mongod start
it just say failed, nothing else.
While if I run command -
mongod --dbpath var/lib/mongo
it starts the mongodb server correctly (though I have mentioned same dbpath in .conf file as well)
What is it I am doing wrong here?
When you run sudo mongod it does not load a config file at all, it literally starts with the compiled in defaults - port 27017, database path of /data/db etc. - that is why you got the error about not being able to find that folder. The "Ubuntu default" is only used when you point it at the config file (if you start using the service command, this is done for you behind the scenes).
Next you ran it like this:
sudo mongod -f /etc/mongodb.conf
If there weren't problems before, then there will be now - you have run the process, with your normal config (pointing at your usual dbpath and log) as the root user. That means that there are going to now be a number of files in that normal MongoDB folder with the user:group of root:root.
This will cause errors when you try to start it as a normal service again, because the mongodb user (which the service will attempt to run as) will not have permission to access those root:root files, and most notably, it will probably not be able to write to the log file to give you any information.
Therefore, to run it as a normal service, we need to fix those permissions. First, make sure MongoDB is not currently running as root, then:
cd /var/log/mongodb
sudo chown -R mongodb:mongodb .
cd /var/lib/mongodb
sudo chown -R mongodb:mongodb .
That should fix it up (assuming the user:group is mongodb:mongodb), though it's probably best to verify with an ls -al or similar to be sure. Once this is done you should be able to get the service to start successfully again.
If you’re starting mongod as a service using:
sudo service mongod start
Make sure the directories defined for logpath, dbpath, and pidfilepath in your mongod.conf exist and are owned by mongod:mongod.
I want to run Python script with Jython.
the result show correctly, but at the same time there is an warning message, "sys-package-mgr*: can't create package cache dir"
How could I solve this problem?
thanks in advance~~~
You can change the location of the cache directory to a place that you have read & write access to by setting the "python.cachedir" option when starting jython, e.g.:
jython -Dpython.cachedir=*your cachedir directory here*
or:
java -jar my_standalone_jython.jar -Dpython.cachedir=*your cachedir directory here*
You can read about the python.cachedir option here:
http://www.jython.org/archive/21/docs/registry.html
1) By changing permissions to allow writing to the directory in the error message.
2) By setting python.cachedir.skip = true
You can read this:
http://www.jython.org/jythonbook/en/1.0/ModulesPackages.html#module-search-path-compilation-and-loading
for further insights.
Making directories world writable admittedly makes the problem "go away", however, it introduces a huge security hole. Anyone could introduce code to the now world writable directory that would be executed in the users' jpython environment.
Setting the cachedir to skip would presumably result in a performance drop (why implement a caching scheme other than to improve performace).
Instead I did the following:
I created a new group (in my case eclipse, but it could have been jpython). I added the users of jpython to that group.
$ sudo groupadd eclipse
I then changed the group of my eclipse plugins folder and its children to 'eclipse'.
/opt/eclipse/plugins $ sudo chgrp -R eclipse *
Then I changed the group permissions as follows
/opt/eclipse/plugins $ sudo chmod -R g+w *
/opt/eclipse/plugins $ find * -type d -print | sudo xargs chmod g+s
This added group writable, and set the S_GID bit on all directories recursively. This last bit causes new directories created to have the same group id as their parent.
The final touch was change the umask for the eclipse users set to 007.
$ sudo vi /etc/login.def
change UMASK to 007 (from 022).
UMASK=007
The easiest fix I found so far was to do:
$ sudo chmod -R 777 /opt/jython/cachedir