I am attempting to install and use docker for the first time. I have followed the guidelines provided in the answer to this question:
sudo groupadd docker
which at this point returns (as expected):
groupadd: group 'docker' already exists
I then attempt to add the user to the group:
sudo usermod -aG docker $wb_s2s
which only returns
Options:
-b, --badnames allow bad names
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
...
I then try to log out and lock back in and/or restart the computer/docker (I've tried everything). But when I run:
docker run hello-world
I get an error:
docker: Got permission denied while trying to connect to the Docker daemon socket at ... connect: permission denied. See 'docker run --help'.
Can anyone tell me where I went wrong?
When you add your user to the group, the docs meant literally $USER to refer to your user wb_s2s (which is a variable presented in your shell's environment for purposes like this)
adding $ will make it a variable the shell interprets as an empty string
% echo $USER
ti7
% echo $ti7
% echo $whatever
You could use the $USER variable, or just remove the $ from your attempt to add your user to the group
-sudo usermod -aG docker $wb_s2s
+sudo usermod -aG docker wb_s2s
Related
There are commands that require users to be in a group to execute.
I am running a non-interactive bash script script.sh like below
#!/bin/bash
sudo usermod -aG $USER docker
# this line requires user logging to succeed
docker ps
When invoking the script for the first time bash script.sh, the line docker ps will complain insufficient permission since the new group membership modified by line sudo usermod -aG $USER docker requires the user to re-log into the shell to take effect.
My question: is there a way I can trigger the re-log in an non-interactive way?
When you make changes to users like adding, removing groups, you will have to logout from the current session and then, you will be able to use the docker command without any problem.
Another solution if you are working with terminal can use the su command.
For example, your script can be like this:
#!/bin/bash
sudo usermod -aG $USER docker
su - $USER #this line is used to login with the $USER as a login shell
The docker ps command will not work in this script, I forgot to mention that when you run su - $USER you will have to type that command inside that login shell.
But, there is another solution for that, you can use the -c option for su command. For example:
su - $USER -c "docker ps"
Or if you want to use several command you can try using a semicolon at the end of each script:
su - $USER -c "docker ps;docker images;..."
Or if you will have several commands, you can save them inside a file and send the text as parameter of the -c option:
In your text file might be (dockerscripts.txt):
docker ps
docker images
docker info
And the su command might be:
su - $USER -c "$(cat dockerscripts.txt)"
A tip for checking the current groups of a logged user is to use the command groups
So, if you try this:
sudo usermod -aG $USER docker
groups # this will display the current groups of $USER but the `docker` group will not be there yet
su - $USER
After that command you will be in the login shell, so you will have to type the command groups and when you run it, this will display the current groups of $USER including the docker group.
Note: When you logout from the login shell su - $USER the group will not be there again, so If you want to use the docker command you will have to use su - $USER again. The effective way for working with the new group is to log out from the session (if you are working with a desktop environment).
You can check this link fore more useful information: newgrp command in Linux
How can I check if the current user has all privileges to use useradd and groupadd for creation of users and groups?
I don't want to request root privileges (e.g. requireing to be root or calling sudo) for my bash script unnecessarily. Instead I just want to ensure that the privileges are there to just use those commands.
The commands:
$ ls -l $(which useradd) $(which groupadd)
-rwxr-xr-x 1 root root 93136 Mai 28 2020 /usr/sbin/groupadd
-rwxr-xr-x 1 root root 147160 Mai 28 2020 /usr/sbin/useradd
As useradd and groupadd commands need some extra priviledges to run, you can setup access to sudo for specific commands like useradd and groupadd like below :-
Please go through it once, it will make most of the things clear to you
Controlling Access To sudo
The /etc/sudoers file configures the programs that users can access using sudo, along with whether or not a password will be needed.
The system administrator adds users to this file using the /usr/sbin/visudo command. Each non-comment line in the file has two parts:
A username ("<USER_NAME>"), or a group name ("%<GROUP_NAME>").
A list of machine names where a program may be run, or the keyword ALL. Following an equal sign (=), a list of user identities the command may be run as, enclosed in round brackets (parenthesis); the wildcard ALL may also appear. Finally, a list of applications that may be run as the named users; the keyword ALL is a wildcard.
The following examples should help make this clear:
<USER_NAME> ALL=(ALL) ALL
# User <USER_NAME> can execute any command as any user, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) shutdown
# User <USER_NAME> can execute only command shutdown, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
<USER_NAME> ALL=() NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
Once the system administrator has entered the necessary setup into the /etc/sudoers file, users can safely access privileged system resources and activities like this:
$ sudo useradd username
No awkward quoting on the command line, just prefix the command you want with the word sudo. If you want to run the command as a user other than root, just add the -u username switch:
$ sudo -u <USER_NAME> useradd username
There will be a log entry written to the /var/log/secure file to show who did the deed.
Of course, the sysadmin can configure sudo not to request a password. In this case, the command is immediately executed although the audit trail entry will still be written.
Reference :- Sudo Tutorial
Please reach in the comments section for any help
Will be glad to help !!!
Assuming that you need root or sudo to add new users (same for group), you can check if the user has sudo rights, by checking if he is in the corresponding groups.
getent group sudo // shows all users in groupd sudo
Dont know what system/distro you are on - but on arch for example sudoers are in group wheel...
