How to fix docker: Got permission denied issue

Asked 23/2, 2018 at 22:38 Answered 16/1 at 6:22

1165

I installed Docker in my machine where I have Ubuntu OS.
When I run:

sudo docker run hello-world

All is ok, but I want to hide the sudo command to make the command shorter.
If I write the command without sudo

docker run hello-world

That displays the following:

docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/containers/create: dial unix /var/run/docker.sock: connect: permission denied. See 'docker run --help'.

The same happens when I try to run:

docker-compose up

How can I resolve this?

Seismology answered 23/2, 2018 at 22:38 Comment(9)

Possible duplicate of Running docker without sudo on Ubuntu 14.04 – Jenette 23/2, 2018 at 22:41

docs.docker.com/install/linux/linux-postinstall/… – Hellcat 26/9, 2018 at 7:46

adder user in docker group and assign permission – Valine 3/3, 2021 at 10:5

Does this answer your question? docker.sock permission denied – Jackhammer 30/6, 2021 at 9:29

Does this answer your question? Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock – Reverential 23/9, 2021 at 15:47

Read docker official doc : docs.docker.com/engine/install/linux-postinstall for this problem. – Munos 25/9, 2021 at 13:56

This was helpful for me - "For anyone stumbling across this issue on mac... github.com/docker/buildx/issues/415#issuecomment-781240796" – Kassi 1/1, 2022 at 12:10

Run all docker commands with sudo. – Juna 9/12, 2022 at 11:19

Firstly, you should check if docker is set up properly in linux distro/wsl. For this, run "docker ps" in the environment. My guess is that this should also give the same error. Now run "docker run --rm -it --gpus=all nvcr.io/nvidia/k8s/cuda-sample:nbody nbody -gpu -benchmark". That should resolve the issue. Try running "docker ps" once again to verify. – Earn 8/11, 2023 at 1:37

2172

If you want to run docker as non-root user then you need to add it to the docker group.

Create the docker group if it does not exist

$ sudo groupadd docker

Add your user to the docker group.

$ sudo usermod -aG docker $USER

$ newgrp docker

Check if docker can be run without root

$ docker run hello-world

Reboot if still got error

$ reboot

Warning

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface..

Taken from the docker official documentation: manage-docker-as-a-non-root-user

Mucilaginous answered 23/2, 2018 at 23:40 Comment(17)

@heez a reboot may not have been required, restarting docker was enough for me. sudo systemctl restart docker – Pleading 5/10, 2018 at 23:21

It worked for me without reboot, but I had to restart docker and switch user to my same user to refresh the login. 'sudo systemctl restart docker' then 'su - {your username}' – Agger 25/2, 2019 at 20:24

I have this problem in windows any idea how can I fix it. #55924916 – Nipa 1/5, 2019 at 5:46

After step 2, I had to perform systemctl start docker to make it work – Galvanic 17/5, 2019 at 11:39

@heez: su - $USER can be used to avoid the log out / log in as per this question. – Agathaagathe 7/6, 2019 at 12:58

If you are running Ubuntu 18 and installed docker via snap, you can restart docker via snap which should eliminate the need for a system restart. $sudo snap restart docker – Tennietenniel 20/8, 2019 at 10:57

If running in a VM Machine, you may need to restart the machine: docs.docker.com/v17.09/engine/installation/linux/… – Troutman 11/10, 2019 at 13:41

also docker.help command suggest do newgrp docker, after this I do not need docker service to be restarted and computer reboot, changes take efferct after it – Hereon 1/1, 2020 at 13:1

It seems that the latest version already has a group, so we just need to add user – Cardiac 29/1, 2020 at 17:0

there is an experimental rootless mode:docs.docker.com/engine/security/rootless – Pyrrhic 23/8, 2020 at 21:17

Hello @Mucilaginous when I try to run docker build . I got same error so I tried like this way sudo docker build . it worked is it a wrong way ? – Cribble 26/7, 2021 at 18:50

