Docker Community Forums


Access denied to inspect images unless type explicitly specified


(Alm. Brand Docker admins) #1

Troubleshooting info

$ docker version
Client:
 Version:      1.10.3
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   20f81dd
 Built:        Thu Mar 10 15:59:07 2016
 OS/Arch:      linux/amd64

Server:
 Version:      ucp/1.0.4
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   6c1ef68
 Built:        
 OS/Arch:      linux/amd64

Situation

We use a bash script on a CI server to deploy containers to our UCP controller. The script has access to the client bundle for the user and as such acts on their behalf. As part of the script, we use the docker inspect command to read the values of certain labels set on the image to be deployed, which are used to set some options to docker run.

We label the images with com.docker.ucp.access.label=ucp-users during build to restrict who can deploy containers from those images.

The default access is set to “View Only” for all users, but a certain team gives the ‘ucp-users’ permission.

Problem

When the script is run as an admin user, i.e. the client bundle being used belongs to an admin user, the docker inspect <image> command completes successfully.

But when the script is run as a user who we have verified has the ‘ucp-users’ permission (as shown on their profile page), the docker inspect <image> command fails with the following error message:

Error response from daemon: access denied

Workaround

If we specify the --type option like this: docker inspect --type image <image>, the command successfully returns the expected data on the image.

Expectations

docker inspect <image> should work without specifying the --type image option just like when pointing to a non-UCP Docker endpoint.


(Vivek Saraswat) #2

Hmm, how are you specifying the image? Is it just the image name/id? Or are you pairing it with the image tag?


(Alm. Brand Docker admins) #3

Yes, I’m pairing the image with a tag. I’ll provide the full command line here, as it’s hardly a sensitive piece of information. It is worth mentioning that on the UCP endpoint I’m running these commands against, my user has the “View Only” permission due to auth settings. The image is labeled with com.docker.ucp.access.label=ucp-users, and I don’t have any specific permissions to that resource label.

$ . env.sh
$ docker inspect lspregistrydocker001.alm.brand.dk/integration/odata-router:c0f3da0
[]
Error response from daemon: access denied
$ docker inspect --type image lspregistrydocker001.alm.brand.dk/integration/odata-router:c0f3da0
[
    {
        "Id": "sha256:f720979556d7dee366f006666517bcbb139a39e4cd3111155721a178b9c90a43",
        "RepoTags": [
...
    }
]

The results are the same without specifying a tag:

$ docker inspect lspregistrydocker001.alm.brand.dk/integration/odata-router
[]
Error response from daemon: access denied
$ docker inspect --type image lspregistrydocker001.alm.brand.dk/integration/odata-router
[
    {
        "Id": "sha256:f720979556d7dee366f006666517bcbb139a39e4cd3111155721a178b9c90a43",
        "RepoTags": [
...
    }
]

(Vivek Saraswat) #4

Hmm. My first thought was that docker inspect might be checking for a container instead of an image when you don’t specify --image. Then, if the container doesn’t exist you would get an access denied because UCP doesn’t want to leak container IDs to the system. Otherwise, you could use inspect to sniff out invisible containers.

However, it seems to be occurring when you are using the tag as well. Let me look further into it…
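An added example, not code from the thread, of how the CI deploy script described in the first post could read image labels through UCP: it always passes --type image and treats the "[]" plus "access denied" reply as its own failure mode rather than an empty result. The registry name, the com.example.* label, the label-to-flag mapping and the sample inspect output are constructed.

```python
import json
import subprocess

UCP_ACCESS_LABEL = "com.docker.ucp.access.label"

# Hypothetical convention (not from the thread): image labels that the
# deploy script turns into docker run flags.
LABEL_TO_FLAG = {"com.example.deploy.memory": "--memory"}


class InspectAccessDenied(RuntimeError):
    """UCP answered 'access denied' instead of returning image data."""


def parse_inspect(stdout, stderr, returncode):
    """Return the first inspect record, or raise on the failure modes seen in
    the thread: stdout '[]', 'access denied' on stderr, nonzero exit."""
    if "access denied" in stderr:
        raise InspectAccessDenied(stderr.strip())
    if returncode != 0:
        raise RuntimeError("docker inspect failed: " + stderr.strip())
    records = json.loads(stdout)
    if not records:
        raise RuntimeError("docker inspect returned no records")
    return records[0]


def run_options(record):
    """Build docker run flags from the image labels in an inspect record."""
    labels = (record.get("Config") or {}).get("Labels") or {}
    opts = []
    for key, flag in LABEL_TO_FLAG.items():
        if key in labels:
            opts.extend([flag, labels[key]])
    # Assumption: re-apply the UCP access label to the container so the team
    # allowed to deploy the image can also see and manage the container.
    if UCP_ACCESS_LABEL in labels:
        opts.extend(["--label", UCP_ACCESS_LABEL + "=" + labels[UCP_ACCESS_LABEL]])
    return opts


def inspect_image(ref):
    """docker inspect with an explicit --type image, so UCP resolves the
    reference as an image instead of attempting a container lookup first."""
    proc = subprocess.run(["docker", "inspect", "--type", "image", ref],
                          capture_output=True, text=True)
    return parse_inspect(proc.stdout, proc.stderr, proc.returncode)


# Constructed sample of a successful inspect record (not real output).
SAMPLE_OK = json.dumps([{"Id": "sha256:<constructed>",
                         "RepoTags": ["registry.example/app:c0f3da0"],
                         "Config": {"Labels": {UCP_ACCESS_LABEL: "ucp-users",
                                               "com.example.deploy.memory": "512m"}}}])
```

The denied case from the thread would be parse_inspect("[]\n", "Error response from daemon: access denied\n", 1), which raises InspectAccessDenied so the script can report a permission problem instead of deploying with no labels.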