[GH-ISSUE #556] Issue: Unable to execute docker build within a Github Action workflow #376

Closed
opened 2026-03-01 21:42:49 +03:00 by kerem · 13 comments

Originally created by @jaypipes on GitHub (Mar 7, 2021).
Original GitHub issue: https://github.com/nektos/act/issues/556

Act version

```none
act version 0.2.20
```

Note this is on Fedora 33 with Docker version 19.03.13.

Expected behaviour

I want to be able to execute `docker build` from a github action workflow without getting permissions failure.

Actual behaviour

Workflow and/or repository

workflow
```yaml
name: build-docker

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2

    - run: docker build -f hack/Dockerfile.build -t my-build .
```

Steps to reproduce

act output

Log
```none
[jaypipes@thelio sqltoast]$ act
[build-docker/build] 🚀  Start image=catthehacker/ubuntu:act-latest
[build-docker/build]   🐳  docker run image=catthehacker/ubuntu:act-latest entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[build-docker/build]   🐳  docker cp src=/home/jaypipes/src/github.com/jaypipes/sqltoast/. dst=/github/workspace
[build-docker/build] ⭐  Run actions/checkout@v2
[build-docker/build]   ✅  Success - actions/checkout@v2
[build-docker/build] ⭐  Run docker build -f hack/Dockerfile.build -t my-build .
| Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=hack%2FDockerfile.build&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&t=my-build&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied
[build-docker/build]   ❌  Failure - docker build -f hack/Dockerfile.build -t my-build .
Error: exit with `FAILURE`: 1
```

@catthehacker commented on GitHub (Mar 7, 2021):

Could you provide output of `ls -l /var/run/docker.sock`?

@jaypipes commented on GitHub (Mar 8, 2021):

> Could you provide output of `ls -l /var/run/docker.sock`?

Hi @catthehacker, thanks for looking into this!

```
[jaypipes@thelio ~]$ ls -l /var/run/docker.sock
srw-rw----. 1 root docker 0 Mar  8 05:18 /var/run/docker.sock
```
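An added example, not part of the original thread: a small POSIX shell helper that reads an `ls -l` line like the one posted above and reports whether plain file permissions (DAC) already explain a "permission denied" on the socket, or whether DAC allows the connection and SELinux is the next thing to check. The name `classify_socket_denial` is hypothetical, the user and group arguments are constructed inputs, and GNU `ls` output is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). classify_socket_denial is a
# hypothetical helper; it only parses text, it never touches the socket.
# Usage: classify_socket_denial "<ls -l line>" <user> "<space-separated groups>"
classify_socket_denial() (
    ls_line=$1 user=$2 user_groups=$3
    # `ls -l` fields: mode, link count, owner, group, then size/date/name.
    read -r mode _links owner group _rest <<EOF
$ls_line
EOF
    # connect() on a Unix socket needs write permission on the socket file.
    # Pick the write bit that applies: owner (char 3), group (6) or other (9).
    if [ "$user" = "$owner" ]; then
        col=3
    else
        case " $user_groups " in
            *" $group "*) col=6 ;;
            *)            col=9 ;;
        esac
    fi
    write_bit=$(printf '%s' "$mode" | cut -c"$col")
    # GNU ls prints "." as the 11th character when the file carries an
    # SELinux security context (a file with an ACL shows "+" instead).
    label=$(printf '%s' "$mode" | cut -c11)

    # root normally passes DAC checks whatever the mode bits say
    # (CAP_DAC_OVERRIDE), so only non-root callers can fail here.
    if [ "$user" != root ] && [ "$write_bit" != w ]; then
        echo "dac-denied"               # fix group membership or socket mode
    elif [ "$label" = "." ]; then
        echo "dac-ok-check-selinux"     # next: getenforce; ausearch -m avc -ts recent
    else
        echo "dac-ok-no-selinux-label"
    fi
)

# The socket listing posted above, evaluated for a root caller (constructed call).
classify_socket_denial \
    "srw-rw----. 1 root docker 0 Mar  8 05:18 /var/run/docker.sock" root "root"
```

A `dac-ok-check-selinux` result narrows the denial to the SELinux policy, which can then be examined through the audit log rather than by disabling enforcement system-wide.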

@jaypipes commented on GitHub (Mar 8, 2021):

@catthehacker also, FWIW, running `docker` on Fedora, I almost always have to pass the `:z` flag at the end of any volume mounts, otherwise I get permissions errors from selinux content labels not being properly applied from host to container filesystem. See https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/ for more details. Adding `:z` or `:Z` to my mount specs always fixes the problem.

I looked in the `act` codebase briefly and think that adding the `:z` flag here:

https://github.com/nektos/act/blob/8de7b956b781bd4bb97bf6136d30e789501b17b4/pkg/runner/step_context.go#L214

and here:

https://github.com/nektos/act/blob/8de7b956b781bd4bb97bf6136d30e789501b17b4/pkg/runner/run_context.go#L86

might do the trick...


@catthehacker commented on GitHub (Mar 8, 2021):

Seems like using `:Z` is not an option or we could break a lot of stuff and `:z`/`:Z`/`:ro` require to be volumes and not bind mounts otherwise those are ignored (https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label). I'll try to set up Fedora environment for myself and test it out how to deal with it.

Although from documentation and [this comment](https://github.com/moby/moby/issues/32579#issuecomment-788389016) it seems that the proper way is to modify host paths instead of using `:z`.


@jaypipes commented on GitHub (Mar 9, 2021):

> Seems like using `:Z` is not an option or we could break a lot of stuff and `:z`/`:Z`/`:ro` require to be volumes and not bind mounts otherwise those are ignored (https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label). I'll try to set up Fedora environment for myself and test it out how to deal with it.

Any particular reason the code uses bind mounts instead of (or, rather, in addition to) volumes?

> Although from documentation and [this comment](https://github.com/moby/moby/issues/32579#issuecomment-788389016) it seems that the proper way is to modify host paths instead of using `:z`.

Sorry, I read that issue and particular comment a number of times and I'm still scratching my head as to what the solution actually would entail here. Mind elaborating?

Thanks again for your help @catthehacker!


@jaypipes commented on GitHub (Mar 23, 2021):

> Sorry, I read that issue and particular comment a number of times and I'm still scratching my head as to what the solution actually would entail here. Mind elaborating?

@catthehacker any updates on this?


@catthehacker commented on GitHub (Mar 24, 2021):

@jaypipes Sorry, I never used Linux distro with `selinux` so can't help with that. As for the mounts/binds I have yet to try and figure it out since I didn't have much time lately.


@jaypipes commented on GitHub (Mar 30, 2021):

@catthehacker OK, so I ended up just turning off SELinux entirely and that has solved this issue. Honestly, for development desktops, I have a feeling that SELinux is just more bother than anything useful. :) Closing issue out...


@LouKordos commented on GitHub (Jun 5, 2021):

I'm on Arch Linux and the issue is still present for me... Is there any quick fix for this? I'm on the latest `master` commit.


@catthehacker commented on GitHub (Jun 5, 2021):

Turn off SELinux


@LouKordos commented on GitHub (Jun 6, 2021):

I'm running Arch Linux, and `sestatus` says `command not found`, so I'm 99% sure it's not installed, which makes sense since it's not Redhat.


@catthehacker commented on GitHub (Jun 6, 2021):

Please create new issue then


@LouKordos commented on GitHub (Jun 6, 2021):

Done