Why doesn't sudo apt-get install docker take care of this for us? – Agenda 8/2, 2022 at 15:53

In my case changing the owner of the docker.sock file from root to the user trying to run it worked for me. just ran this command: sudo chown $(whoami) /var/run/docker.sock – Nash 4/4, 2022 at 8:17

This issue happened as I installed docker as root user and docker-compose with user permission – Bagwig 21/2, 2023 at 7:27

This helped me sudo chmod 666 /var/run/docker.sock – Dildo 10/3, 2023 at 12:46

newgrp docker requests a Password which I haven't set/don't have. It doesn't accept no password either. – Attention 27/10, 2023 at 9:57

thanks, worked! unfortunately i ran the docker hello-world example and it overwrote my whole setup, don't know why. but i got it working in the end – Precocious 1/3 at 15:6

840

After an upgrade I got the permission denied. Doing the steps of 'mkb' post install steps don't have change anything because my user was already in the 'docker' group; I retry-it twice any way without success.

After an search hour this following solution finaly worked :

sudo chmod 666 /var/run/docker.sock

Solution came from Olshansk.

Look like the upgrade have recreate the socket without enough permission for the 'docker' group.

Problems

This hard chmod open security hole and after each reboot, this error start again and again and you have to re-execute the above command each time. I want a solution once and for all. For that you have two problems :

1 ) Problem with SystemD : The socket will be create only with owner 'root' and group 'root'.

You can check this first problem with this command :
```
ls -l /lib/systemd/system/docker.socket
```
If every this is good, you should see 'root/docker' not 'root/root'.
2 ) Problem with graphical Login : https://superuser.com/questions/1348196/why-my-linux-account-only-belongs-to-one-group

You can check this second problem with this command :
```
groups
```
If everything is correct you should see the docker group in the list. If not try the command
```
sudo su $USER -c groups
```
if you see then the docker group it is because of the bug.

Solutions

If you manage to to get a workaround for the graphical login, this should do the job :

sudo chgrp docker /lib/systemd/system/docker.socket
sudo chmod g+w /lib/systemd/system/docker.socket

But If you can't manage this bug, a not so bad solution could be this :

sudo chgrp $USER /lib/systemd/system/docker.socket
sudo chmod g+w /lib/systemd/system/docker.socket

This work because you are in a graphical environnement and probably the only user on your computer. In both case you need a reboot (or sudo chmod 666 /var/run/docker.sock)

Cryology answered 16/7, 2018 at 13:5 Comment(22)

if docker was installed as per doc on docs.docker.com/install then you never need to deal with any such commands – Superadd 2/11, 2018 at 18:48

@Scott Stensland I have install docker many time 'as per doc'. I think the problem come from a bad interaction with another unidentified package. – Cryology 3/11, 2018 at 8:55

In docker-in-docker, I was incorrectly mounting /var/run/docker.sock from the host without the :ro on the end... as soon as I added that I was good to go – Excrement 12/1, 2019 at 5:35

I was on centos with user centos, sudo chmod 666 /var/run/docker.sock perfectly worked. – Gstring 9/3, 2019 at 21:41

I use ubuntu 18 on EC2 - AWS and prefectly worked. All the others (sudo usermod -aG docker $ USER and other stuff) did not work – Utu 17/8, 2019 at 13:19

This is the fix for my raspberry pi 3b+ – Larkin 23/8, 2019 at 19:8

Thank you! It worked! I have recently installed the latest ubuntu and I-m having LOTS of problems using Py3.7, pip, docker-compose, etc. Why are things still so complicated? – Besought 15/10, 2019 at 8:57

Thanks, it fixed in Ubuntu 18.04 LTS. restating and adding to groud didn't – Prosaism 28/11, 2019 at 14:42

Works on Ubuntu 18.04 LTS – Stagehand 11/1, 2020 at 11:51

Thanks. I was struggling with this issue and no other method seemed to work. Used this command and worked just fine. – Tarp 4/11, 2020 at 0:36

