Filebeat permission denied docker sock

Hi all!

I've encountered an issue with the filebeat 6.1.2 docker when using the add Docker metadata processor. When I turn this on in the filebeat configuration the following error appears:

2018/01/18 10:42:36.931693 beat.go:635: CRIT Exiting: error initializing publisher: error initializing processors: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.22/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied
Exiting: error initializing publisher: error initializing processors: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.22/containers/json?limit=0: dial unix /var/run/docker.sock: connect: permission denied

I know this processor is still in beta phase but it worked in the 6.0.0beta image and would like to use it in this new version. All other configuration works as expected when I disable this processor so the container works fine. Do I need to configure something else?

Thanks in advance.

Hi @twan,

Filebeat container runs as filebeat user, you may need to run it as root, with docker run -u root, or relax permission for the docker socket. Just take into account that ownership checks are in place for filebeat.yml, so you may want to pass --strict.perms=false parameter to filebeat

Hi Carlos!

That was the fix thanks! I was assuming that filebeat needed to run under the filebeat user in order for it to work. Now I run the container with user root and it works.

(offtopic question) If you have an permission problem for Elasticsearch, could this also be done for Elasticsearch? Or does that specifically needs to run with the Elasticsearch user?

I'm afraid I don't have the answer for that one, try in the Elasticsearch forum

Ah alright, no problem Thanks again!