$ docker version Client: Version: 1.10.3 API version: 1.22 Go version: go1.5.3 Git commit: 20f81dd Built: Thu Mar 10 15:59:07 2016 OS/Arch: linux/amd64 Server: Version: ucp/1.0.4 API version: 1.22 Go version: go1.5.3 Git commit: 6c1ef68 Built: OS/Arch: linux/amd64
We use a
bash script on a CI server to deploy containers to our UCP controller. The script has access to the client bundle for the user and as such acts on their behalf. As part of the script, we use the
docker inspect command to read the values of certain labels set on the image to be deployed, which are used to set some options to
We label the images with
com.docker.ucp.access.label=ucp-users during build to restrict who can deploy containers from those images.
The default access is set to “View Only” for all users, but a certain team gives the ‘ucp-users’ permission.
When the script is run as an admin user, i.e. the client bundle being used belongs to an admin user, the
docker inspect <image> command completes successfully.
But when the script is run as a user whom we have verified has the ‘ucp-users’ permission (as shown on their profile page), the
docker inspect <image> command fails with the following error message:
Error response from daemon: access denied
If we specify the
--type option like this:
docker inspect --type image <image>, the command successfully returns the expected data on the image.
docker inspect <image> should work without specifying the
--type image option just like when pointing to a non-UCP Docker endpoint.