docker container fails to use /var/run/docker.sock

hi, I’m trying to set up traefik as per these instructions: https://technotim.com/posts/traefik-3-docker-certificates/

OS: openSUSE MicroOS x86_64
f287fd94caf2889af5c33944ec4d4eb12d272b2f9752fa11dcfc5897e59c0f5f  openSUSE-MicroOS.x86_64-VirtualBox.vdi.xz

this is the error I’m getting:

traefik  | 2026-02-28T19:08:52+01:00 ERR Failed to retrieve information of the docker client and server host error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:08:52+01:00 ERR Provider error, retrying in 1.343197724s error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:08:53+01:00 ERR Failed to retrieve information of the docker client and server host error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:08:53+01:00 ERR Provider error, retrying in 5.417698464s error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:08:58+01:00 ERR Failed to retrieve information of the docker client and server host error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:08:58+01:00 ERR Provider error, retrying in 4.714790344s error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:09:03+01:00 ERR Failed to retrieve information of the docker client and server host error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:09:03+01:00 ERR Provider error, retrying in 9.92899046s error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:09:13+01:00 ERR Failed to retrieve information of the docker client and server host error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker
traefik  | 2026-02-28T19:09:13+01:00 ERR Provider error, retrying in 15.283470479s error="permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get \"http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version\": dial unix /var/run/docker.sock: connect: permission denied" providerName=docker

also when I issue curl --unix-socket /var/run/docker.sock http://localhost/_ping on the host it says OK
when I issue it in the traefik container it says curl: (7) Failed to connect to localhost over /var/run/docker.sock after 0 ms: Could not connect to server
as far as I can tell the socket is present:
srw-rw---- 1 root 474 0 Feb 28 19:03 /var/run/docker.sock
and I’m root so I should have rights

to reach this point some files need to be mapped :ro,Z (instead of :ro), I suspect it has something to do with rootfs being read only, but I’m not sure

any help would be appreciated
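Added example, not part of the original post: a POSIX shell triage for the situation described above, where the socket's mode bits appear to allow access but the connect still fails with "permission denied". It takes the output of `stat -c '%a %u %g' /var/run/docker.sock` plus the calling process's uid and gids; the function names and the sample values (constructed to match the `srw-rw---- root 474` listing) are assumptions, and capabilities are ignored.

```shell
#!/bin/sh
# Added example (not from the thread). Decides whether classic Unix mode
# bits (DAC) explain an EACCES on a Unix socket, or whether a MAC layer
# such as SELinux should be investigated instead.

# dac_can_connect MODE OWNER_UID OWNER_GID PROC_UID "PROC_GIDS"
# connect() on a Unix socket needs write permission on the socket file.
# Runs in a subshell so its variables stay local.
dac_can_connect() (
    mode=$((0$1))                      # leading 0 makes the constant octal
    if [ "$4" -eq "$2" ]; then
        bits=$(( (mode >> 6) & 7 ))    # owner class applies
    else
        bits=$(( mode & 7 ))           # "other" class unless a group matches
        for g in $5; do
            if [ "$g" -eq "$3" ]; then
                bits=$(( (mode >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( bits & 2 )) -ne 0 ]          # is the write bit set?
)

# triage "STAT_LINE" PROC_UID "PROC_GIDS"
# Call this only after a connect has already failed with permission denied.
triage() (
    set -- $1 "$2" "$3"                # split "MODE UID GID" into $1 $2 $3
    if dac_can_connect "$1" "$2" "$3" "$4" "$5"; then
        echo "mac-suspected"           # mode bits allow it: check audit log for AVC denials
    else
        echo "dac-denied"              # mode bits alone explain the failure
    fi
)

# Constructed samples: mode 660, owner uid 0, group gid 474.
triage "660 0 474" 0 "0"               # root inside the container
triage "660 0 474" 1000 "1000"         # user outside group 474
triage "660 0 474" 1000 "1000 474"     # user who is a member of gid 474
```
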

To start with, make sure the package container-selinux-2.246.0-1.1.noarch is installed, and then relabel /var.

hello, thank you for your reply, this is where I’m at right now:

$ docker compose down
[+] down 1/1
 ✔ Container traefik Removed
$ docker compose up -d --force-recreate
[+] up 1/1
 ✔ Container traefik Started
$ docker compose logs --follow
traefik exited with code 139 (restarting)
traefik exited with code 139 (restarting)
traefik exited with code 139 (restarting)
traefik exited with code 139 (restarting)
^C
$ curl --unix-socket /var/run/docker.sock http://localhost/_ping
OK
$ docker compose down
[+] down 1/1
 ✔ Container traefik Removed

docker-compose.yml:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      MYADDR_PRIVATE_KEYS_MAPPING: ${MYADDR_PRIVATE_KEYS_MAPPING}
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro,Z
      - ./data/acme.json:/acme.json
      # - ./config.yml:/config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.example.myaddr.tools`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.example.myaddr.tools`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=myaddr"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.myaddr.tools"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.myaddr.tools"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

traefik.yml:

log:
  level: "DEBUG" #debug
api:
  insecure: true #debug
  debug: true #debug
  dashboard: true
  disableDashboardAd: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  # file:
  #   filename: /config.yml
certificatesResolvers:
  myaddr:
    acme:
      email: pentek.imre@gmail.com
      storage: /acme.json
      # caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: myaddr
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted 
        resolvers:
          - "116.203.95.251:53"

acme.json:

-rw-------. 1 root root 0 Mar  1 15:05 data/acme.json
$ docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
17eec7bbc9d7: Pull complete 
ea52d2000f90: Download complete 
Digest: sha256:ef54e839ef541993b4e87f25e752f7cf4238fa55f017957c2eb44077083d7a6a
Status: Downloaded newer image for hello-world:latest
$ docker run --rm hello-world
$ echo $?
139

so it’s not my config I guess…

So did you verify container-selinux-2.246.0-1.1.noarch was installed?
Did you relabel /var?

Also, how did you install docker? Because -
srw-rw---- 1 root 474 0 Feb 28 19:03 /var/run/docker.sock

the group should not be showing up as just a gid.

yes

yes

inside the container it’s just a gid. on the host system I see the group: srw-rw----. 1 root docker 0 Mar 2 18:12 /var/run/docker.sock
I installed it by issuing sudo transactional-update pkg install docker docker-compose then rebooting