open /.docker/.token_seed: permission denied #1936

Closed
rittneje opened this issue Jan 6, 2021 · 15 comments · Fixed by #2234
@rittneje
Contributor

rittneje commented Jan 6, 2021

While testing out the 0.8.1 rootless image, I encountered the following build error:

error: failed to solve: rpc error: code = Unknown desc = open /.docker/.token_seed: permission denied

From looking at the source code it appears that the token seed file logic is only checking against syscall.EPERM and not syscall.EACCES, so a permission failure is fatal. You should switch to os.IsPermission(err) instead of using errors.Is(err, syscall.EPERM), since this will account for both syscall.EPERM and syscall.EACCES.
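The difference between the two checks, as an added Go example that is not BuildKit's code and not part of the original issue. `seedSource`, `deniedOpen` and `onlyEPERM` are hypothetical names, the injected `EACCES` failure is constructed, and the fallback to a per-process seed is an assumption about what a non-fatal path would do.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

type opener func(name string, flag int, perm os.FileMode) (*os.File, error)

// seedSource is hypothetical, not BuildKit's code. It reads or creates
// dir/.token_seed; if denied(err) accepts an open failure it returns a
// per-process seed instead (assumed fallback) and reports persisted=false.
func seedSource(dir string, open opener, denied func(error) bool) (seed []byte, persisted bool, err error) {
	seed = make([]byte, 16)
	f, err := open(filepath.Join(dir, ".token_seed"), os.O_RDWR|os.O_CREATE, 0o600)
	if err != nil {
		if !denied(err) {
			return nil, false, err // fatal, as in the reported build error
		}
		_, err = rand.Read(seed)
		return seed, false, err
	}
	defer f.Close()
	if n, _ := f.Read(seed); n == len(seed) {
		return seed, true, nil // reuse the stored seed
	}
	if _, err = rand.Read(seed); err == nil {
		_, err = f.WriteAt(seed, 0)
	}
	return seed, err == nil, err
}

// deniedOpen is a constructed failure: EACCES wrapped in *os.PathError.
func deniedOpen(name string, _ int, _ os.FileMode) (*os.File, error) {
	return nil, &os.PathError{Op: "open", Path: name, Err: syscall.EACCES}
}

// onlyEPERM is the narrow check the issue describes.
func onlyEPERM(err error) bool { return errors.Is(err, syscall.EPERM) }

func main() {
	_, _, err := seedSource("/.docker", deniedOpen, onlyEPERM)
	fmt.Println("EPERM-only check:", err)
	seed, persisted, err := seedSource("/.docker", deniedOpen, os.IsPermission)
	fmt.Println("os.IsPermission:", len(seed), persisted, err)
}
```

`os.IsPermission` only inspects errors returned by the `os` package; `errors.Is(err, fs.ErrPermission)` matches the same two errno values and also sees through wrapped errors.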

@tonistiigi tonistiigi added this to the v0.8.0 milestone Jan 7, 2021
@tonistiigi
Member

Thanks for the report. How did you hit this?

@rittneje
Contributor Author

rittneje commented Jan 7, 2021

In my Dockerfile, the /.docker folder was created by root. (It was really created as a side effect of a COPY instruction, which ignores the contextual uid/gid, unlike RUN.) Consequently, uid 1000 did not have write permission to the folder, so attempting to create the /.docker/.token_seed file failed.

@thaJeztah thaJeztah modified the milestones: v0.8.0, v0.8.2 Feb 4, 2021
@theokrammer

I had the same error, though for me this occurs when accessing an image directly from docker hub using 'FROM ...'. Not sure it has anything to do with this, and the error disappears after I manually run a 'docker pull ...'. It is not limited to the image used here (alpine) but for everything. Is this happening for anybody else? I am on macOS Big Sur if that matters.

@karlismelderis

I got the same error.
For now docker pull ... helped but I'm not sure yet if the error is gone for good.

@tonistiigi
Member

#2050

@rittneje
Contributor Author

rittneje commented Jun 11, 2021

@tonistiigi I don't think this issue is fixed. The PR you linked seems unrelated.

@tonistiigi tonistiigi reopened this Jun 11, 2021
@tonistiigi
Member

@rittneje maybe indeed. #1745 is also related. But if your issue is that something (not docker itself) corrupted your docker config and now it is unreadable to the docker binary then there isn't really anything we can do about it. The config dir needs to be fixed.

The PRs cover similar cases that could appear from system crashes or readonly volumes, as these are cases that can appear without explicit config directory corruption.

@rittneje
Contributor Author

My docker config was not corrupted. The uid running buildkit just does not have write permission to the directory. #1745 missed checking for syscall.EACCES, hence this bug.

@tonistiigi
Member

Docker config is per-user. The user invoking docker should always have access to their own config dir.

@rittneje
Contributor Author

They should have read access. Needing write access outside docker login is pretty unexpected to be honest. And in any case you already added support for it being on a read-only file system. Also, with the DOCKER_CONFIG environment variable in play, the config dir may not necessarily belong to the user anyway.

@ninanung

I'm getting the same error from Docker for Apple silicon.

@AliF50

AliF50 commented Aug 26, 2021

I had to manually pull the images like the users mentioned here to fix the issue.

I am on macOS Big Sur 11.5.1 and docker version 20.10.8, build 3967b7d.

@Cartmanishere

Cartmanishere commented Oct 20, 2021

Faced the same issue so just added rw permission to the required files.

chmod 666 .token_seed .token_seed.lock

Not sure what's the impact of this but solved my error for now.

@spuder

spuder commented Dec 24, 2021

@Cartmanishere 666 means that anyone on your computer could read and write to that file.
On my machine the permissions are currently 600

-rw-------  1 root  staff  74 Dec 24 11:53 /Users/spuder/.docker/.token_seed

A safer option would be 660

chmod 660 .token_seed .token_seed.lock

@Shahriar-Sazid

I faced the same problem, then prepended sudo before the command, and that fixed the problem.