On my setup, normal terminal application on Ubuntu was giving access denied error while terminator was working fine. I have no idea why the issue was happening but it's fixed now since essentially everyone has access to the docker socket. – Charismatic 15/3, 2021 at 13:58

I didnot have to restart my Ubuntu, however this command did the job for me. Now, I can do docker run hello-world without sudo – Marvelofperu 15/5, 2021 at 0:26

I was connected to vm from windows 10 and was getting the same error of authentication. It was solved by changing the permission sudo chmod 666 /var/run/docker.sock. Thanks @Cryology !! – Kelsi 24/1, 2022 at 12:5

@Kelsi This was the 'do not use solution', the true solution is at the end of the post. – Cryology 24/1, 2022 at 20:45

Hi, should the line sudo chgrp $USER /lib/systemd/system/docker.socket really be sudo chown $USER /lib/systemd/system/docker.socket? The User is not a group, right? And then sudo chmod g+w /lib/systemd/system/docker.socket is probably sudo chmod u+w /lib/systemd/system/docker.socket... – Nagle 29/4, 2022 at 7:59

@zaphod, maybe $USER is not the group, but on many distribution a group with the name of the user is create when installing the system. – Cryology 29/4, 2022 at 9:29

I found that using sudo chmod o+wr /var/run/docker.sock works much better as opposed to 666. Not sure why, but on my system it will stop working after a while. – Bethlehem 16/6, 2022 at 12:50

@Olshansk here. Appreciate the shoutout :) – Brace 21/8, 2022 at 17:12

@Galigator: group of /lib/systemd/system/docker.socket is expected to be root. – Belief 27/11, 2022 at 1:56

@Belief No, see freedesktop.org/software/systemd/man/systemd.socket.html , depending of your configuration in /lib/systemd/system/docker.service you can have group/user != root, If nothing is specified and an no-root user run the process then by default (no group/users specified) it will be not root. – Cryology 27/11, 2022 at 13:35

Hi @Galigator: See CIS Docker Benchmark 1.3.1 page 95 workbench.cisecurity.org/files/3353 : "You should verify that the docker.socket file ownership and group ownership are correctly set to root." "The docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users." – Belief 27/11, 2022 at 22:35

@Belief this resource is private and so should be draft. Also it look like a recommendation for server deployment not end user desktop. – Cryology 28/11, 2022 at 8:42

Add current user to docker group

sudo usermod -aG docker $USER

Change the permissions of docker socket to be able to connect to the docker daemon /var/run/docker.sock

sudo chmod 660 /var/run/docker.sock

Timeconsuming answered 6/3, 2019 at 13:18 Comment(4)

this solution worked for me for this problem docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied. – Marvelofperu 15/5, 2021 at 0:27

Absolutely not! Never give permission to the world! Permission on the docker socket should be 660, and as long as your user is in the docker group, you'll be fine. – Panathenaea 23/11, 2022 at 13:45

@Auspex, this was 4 years ago! please feel free to update the solution and I will be more than happy to update it :) – Timeconsuming 23/11, 2022 at 14:16

I'm not updating it. There are numerous correct answers here. I know it was four years ago, but you are recommending that people open up their entire systems to hackers, and that's worth a revival. You clearly don't have a clue just how dangerous making the docker socket world writable is. – Panathenaea 23/11, 2022 at 14:48

Add docker group

$ sudo groupadd docker

Add your current user to docker group

$ sudo usermod -aG docker $USER

Switch session to docker group

$ newgrp - docker

Run an example to test

$ docker run hello-world

Wrestle answered 20/3, 2019 at 7:31 Comment(1)

The newgrp command prompted for a password and didn't accept my user password. Instead su - $USER worked to avoid logging out/in. – Agathaagathe 7/6, 2019 at 13:0

If creating a docker group and adding your user to it doesn't work (the best solution, described in the previous answers), then this one is the second best alternative:

sudo chown $USER /var/run/docker.sock

What it does is changing the ownership of the docker.sock file to your user.

