179

I'm suddenly having issues after an update of Ubuntu 18.04: previously I've used docker without issue on the system, but suddenly I cannot. As far as I can tell, the permissions look correct:

$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
$ ls -last /var/run/docker.sock 
0 srw-rw---- 1 root docker 0 Jul 14 09:10 /var/run/docker.sock
$ whoami
brandon
$ cat /etc/group | grep docker
docker:x:995:brandon
nvidia-docker:x:994:

EDIT:

Group information:

$ groups
brandon
$ groups brandon
brandon : brandon adm cdrom sudo dip plugdev games lpadmin sambashare docker
$ whoami
brandon

Update

Since the original post where I upgraded a system from 17.04 to 18.04, I've done two upgrades from 16.04 to 18.04, and neither of the later systems had the issue. So it might be something to do with the 17.04 to 18.04 upgrade process. I've yet to perform a fresh 18.04 installation.

bbarker
  • 2
    Does it work if you run `sudo docker run hello-world`? – mviereck Jul 14 '18 at 20:17
  • 4
    What happens if you run `newgrp docker` and try again from the same terminal? – BMitch Jul 14 '18 at 23:04
  • @mviereck @BMitch - `sudo` worked, I had tried earlier but with a script wrapping a docker command, so that failed (oops). `newgrp docker` gives me a shell where running the command without `sudo` works. So is something wonky going on with my login shell? – bbarker Jul 15 '18 at 01:08
  • Following up on the `newgrp` lead, the `groups` output seems a bit suspect. – bbarker Jul 15 '18 at 13:46
  • Have you tried completely logging off of your Ubuntu session and logging back on again? – sachav Jul 15 '18 at 14:03
  • Yes, in fact I rebooted the system. – bbarker Jul 15 '18 at 14:04
  • 1
    Can you try using your secondary TTYs (Ctrl-Alt-F3)? – sachav Jul 15 '18 at 14:07
  • In fact, I just confirmed that logging in remotely to the system works: correct `groups` output is shown for the current user. Previously I'd been doing this through XFCE's terminal – bbarker Jul 15 '18 at 14:13
  • 1
    Possible duplicate of [Docker can't connect to docker daemon](https://stackoverflow.com/questions/21871479/docker-cant-connect-to-docker-daemon) – David Maze Jul 15 '18 at 16:55
  • 1
    @DavidMaze - I don't believe so - the `newgrp` suggestion above worked, as did logging into the system via `ssh` – bbarker Jul 15 '18 at 17:40
  • This fixed mine. `sudo chmod 666 /var/run/docker.sock` – nithin_cs Feb 15 '20 at 01:52
  • @bbarker - with Linux Mint 20.1 (based on Ubuntu 20.04), a reboot was required after "apt install docker.io" and adding myself to the "docker" group. New shell after adding myself to the group would not show me in the docker group via command "id". "newgrp docker" worked as a workaround until the reboot. – skitheo May 04 '21 at 23:42

15 Answers

329
sudo setfacl --modify user:<user name or ID>:rw /var/run/docker.sock

It doesn't require a restart and is more secure than usermod or chown.

As @mirekphd pointed out, the user ID is required when the user name only exists inside the container, but not on the host.

Nahshon paz
  • Thanks. As it happens, I still have this buggy system, though I'm not sure for how many more months! As it happens, this works. Will check to see if it persists on reboot. – bbarker Feb 03 '19 at 18:17
  • 6
    (It doesn't seem to persist through reboots) – bbarker Feb 03 '19 at 18:32
  • 1
    @bbarker https://unix.stackexchange.com/questions/372244/how-can-i-make-acl-settings-on-run-media-persistent Though on many systems this is persistent – Nahshon paz Feb 04 '19 at 19:43
  • @Tvde1 https://raspberrypi.stackexchange.com/questions/92717/is-there-a-raspbian-package-that-installs-setfacl – Nahshon paz Jun 03 '19 at 11:19
  • 1
    setfacl -m jenkins:docker:rw /var/run/docker.sock setfacl: Option -m: Invalid argument near character 9 – Shahar Hamuzim Rajuan Jun 25 '19 at 11:57
  • 1
    @ShacharHamuzimRajuan you need to run setfacl --modify for a user, e.g: setfacl -m u:docker:rw or u:jenkins:rw . Or per group (g instead of u). see: https://linux.die.net/man/1/setfacl – Nahshon paz Jun 26 '19 at 18:49
  • 2
    Why would I want to use this over adding the user to the docker group? This seems like a short sighted trial and error fix. If there are other permissions necessary the docker group is probably what it is for. Permissions will be adequate for the docker group, and so users that are to use docker should be part of the docker group. Fixing it for only this user and one socket file may lead to further issues now or later on other files. – Kissaki Aug 06 '19 at 08:59
  • 1
    @Kissaki you're right, for robust prod/staging envs you'd want to carefully manage a group rather than a user and a file. This is obviously a dev/test issue where people just want to get on with things, with some user that needs temporary, immediate access. Access control lists are meant to be more precise and secure than groups; in this case this just skips the reboot that usermod requires. It's also more secure than chown, I've seen some clusters crashing with that sudo chmod 777 /var/run/docker.sock trick that somebody posted below – Nahshon paz Aug 13 '19 at 13:10
  • The `Invalid argument near character` error is caused by missing user name (e.g. you used `jenkins` on the host, but such user exists only inside a docker container). To avoid the problem, just use UID instead of user name. – mirekphd Jan 12 '20 at 17:37
  • So basically `sudo setfacl --modify user:$(whoami):rw /var/run/docker.sock` ... why not name it? – 0xC0000022L Oct 04 '20 at 20:06
  • @0xC0000022L as mirekphd mentioned sometimes it's gotta be the user ID – Nahshon paz Oct 18 '20 at 10:07
  • @DanielRch. https://unix.stackexchange.com/questions/372244/how-can-i-make-acl-settings-on-run-media-persistent Though on many systems this is persistent – Nahshon paz Jul 28 '21 at 20:46
  • The chosen correct answer here is more complete for prod ready images: https://stackoverflow.com/questions/53126950/permission-denied-to-docker-daemon-socket-at-unix-var-run-docker-sock?rq=1 – Nahshon paz Dec 05 '22 at 07:52
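
An added example (not code from any answer here) for checking what a fix actually left on the socket: it reads the mode and ACL back and reports world-write access plus any named ACL entries that hold write permission. The function names are made up for this sketch, and `stat -c` assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example: read back who can write to the Docker socket.
# Function names are hypothetical; stat -c assumes GNU coreutils (Ubuntu).

# other_can_write MODE: succeeds when the last octal digit ("other")
# includes the write bit (value 2), e.g. 666 or 777 but not 660.
other_can_write() {
    case "${1#"${1%?}"}" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# acl_grantees: filter `getfacl` output on stdin down to named user/group
# entries (non-empty qualifier) whose granted permissions include write.
acl_grantees() {
    awk -F: '/^(user|group):[^:]+:/ && substr($3, 1, 3) ~ /w/ { print $1 ":" $2 }'
}

# audit_socket PATH: print mode, owner and every write grant beyond owner/group.
audit_socket() {
    sock=$1
    mode=$(stat -c '%a' "$sock") || return 2
    echo "mode=$mode owner=$(stat -c '%U:%G' "$sock")"
    if other_can_write "$mode"; then
        echo "world-writable: any local account can reach the daemon"
    fi
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$sock" 2>/dev/null | acl_grantees | sed 's/^/acl write grant: /'
    fi
}

# Usage: sh audit.sh /var/run/docker.sock
if [ "$#" -gt 0 ]; then
    audit_socket "$1"
fi
```

Running it before and after a change shows whether access went to one named account, to a group, or to every local user.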
114

Add the user to the docker group.

sudo usermod -aG docker $USER
sudo reboot
Karen Danielyan
82

Just try to give the right permission to docker.sock file by:

sudo chmod 666 /var/run/docker.sock
Pejman Kheyri
29

The way to fix it is to run:

sudo addgroup --system docker
sudo adduser $USER docker
newgrp docker

That works for me :)

Jules
Fahd Rahali
20

Ubuntu 18.04

sudo setfacl --modify user:$USER:rw /var/run/docker.sock
Alex Sandro
9

It looks like a permission issue:

sudo addgroup --system docker
sudo adduser $USER docker
newgrp docker
sudo setfacl -m "g:docker:rw" /var/run/docker.sock

Or simply use this command below, which will fix this issue.

sudo chmod -x /var/run/docker.sock
Praveen Kumar K S
7

Somehow, I found this page when I didn't have correct permissions on my docker.sock after my Docker installation. So, if you have the same issue, you can read this:

$ sudo adduser $USER docker

does not work because the group is "root" not "docker"

$ ls -l /var/run/docker.sock
srw-rw---- 1 root root 0 Jul 11 09:48 /var/run/docker.sock

so it should be

$ sudo adduser $USER root

from a non-snap installed machine, the group is "docker"

# ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 3 04:18 /var/run/docker.sock

The correct way is, according to docker.help you have to run the following BEFORE sudo snap install docker

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker

then the group will be "docker"

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 11 10:59 /var/run/docker.sock

Source: https://github.com/docker-archive/docker-snap/issues/1 (yes, first issue :D)

The easiest way to fix it is to run:

$ sudo setfacl -m "g:docker:rw" /var/run/docker.sock

And then, as already mentioned, run the following commands for your user:

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker

That's it :) Have fun!

Goldus
6

I did the quick fix and it worked immediately.

sudo chmod 777 /var/run/docker.sock
parth
2

Specific to Ubuntu, there is a known issue with lightdm that removes secondary groups from the user as part of the GUI login. You can follow that issue here: https://bugs.launchpad.net/lightdm/+bug/1781418

You can try switching off of lightdm or apply the workaround mentioned in the bug report:

[Comment out the below lines from /etc/pam.d/lightdm:]

auth optional pam_kwallet.so
auth optional pam_kwallet5.so

Temporary options include logging into your machine with something like an ssh or su -l command, or running the newgrp docker command. These will only affect the current shell and would need to be done again with each new terminal.


Outside of this issue, the general commands to give a user direct access to the docker socket (and therefore root access to the host) are:

sudo usermod -aG docker $(id -un) # you can often use $USER in place of the id command
newgrp docker # affects the current shell, logging out should affect all shells
BMitch
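
The question's symptom (`groups` showing only `brandon` while `groups brandon` lists `docker`) is the session-without-secondary-groups case this answer describes. An added example, not part of the answer, that tells that case apart from a missing membership; the function names are made up here.

```shell
#!/bin/sh
# Added example: is GROUP active in this session, or only in the group database?
# Function names are hypothetical.

# has_group NAME "space separated list": exact-name match, so "docker"
# does not match "nvidia-docker".
has_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# group_state NAME SESSION_GROUPS DATABASE_GROUPS
#   active         the running shell already carries the group
#   stale-session  the account is a member, but this login did not get it
#   not-member     the account is not in the group at all
group_state() {
    if has_group "$1" "$2"; then
        echo active
    elif has_group "$1" "$3"; then
        echo stale-session
    else
        echo not-member
    fi
}

# check_session NAME: `id -Gn` reports the current process's groups,
# `id -Gn USER` looks the user up in the group database.
check_session() {
    user=$(id -un)
    state=$(group_state "$1" "$(id -Gn)" "$(id -Gn "$user")")
    echo "$user / $1: $state"
    [ "$state" = active ]
}

# Usage: sh groupcheck.sh docker
if [ "$#" -gt 0 ]; then
    check_session "$1"
fi
```

A `stale-session` result means the membership is already in place and only the login path needs attention, so no permission change on the socket is called for.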
2

I was able to solve this on my Linux Machine using the below command.

> sudo setfacl --modify user:$USER:rw /var/run/docker.sock

Note: Please check if you have sudo access. Otherwise this command will fail.

How to check sudo access?

$ whoami
> rahul
$ groups
> useracc
$ groups useracc
> Here you can see sudo and other access details.
rahulnikhare
2

For Ubuntu 20.04

Step 1: Check Ubuntu user

echo $USER

Step 2: Give rw permission to docker

sudo setfacl --modify user:<user_name>:rw /var/run/docker.sock


Omkesh Sajjanwar
1

I fixed this issue by using the following command:

sudo chmod -x /var/run/docker.sock
ahmnouira
0

Please note: not only group name is important, but apparently also gid of the groups. So if docker group on host system has gid of i.e. 995,

cat /etc/group | grep docker  
docker:x:995:brandon

You must make sure gid of docker group You can do this as a part of a launch script, or simply by using exec and doing it manually:

groupmod -g 995 docker

Hope it helps anyone who comes here, it took me a while to find this answer.

Romeo Kienzler
Butthead
0

This issue is resolved by following the process below

  1. Check whether the "docker" group is created or not

    cmd: cat /etc/group | grep docker

    output: docker:x:995

  2. Check the permissions of "/var/run/docker.sock" file

    cmd: ls -l /var/run/docker.sock

    output: rw-rw---- 1 root root 0 Jul 14 09:10 /var/run/docker.sock

  3. Add docker group to "/var/run/docker.sock" file

    cmd: sudo setfacl -m "g:docker:rw" /var/run/docker.sock

    output: rw-rw---- 1 root docker 0 Jul 14 09:10 /var/run/docker.sock

  4. Now it will work, if possible restart the docker service.

  5. To restart the docker service

    cmd: sudo systemctl restart docker

NHol
-1

Ubuntu 20.x+

sudo usermod -aG docker $USER

Exit the current terminal and open another terminal and start using docker, docker compose.

Gajendra D Ambi