159

When I try to run simple docker commands like:

$ docker ps -a

I get an error message:

Got permission denied ... /var/run/docker.sock: connect: permission denied

When I check permissions with

$ ls -al /var/run/

I see this line:

srw-rw---- root docker docker.sock

So, I followed the advice from many forums and added my local user to the docker group:

$ sudo usermod -aG docker $USER

But it does not help. I still get the very same error message. How can I fix it?

Jacobian
  • 6
    Did you re-login after making that change? The change is not available in the same session. Also does `sudo docker ps` work for you? – Tarun Lalwani Feb 01 '18 at 17:15
  • I open a new terminal and still get these error messages. – Jacobian Feb 01 '18 at 17:17
  • `sudo docker ps` works. But I need to work with docker under my local user. – Jacobian Feb 01 '18 at 17:18
  • 1
    You have to restart the docker daemon, otherwise it won't let members of the docker group control the docker daemon – Murmel Feb 01 '18 at 17:20
  • But please keep in mind, that you are basically giving your $USER root privileges, see: [Manage Docker as a non-root user](https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user), – Murmel Feb 01 '18 at 17:22
  • I've just tried `sudo service docker stop` and `sudo service docker start`, but it did not help. – Jacobian Feb 01 '18 at 17:24
  • I've seen that reference and did exactly what they advise - `sudo usermod -aG docker $USER`. – Jacobian Feb 01 '18 at 17:25
  • But it did not help. – Jacobian Feb 01 '18 at 17:36
  • 3
    After changing users/groups you have to relogin, not just open new terminal. – Sergius Feb 01 '18 at 17:43
  • To add to the fun, I see that cached ssh sessions (from Mac to Ubuntu in my case) don't pick up the new group memberships created during the lifetime of the parent session. So, "logging in again" doesn't pick up the new groups. `newgrp docker` of course does put one into the group, as does starting a new (parent) ssh session, for example by ssh'ing into the host's IP address rather than its symbolic name. Docker's default error message (in some builds) about `http+docker://localunixsocket` does not help. – Andrew Beals Aug 04 '20 at 22:35

12 Answers

281

For those new to the shell, the command:

$ sudo usermod -aG docker $USER

needs to have $USER defined in your shell. This is often there by default, but you may need to set the value to your login id in some shells.


Changing the groups of a user does not change existing logins, terminals, and shells that a user has open. To avoid performing a login again, you can simply run:

$ newgrp docker

to get access to that group in your current shell.


Once you have done this, the user effectively has root access on the server, so only do this for users that are trusted with unrestricted sudo access.

BMitch
  • 1
    This did not work for me, but I was using namespaces. I had to use `--userns=host`. – Mr00Anderson Feb 12 '19 at 19:56
  • I tried every other trick in this thread, followed the docs, reinstalled Docker to a newer version, rebooted plenty of times, everything I thought about. I am indeed in the docker group, but the default shell won't acknowledge it (maybe a problem with a script in my .profile?). Other than sudoing to the root user, only that `newgrp` command worked. – Bruno Laturner Feb 26 '19 at 20:07
  • 4
    @BrunoLaturner If you are on Ubuntu, I've heard of LightDM causing an issue where it drops secondary groups from the login user. – BMitch Feb 26 '19 at 21:02
  • 3
    @BMitch are you in NSA spying me? That is my exact config and bug. Thanks! Solved following https://askubuntu.com/q/1057258/259660 – Bruno Laturner Feb 27 '19 at 15:14
  • Related Red Hat bug for RHEL7 and Fedora 30: https://bugzilla.redhat.com/show_bug.cgi?id=1214104 – Jeremy Sep 08 '19 at 14:15
  • 4
    running `newgrp docker ` command is necessary to activate the changes to groups – Jay Modi Dec 06 '19 at 17:38
  • It seems almost all answers are variations of @BMitch's standard one :) but FWIW−because of Docker's daemon attack surface−, one may want to try the alias-based solution I propose [in my answer](https://stackoverflow.com/a/65956808/9164010): it addresses the same goal (being able to just write `docker run …` in one's terminal) but, to some extent, it would be a safer solution for a personal workstation. – ErikMD Jan 03 '22 at 20:55
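The situation this answer and its comments describe (the account database already lists the user in the group, but the running shell has not picked it up) can be told apart from the other cases with a small check. This is an added example, not part of the original thread; the function names `has_group`, `membership_state` and `advice` and the script name are hypothetical, and the `--live` mode relies on `id -nG` printing the shell's own groups while `id -nG USER` reads the account database.

```shell
#!/bin/sh
# Added example (not from the thread): why "permission denied" can persist
# after `usermod -aG docker $USER`.

# has_group GROUP "LIST": true if GROUP is a whole word in the space-separated LIST.
has_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# membership_state GROUP "SESSION_GROUPS" "DATABASE_GROUPS"
#   SESSION_GROUPS:  groups of the running shell, as printed by `id -nG`
#   DATABASE_GROUPS: groups the account database lists, `id -nG "$(id -un)"`
membership_state() {
    s=no; d=no
    has_group "$1" "$2" && s=yes
    has_group "$1" "$3" && d=yes
    case "$s/$d" in
        yes/yes) echo active ;;
        no/yes)  echo stale-session ;;
        yes/no)  echo session-only ;;
        *)       echo not-a-member ;;
    esac
}

# advice STATE: one-line next step, using only remedies named in the thread.
advice() {
    case "$1" in
        active)        echo "group is active; check the socket's owner and group instead" ;;
        stale-session) echo "membership not picked up yet: log out and in again, or run newgrp" ;;
        session-only)  echo "group is held by this shell only, not recorded for the account" ;;
        *)             echo "user is not in the group; check the group's name in /etc/group" ;;
    esac
}

# Live check, run as: sh check-docker-group.sh --live [GROUP]
if [ "${1:-}" = "--live" ]; then
    g=${2:-docker}
    state=$(membership_state "$g" "$(id -nG)" "$(id -nG "$(id -un)")")
    echo "$g: $state: $(advice "$state")"
fi
```

A `stale-session` result that survives a full logout and login matches the display-manager issue mentioned in the comments above.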
80

Reason: The error message means that the current user can’t access the docker engine, because the user hasn't enough permissions to access the UNIX socket to communicate with the engine.

Quick Fix:

  1. Run the command as root using sudo.

    sudo docker ps
    
  2. Change the permissions of /var/run/docker.sock for the current user.

    sudo chown $USER /var/run/docker.sock
    

Caution: Running sudo chmod 777 /var/run/docker.sock will solve your problem but it will open the docker socket for everyone which is a security vulnerability as pointed out by @AaylaSecura. Hence it shouldn't be used, except for testing purposes on the local system.

Permanent Solution:

Add the current user to the docker group.

sudo usermod -a -G docker $USER

Note: You have to log out and log in again for the changes to take effect.

Refer to this blog to know more about managing Docker as a non-root user.

Nitish
  • 7
    You're probably missing out on votes because people log out then forget to come back and upvote lols. – John Mee Feb 07 '20 at 07:51
  • 2
    I bet they're missing the upvotes cause the "Quick Fix" is a security disaster... The docker socket should never be accessible to world... – Aayla Secura Apr 17 '20 at 04:03
  • 1
    @AaylaSecura Yes, you're right. I had added it as a quick fix but again it's a bad practice. I have changed it in the answer now. Feel free to comment if you think It can be improved. – Nitish Apr 18 '20 at 05:37
  • 1
    this was the solution that worked for me... thanks!!!, the ownership of the docker.sock file was of root so no logout would ever fix it. – Carlos Aug 09 '20 at 14:15
  • 1
    I needed to restart the PC, for some reason logout and login did not work and I spent a lot of time troubleshooting this problem. – Zura Sekhniashvili Aug 18 '22 at 06:53
43
  1. Make sure your $USER variable is set

    $ echo $USER
    
    $ sudo usermod -aG docker $USER
    
  2. logout

  3. Upon login, restart the docker service

    $ sudo systemctl restart docker
    
    $ docker ps
    
Pang
1nternetz
  • 7
    Restarting the Docker daemon was a big one. Always forget to do that after adding user to Docker group :\ – Parth Patel Jul 29 '19 at 23:45
  • 1
    There should be no need to restart the daemon, it's root, and already configured the socket to run as docker. The only thing I can think it fixes is if you modified the socket permissions. – BMitch Jan 29 '21 at 18:13
  • 1
    A Docker service restart solved the issue after adding the group to the OS environment. Thank you! – Artfaith Sep 08 '22 at 05:55
  • I had to restart the daemon after creating the docker group. Upvoting this answer. – Ruzihm Dec 09 '22 at 21:01
  • I actually had to reboot the computer, wtf. Logout and login did not help. `newgrp` worked, but re-login or `sudo systemctl restart docker` did NOT work in my case. weird, but in case somebody else wonders... – ElectRocnic Mar 22 '23 at 19:22
11

enter the command and explore docker without sudo command

sudo chmod 666 /var/run/docker.sock
Sergei Basharov
ashique
4

As mentioned earlier in the comment, the changes won't apply until you re-login. If you were using SSH and opening a new terminal, it would have worked in the new terminal.

But since you were using a GUI and opening the new terminal, the changes were not applied. That is the reason the error didn't go away.

So the command below did do its job; it's just that a re-login was missed:

sudo usermod -aG docker $USER
Tarun Lalwani
3

You need to manage docker as a non-root user. To create the docker group and add your user:

  1. Create the docker group.

    $ sudo groupadd docker

  2. Add your user to the docker group.

    $ sudo usermod -aG docker $USER

  3. Log out and log back in so that your group membership is re-evaluated.

If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

On Linux, you can also run the following command to activate the changes to groups:

$ newgrp docker

  4. Verify that you can run docker commands without sudo.

    $ docker run hello-world

Curious
1

Important note on these answers: the docker group is not always "docker"; sometimes it is "dockerroot", for example in the case of a CentOS 7 installation by

sudo yum install -y docker

The first thing you should do, after installing Docker, is

sudo tail /etc/group

it should say something like

......
sshd:x:74:
postdrop:x:90:
postfix:x:89:
yourusername:x:1000:yourusername
cgred:x:996:
dockerroot:x:995:

In this case, it is "dockerroot" not "docker". So,

sudo usermod -aG dockerroot yourusername
logout
Adam Winter
0

As my user is an AD user, I have to add the AD user to the local group by manually editing the /etc/group file. Unfortunately the adduser commands do not seem to be nsswitch aware and do not recognize a user not locally defined when adding someone to a group.

Then reboot or refresh /etc/group. Now, you can use docker without sudo.

Regards.

GSAN
0

When I try to run simple docker commands like: $ docker ps -a

I get an error message: Got permission denied ... /var/run/docker.sock: connect: permission denied.

[…] How can I fix it?

TL;DR: There are two ways (the first one, also mentioned in the question itself, was extensively addressed by other answers, but comes with security concerns; so I'll elaborate on this issue, and develop the second solution that can also be applicable for this fairly sensible use case).


Just to recall the context, the Docker daemon socket is owned by root:docker:

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock

so with this default setup, one needs to prepend all docker CLI commands by sudo.

To avoid this, one can either:

  1. add one's user account ($USER) to the docker group − but it is quite risky to do this on one's personal workstation, as this would amount to providing all programs run by the user with root permissions, without any sudo password prompt or auditing.

    See also:

  2. one can otherwise prepend sudo automatically without typing sudo docker manually: to this aim, a solution consists in adding the following alias in the ~/.bashrc (see e.g. this thread for details):

    __docker() {
        if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
            docker "$@"
        else
            sudo docker "$@"
        fi
    }
    alias docker=__docker
    

    Then one can test this by opening a new terminal and typing:

    docker run --pul〈TAB〉 # → docker run --pull
                           # autocompletion works
    docker run --pull always --rm -it debian:11  # ask one's password
    \docker run --help  # bypass the alias (thanks to the \) and ask no password
    
ErikMD
  • @SridharSarnobat I rolled back your edit since running `sudo chmod a+rx /var/run/docker.sock` is definitely not a summary of my answer, nor a proper solution… – ErikMD Jan 03 '22 at 16:18
  • I don't know why I got a downvote: I sincerely believe that adding a mere `.bashrc` alias as I propose in my answer is a better trade-off than [the currently accepted solution](https://stackoverflow.com/a/48569858/9164010), because (1) it's safer from a security perspective (no user process can sneakily become root because of Docker's daemon attack surface), and (2) it achieves the same goal: we can just write `docker run -it ubuntu` or so in one's terminal… – ErikMD Jan 03 '22 at 20:44
0

With the help of the below command I was able to execute the docker command without sudo

sudo setfacl -m user:$USER:rw /var/run/docker.sock

Senthuran
-2

bash into container as root user:

docker exec -it --user root <dc5> bash

create docker group if it's not already created:

groupadd -g 999 docker

add user to docker group:

usermod -aG docker jenkins

change permissions:

chmod 777 /var/run/docker.sock

Tom Carrick
  • 2
    I strongly recommend against changing the permissions on `docker.sock`. This gives every user and process on the host full root access without a password and minimal logging of their actions. – BMitch Jan 03 '22 at 21:10
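Several answers above change who can open /var/run/docker.sock (`chown $USER`, `chmod 666`/`777`, `setfacl`), and the comments flag the world-accessible variants. The following added example, which is not part of the original thread, audits the result: it classifies the socket's mode and owner and lists named ACL entries. The function names `socket_exposure` and `named_acl_entries` are hypothetical, `alice` is a constructed user name, and the `--live` mode assumes GNU `stat` and `getfacl` are installed.

```shell
#!/bin/sh
# Added example (not from the thread): audit who can connect to the socket.

# socket_exposure MODE OWNER GROUP
#   MODE is the octal mode as printed by `stat -c %a` (e.g. 660).
#   On Linux, connecting to a Unix socket requires write permission on it,
#   so the write bit of each class decides who can reach the daemon.
socket_exposure() {
    if [ $(( 0$1 & 0002 )) -ne 0 ]; then
        echo world-writable          # what chmod 666 / 777 leaves behind
    elif [ "$2" != root ]; then
        echo "owned-by:$2"           # what chown $USER leaves behind
    elif [ $(( 0$1 & 0020 )) -ne 0 ]; then
        echo "group:$3"              # default setup: root:docker, mode 660
    else
        echo root-only
    fi
}

# named_acl_entries: read `getfacl` output on stdin and print the entries that
# name a specific user or group (what `setfacl -m user:NAME:rw` adds). These
# grant access that neither the mode bits nor /etc/group show.
named_acl_entries() {
    awk -F: '/^(user|group):[^:]+:/ {
        sub(/[ \t].*$/, "", $3)      # drop a trailing "#effective:" comment
        print $1 ":" $2 ":" $3
    }'
}

# Live check, run as: sh audit-docker-sock.sh --live [SOCKET_PATH]
if [ "${1:-}" = "--live" ]; then
    sock=${2:-/var/run/docker.sock}
    # Word splitting of the stat output into MODE OWNER GROUP is intended.
    socket_exposure $(stat -c '%a %U %G' "$sock")
    getfacl "$sock" 2>/dev/null | named_acl_entries
fi
```

Anything other than `group:docker` (or the distribution's equivalent group) with no named ACL entries means the socket has been widened beyond the default setup shown in the question.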
-2

You have to use the pns executor instead of docker. Run the following patch, which modifies the configmap, and you are all set.

kubectl -n argo patch cm workflow-controller-configmap -p '{"data": {"containerRuntimeExecutor": "pns"}}' ;

ref: https://www.youtube.com/watch?v=XySJb-WmL3Q&list=PLGHfqDpnXFXLHfeapfvtt9URtUF1geuBo&index=2&t=3996s

solxget