Note: It's a really bad practice to use chmod 666, because it gives permissions to practically everyone to access and modify the docker.sock file.

Wittenberg answered 25/7, 2022 at 11:41 Comment(0)

We always forget about ACLs . See setfacl.

sudo setfacl -m user:$USER:rw /var/run/docker.sock`**

Assuasive answered 9/2, 2021 at 23:24 Comment(3)

in case its complaining that facl not found, install with sudo apt install acl – Geraud 9/8, 2021 at 1:27

I'm getting "setfacl: Option -m: Invalid argument near character 6" this error. – Munos 25/9, 2021 at 13:38

.sock is a socket file, these are temporary files and you'd have to run the same command every time. Setting default in the parent folder would work, but this is /var/run, and we don't want non-privileged users to have rw access over every file in /var/run. – Nolin 10/2, 2022 at 19:50

Fix Docker Issue: (Permission denied)

Create the docker group if it does not exist: sudo groupadd docker
See number of super users in the available system: grep -Po '^sudo.+:\K.*$' /etc/group
Export the user in linux command shell: export USER=demoUser
Add user to the docker group: sudo usermod -aG docker $USER
Run the following command/ Login or logout: newgrp docker
Check if docker runs ok or not: docker run hello-world
Reboot if you still get an error: reboot

If it does not work, run this command:

sudo chmod 660 /var/run/docker.sock

Dysphoria answered 2/6, 2021 at 7:58 Comment(6)

Blindly 777 shouldn't be used – Barbican 23/6, 2021 at 20:14

@Akshay Hedge Why? I used the 777 option and it worked😅 – Aerobe 13/9, 2021 at 9:52

@PurushothamanSrikanth 777 means that anyone can do anything with those files – Barbican 13/9, 2021 at 10:7

Don't use 777! Use 660 or 640 – Sedition 24/12, 2021 at 19:19

660 doesn't work. For me it was set per default. – Eduard 12/5, 2022 at 11:51

if 660 didn't work, you might have needed sudo chgrp docker /var/run/docker.sock but please stop blindly perpetuating the insane concept of giving docker access to the world. It's not as @AkshayHegde said that anyone can do anything to "those files", it's that anyone can do anything to your entire system once they have control of the docker socket – Panathenaea 23/11, 2022 at 13:50

You can always try Manage Docker as a non-root user paragraph in the https://docs.docker.com/install/linux/linux-postinstall/ docs.

After doing this also if the problem persists then you can run the following command to solve it:

sudo chmod 666 /var/run/docker.sock

Emancipation answered 17/12, 2019 at 12:46 Comment(5)

Making the docker socket readable or writable to everyone (with chmod 666) is a security disaster... This should never be recommended. – Dom 17/4, 2020 at 4:6

@AaylaSecura Thanks for giving us heads up but could you also please briefly explain why readable or writable sockets are disaster? – Chlamydeous 4/7, 2020 at 17:43

Anyone who can talk to the docker socket is effectively root on the host system! See this for example: fosterelli.co/privilege-escalation-via-docker and many other resources on docker privilege escalation. Making the socket world writable effectively gives all UNIX users root privileges. – Dom 4/7, 2020 at 19:29

Do not assign 666 permissions. 660 or 640 should be more than enough. – Sedition 24/12, 2021 at 19:21

To fix that issue, I searched where is my docker and docker-compose installed. In my case, docker was installed in /usr/bin/docker and docker-compose was installed in /usr/local/bin/docker-compose path. Then, I write this in my terminal:

To docker:

sudo chmod +x /usr/bin/docker

To docker-compose:

sudo chmod +x /usr/local/bin/docker-compose

Now I don't need write in my commands docker the word sudo

/***********************************************************************/

ERRATA:

