2

I've been following these instructions to get Docker installed on a brand new Windows 2019 Server.

As long as I use an administrative account, I can log in and run whatever I want:

```
C:\Windows\system32>docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.
```

But if I try to run the same command from a non-administrator shell I get this error message:

```
C:\Users\sysUKNG>docker run helloworld
docker: error during connect: Post http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.40/containers/create: open //./pipe/docker_engine: Access is denied. In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.
See 'docker run --help'.
```

Is Microsoft expecting Docker users to only interact with the Docker Daemon from an elevated account? I guess this kind of makes sense if you assume that the purpose of Docker is to run long-lasting servers. It's logical that you'd want only an administrator to be able to start and stop these kinds of things.

However, I'm trying to run a large number of batch processes which get triggered by a scheduler run from a non-administrative service account. I really don't want my scheduler to have to run elevated.

In Docker for Linux I can make any user I want to have access to Docker part of the "docker-users" group. Does Windows have an equivalent way to allow any user to have this kind of access? My server has no group with a similar name, but I do have "Hyper-V Administrators", which it says gives the account "Complete and unrestricted access", which is not exactly what I want.

Ideally I want a certain group of users to be able to start and stop a process that runs on Docker for Windows inside a Windows container.

This page suggests that the solution has something to do with opening a TCP port, but I'm using the Windows Server version of Docker. It doesn't have the same control panel that you normally get with Docker Desktop for Windows.

Another page suggests that I can only run Docker commands from an elevated shell? I too want to run some Docker stuff from Jenkins jobs.

veben
Salim Fadhley

1 Answer

2

Create a group "docker-users". Needs to be run after each reboot.

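```powershell
# Group to grant access to; replace MY-SERVER-NAME with the local computer name.
$account = "MY-SERVER-NAME\docker-users"
# Named pipe the Docker daemon listens on.
$npipe = "\\.\pipe\docker_engine"
# Read the pipe's current ACL through a DirectoryInfo object.
$dInfo = New-Object "System.IO.DirectoryInfo" -ArgumentList $npipe
$dSec = $dInfo.GetAccessControl()
# Build an Allow rule giving the group FullControl on the pipe.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object "System.Security.AccessControl.FileSystemAccessRule" -ArgumentList $account,$fullControl,$allow
# Add the rule and write the modified ACL back to the pipe.
$dSec.AddAccessRule($rule)
$dInfo.SetAccessControl($dSec)
```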

I think I grabbed this idea from here: https://dille.name/blog/2017/11/29/using-the-docker-named-pipe-as-a-non-admin-for-windowscontainers/
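
A narrower variant of the script above, as an added example that is not part of the original answer: it grants the group Read and Write on the pipe instead of FullControl, so members can talk to the daemon but cannot change the pipe's ACL or take ownership of it. It assumes an elevated Windows PowerShell 5.1 session and an existing local group named "docker-users"; the variable names are illustrative.

```powershell
# Added example, not from the answer. Run elevated in Windows PowerShell 5.1.
# Assumption: a local group named "docker-users" already exists on this host.
$group = "$env:COMPUTERNAME\docker-users"
$pipe  = '\\.\pipe\docker_engine'

# Resolve the group to a SID first so a typo fails here, not in the ACL call.
try {
    $nt  = New-Object System.Security.Principal.NTAccount -ArgumentList $group
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Group '$group' could not be resolved; create it before running this."
}

# The pipe only exists while the daemon is running, so reading its ACL fails otherwise.
$info = New-Object System.IO.DirectoryInfo -ArgumentList $pipe
try {
    $acl = $info.GetAccessControl()
} catch {
    throw "Cannot read the ACL on $pipe (daemon stopped or shell not elevated): $_"
}

# Read + Write covers opening the pipe for reading and writing.
# FullControl would also allow ChangePermissions and TakeOwnership on the pipe.
$rights = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $rights, $allow

# SetAccessRule replaces any earlier Allow entry for this SID (for example a
# FullControl entry from a previous run) instead of merging with it.
$acl.SetAccessRule($rule)
$info.SetAccessControl($acl)

# Re-read the ACL from the pipe and show the entry that is now in effect.
$info.GetAccessControl().GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights
```

Anyone in the group can still drive the daemon through the Docker API as fully as an administrator can, so keep membership limited to the accounts that need it, such as the scheduler's service account.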