The best solution of this issue was commented by @mkasberg. I quote comment:

That might work, you might run into issues down the road. Also, it's a security vulnerability. You'd be better off just adding yourself to the docker group, as the docs say. sudo groupadd docker, sudo usermod -aG docker $USER. Docs: https://docs.docker.com/install/linux/linux-postinstall/

Seismology answered 23/2, 2018 at 22:38 Comment(4)

That might work, you might run into issues down the road. Also, it's a security vulnerability. You'd be better off just adding yourself to the docker group, as the docs say. sudo groupadd docker, sudo usermod -aG docker $USER. – Jenette 23/2, 2018 at 22:43

Hey @mkasberg! Thanks for your comment! I maked a errata to cited your solution. Thanks a lot! – Seismology 23/2, 2018 at 23:38

this does not work – Toilette 2/6, 2023 at 17:15

I had to also run newgrp docker after the usermod command, otherwise it doesn't work. – Desantis 25/6, 2023 at 6:46

ubuntu 21.04 systemd socket ownership

Let me preface, this was a perfectly suitable solution for me during local development and I got here searching for ubuntu docker permission error so i'll just leave this here.

I didn't own the unix socket, so I chowned it.

sudo chown $(whoami):$(whoami) /var/run/docker.sock

Another, more permanent solution for your dev environment, is to modify the user ownership of the unix socket creation. This will give your user the ownership, so it'll stick between restarts:

sudo nano /etc/systemd/system/sockets.target.wants/docker.socket

docker.socket:

[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=YOUR_USERNAME_HERE
SocketGroup=docker

[Install]
WantedBy=sockets.target

Schleswigholstein answered 25/1, 2022 at 14:20 Comment(3)

A really different solution than all others. – Cryology 22/4, 2022 at 20:0

Doesn't work, not even after sudo systemctl restart docker. – Eduard 12/5, 2022 at 11:52

I really don't think setting your user as the socket owner is the right answer, but upvoted because this seems to be the only answer that actually looks in the right place. – Panathenaea 23/11, 2022 at 13:59

Seriously guys. Do not add Docker in your groups or modify the socket posix (without a hardening SELinux), it's a simple way to make a root privesc. Just add an alias in your .bashrc. It's simpler and safer as: alias dc='sudo docker'.

Amphora answered 4/11, 2019 at 14:15 Comment(1)

Maybe you could speak about : podman.io . But running in root seem to be usecase for developers. – Cryology 5/1, 2021 at 11:41

This work for me:

Get inside the container and modify the file's ACL

sudo usermod -aG docker $USER
sudo setfacl --modify user:$USER:rw /var/run/docker.sock

It's a better solution than use chmod.

Emmalineemmalyn answered 25/1, 2021 at 14:15 Comment(1)

.sock files are socket files and temporary by nature. You'd have to set this every time docker starts. – Nolin 10/2, 2022 at 19:51

lightdm and kwallet ship with a bug that seems to not pass the supplementary groups at login. To solve this, I also, beside sudo usermod -aG docker $USER, had to comment out

auth optional pam_kwallet.so
auth optional pam_kwallet5.so

#auth optional pam_kwallet.so
#auth optional pam_kwallet5.so

in /etc/pam.d/lightdm before rebooting, for the docker-group to actually have effect.

bug: https://bugs.launchpad.net/lightdm/+bug/1781418 and here: https://bugzilla.redhat.com/show_bug.cgi?id=1581495

Trengganu answered 12/12, 2018 at 15:33 Comment(0)

you can follow these steps and this will work for you:

create a docker group sudo groupadd docker
add your user to this group sudo usermod -aG docker $USER
list the groups to make sure that docker group created successfully by running this command groups
run the following command also to change the session for docker group newgrp docker
change the group ownership for file docker.socksudo chown root:docker /var/run/docker.sock
change the ownership for .docker directory sudo chown "$USER":"$USER" /home/"$USER"/.docker -R
finally sudo chmod g+rwx "$HOME/.docker" -R

After that test you can run docker ps -a

Dichromaticism answered 9/4, 2020 at 5:41 Comment(1)

I wanted an answer that doesn't require rebooting. This was the only answer that provided that. The "trick" is to chown the docker.sock file. – Masked 13/6, 2020 at 14:38

Rebooting the machine worked for me.

$ reboot

Headed answered 1/11, 2020 at 16:13 Comment(1)

this is worst solution since it will not work and restart the system :( – Pamper 27/12, 2022 at 9:32

I ran into a similar problem as well, but where the container I wanted to create needed to mount /var/run/docker.sock as a volume (Portainer Agent), while running it all under a different namespace. Normally a container does not care about which namespace it is started in -- that is sort of the point -- but since access was made from a different namespace, this had to be circumvented.

Adding --userns=host to the run command for the container enabled it to use the attain the correct permissions.

Quite a specific use case, but after more research hours than I want to admit I just thought I should share it with the world if someone else ends up in this situation :)

Laundryman answered 12/11, 2020 at 15:0 Comment(0)

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

To create the docker group and add your user:

Create the docker group
```
sudo groupadd docker
```
Add your user to the docker group
```
sudo usermod -aG docker $USER
```
Log out and log back in so that your group membership is re-evaluated.

If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

On Linux, you can also run the following command to activate the changes to groups:
```
newgrp docker 
```
Verify that you can run docker commands without sudo. The below command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits
```
docker run hello-world
```

If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.

WARNING: Error loading config file: /home/user/.docker/config.json -
stat /home/user/.docker/config.json: permission denied

To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

sudo chown "$USER":"$USER" /home/"$USER"/.docker -R

sudo chmod g+rwx "$HOME/.docker" -R

All other post installation steps for docker on linux can be found here https://docs.docker.com/engine/install/linux-postinstall/

Wilhelminawilhelmine answered 6/3, 2021 at 9:29 Comment(0)

i try this commend with sudo commend and it was ok.sudo docker pull hello-world or sudo docker run hello-world

Promising answered 19/3, 2021 at 13:44 Comment(1)

That will always work. The OP was having trouble doing it without sudo -- which should work as long as you're in the docker group – Panathenaea 23/11, 2022 at 14:41

You just need the check permissions for this file /var/run/docker.sock it should be 666 chmod 666 /var/run/docker.sock

Trunk answered 16/1 at 6:22 Comment(1)

Just add sudo to the above command – Runkel 18/2 at 20:59

It is definitely not the case the question was about, but as it is the first search result while googling the error message, I'll leave it here.

First of all, check if docker service is running using the following command:

systemctl status docker.service

If it is not running, try starting it:

sudo systemctl start docker.service

... and check the status again:

systemctl status docker.service

If it has not started, investigate the reason. Probably, you have modified a config file and made an error (like I did while modifying /etc/docker/daemon.json)

Solecism answered 10/12, 2020 at 9:32 Comment(0)

In the Linux environment, after installing docker and docker-compose reboot is required for work docker better to avoid this issue

$ sudo systemctl restart docker

Blocked answered 21/2, 2022 at 9:2 Comment(1)

Just installed docker on Ubuntu. Restarting didn't solve the "permission denied". – Judah 11/5, 2022 at 3:44

I tried all the described methods and nothing helped to solve the problem. The solution was to use the --use-drivers parameter when running selenoid and selenoid-ui. Below is the full listing of my Dockerfile.

FROM selenoid/chrome
USER root
RUN apt-get update
RUN apt-get -y install docker.io
RUN curl -s https://aerokube.com/cm/bash | bash
RUN ./cm selenoid start --vnc --use-drivers
RUN ./cm selenoid-ui start --use-drivers
EXPOSE 4444 8080
CMD ["-conf", "/etc/selenoid/browsers.json", "-video-output-dir", "/opt/selenoid/video/"]

Necrophilia answered 26/4, 2022 at 14:33 Comment(0)

In my case it was the process itself (CI server agent) that was trying to run a docker command wasn't able to run it, but when I tried to run same command from within the same user it worked.

Restarting the daemon that runs CI server agent solved the problem.

The reason why command wasn't working from within agent before is because the agent was running before I installed docker and granted docker group permissions, and agent process used cached old permissions and was failing. Restarting the process dropped the cache and make things work out.

Noncooperation answered 13/5, 2022 at 17:13 Comment(0)

Docker already created a guide to Run the Docker daemon as a non-root user (Rootless mode).

Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.

Lemnos answered 13/9, 2023 at 18:37 Comment(0)

-1

After Docker Installation on Centos. While running below command I got below error.

[centos@aiops-dev-cassandra3 ~]$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.soc k/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

Change Group and Permission for docker.socket

[centos@aiops-dev-cassandra3 ~]$ ls -l /lib/systemd/system/docker.socket
-rw-r--r--. 1 root root 197 Nov 13 07:25 /lib/systemd/system/docker.socket
[centos@aiops-dev-cassandra3 ~]$ sudo chgrp docker /lib/systemd/system/docker.socket
[centos@aiops-dev-cassandra3 ~]$ sudo chmod 666 /var/run/docker.sock
[centos@aiops-dev-cassandra3 ~]$ ls -lrth /var/run/docker.sock
srw-rw-rw-. 1 root docker 0 Nov 20 11:59 /var/run/docker.sock
[centos@aiops-dev-cassandra3 ~]$

Verify by using below docker command

[centos@aiops-dev-cassandra3 ~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:c3b4ada4687bbaa170745b3e4dd8ac3f194ca95b2d0518b417fb47e5879d9b5f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

[centos@aiops-dev-cassandra3 ~]$

Erinaceous answered 20/11, 2019 at 12:13 Comment(1)

Absolutely not! Never give permission to the world! Permission on the docker socket should be 660, and as long as your user is in the docker group, you'll be fine. – Panathenaea 23/11, 2022 at 14:43

-1

After you installed docker, created 'docker' group and added user to it, edit docker service unit file:

sudo nano /usr/lib/systemd/system/docker.service

Add two lines into the section [Service]:

SupplementaryGroups=docker    
ExecStartPost=/bin/chmod 666 /var/run/docker.sock

Save the file (Ctrl-X, y, Enter)

Run and enable the Docker service:

sudo systemctl daemon-reload
sudo systemctl start docker
sudo systemctl enable docker

Recreation answered 14/6, 2020 at 17:21 Comment(2)

Almost right. Never give permission to the world! Permission on the docker socket should be 660, and as long as your user is in the docker group, you'll be fine. – Panathenaea 23/11, 2022 at 14:44

what's the purpose of SupplementaryGroups=docker ? – Outgoings 8/3, 2023 at 11:1

-1

The most straightforward solution is to type

sudo chmod 640 /var/run/docker.sock every time you boot your machine. However, this method defeats any system security that may be in place and opens up the Docker socket to everybody. If this is acceptable to you -e.g.: the only user of your machine- then use it.

Nevertheless, it will be required every time you boot your machine, you can make it run with booting by adding

start on startup
task
exec chmod 640 /var/run/docker.sock

to the /etc/init/docker-chmod.conf file.

Philanthropy answered 21/9, 2021 at 12:57 Comment(2)

666 Is excessive permissions. 660 or 640 should be more than enough – Sedition 24/12, 2021 at 19:19

I updated it to 640. Thanks for raising the concern. – Philanthropy 20/2 at 9:20

-7

A simple hack is to execute as a "Super User".

To access the super user or root user, follow:

At user@computer:

$sudo su

After you enter your password, you'll be at root@computer:

$docker run hello-world

Nightgown answered 25/11, 2020 at 16:38 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++