On Linux debian-linux 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64 GNU/Linux,
you can try this way in your script.
groupadd 2>/dev/null ; if test $? -eq 2 ; then echo ok ; else echo bad ; fi
If you can access groupadd or useradd, the return value is 2 because there is missings arguments.
If you can't acess groupadd or useradd, the return value is 127.
I'm trying to set docker up on a new system, and when running docker info I get:
docker -v
=> Docker version 18.09.5, build e8ff056
docker info
=> Got permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock: Get
http://%2Fvar%2Frun%2Fdocker.sock/v1.39/info: dial unix
/var/run/docker.sock: connect: permission denied
Following the docs, I've tried:
sudo usermod -a -G docker $USER
Which returns no output. When I then run groups:
groups
=> mark adm cdrom sudo dip plugdev lpadmin sambashare
I can see a docker group exists:
less /etc/group | grep docker
=> docker:x:131:mark
And can see that it owns a socket running where the error message states:
ls -la /var/run/ | grep docker
=>
drwx------ 5 root root 120 May 25 14:54 docker
-rw-r--r-- 1 root root 5 May 25 14:54 docker.pid
srw-rw---- 1 root docker 0 May 25 14:54 docker.sock
So why can't I add myself to that group with sudo usermod -a -G docker $USER ?
You need to reload your shell in order to make the changes take effect.
Often you need to reboot your shell process and possibly even restart your computer.
e.g
sudo usermod -aG docker $USER
sudo reboot
See #4Z4T4R answer and give a thumbs
https://stackoverflow.com/a/66297855/7961500
Load changes without quitting your shell
To avoid starting a new shell you can run. (Doesn't seem to work for all environments)
exec su -l $USER
This will create a new subshell with the loaded changes and replace your current shell with it.
If nothing else is working for you.
Another way if you just need to get it working now, is to change your primary group. This is only a temp solution as with any new shell you will need to apply it again.
export my_group=$(id -gn)
newgrp docker
newgrp $my_group
Documentation
You can also look at the offical documentation here
https://docs.docker.com/engine/install/linux-postinstall/
In my case, on Ubuntu 20.04, run sudo reboot after this command:
$ sudo usermod -aG docker $USER
I literally needed to reboot my operating system (and machine) for the change to take effect. Restarting/reloading the bash session did not apply the new setting.
Sure, newgrp docker does the trick "on the fly" without restart/reboot/re-anything... but once the session terminates, POOF you're not in the docker group any longer.
Added this as a formal answer bc it genuinely solved the OP's---and my (identical)---problem.
Credit should go to #Omari Celestine for the suggestion, but because I suck at interpretation, I (and maybe you) need the literal disambiguation that this answer provides.
Its a two step process technically. Run
sudo usermod -aG docker $USER
then,
sg docker -c "bash"
Change the permissions on the /var/run/docker.sock file and restart docker process.
sudo chown jenkins:jenkins /var/run/docker.sock
sudo 644 /var/run/docker.sock
Then,
sudo service docker restart
Before running $docker info, Please make sure that the docker service up.
If not pls start the service by running below command.
$service docker start
Now you check the $docker info
When I try to run simple docker commands like:
$ docker ps -a
I get an error message:
Got permission denied ... /var/run/docker.sock: connect: permission denied
When I check permissions with
$ ls -al /var/run/
I see this line:
srw-rw---- root docker docker.sock
So, I follow an advice from many forums and add local user to docker group:
$ sudo usermod -aG docker $USER
But it does not help. I still get the very same error message. How can I fix it?
For those new to the shell, the command:
$ sudo usermod -aG docker $USER
needs to have $USER defined in your shell. This is often there by default, but you may need to set the value to your login id in some shells.
Changing the groups of a user does not change existing logins, terminals, and shells that a user has open. To avoid performing a login again, you can simply run:
$ newgrp docker
to get access to that group in your current shell.
Once you have done this, the user effectively has root access on the server, so only do this for users that are trusted with unrestricted sudo access.
Reason: The error message means that the current user can’t access the docker engine, because the user hasn't enough permissions to access the UNIX socket to communicate with the engine.
Quick Fix:
Run the command as root using sudo.
sudo docker ps
Change the permissions of /var/run/docker.sock for the current user.
sudo chown $USER /var/run/docker.sock
Caution: Running sudo chmod 777 /var/run/docker.sock will solve your problem but it will open the docker socket for everyone which is a security vulnerability as pointed out by #AaylaSecura. Hence it shouldn't be used, except for testing purposes on the local system.
Permanent Solution:
Add the current user to the docker group.
sudo usermod -a -G docker $USER
Note: You have to log out and log in again for the changes to take effect.
Refer to this blog to know more about managing Docker as a non-root user.
Make sure your $USER variable is set
$ echo $USER
$ sudo usermod -aG docker $USER
logout
Upon login, restart the docker service
$ sudo systemctl restart docker
$ docker ps
enter the command and explore docker without sudo command
sudo chmod 666 /var/run/docker.sock
As mentioned earlier in the comment the changes won't apply until your re-login. If you were doing a SSH and opening a new terminal, it would have worked in new terminal
But since you were using GUI and opening the new terminal the changes were not applied. That is the reason the error didn't go away
So below command did do its job, its just a re-login was missed
sudo usermod -aG docker $USER
You need to manage docker as a non-root user.
To create the docker group and add your user:
Create the docker group.
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
$ newgrp docker
Verify that you can run docker commands without sudo.
$ docker run hello-world
As my user is and AD user, I have to add the AD user to the local group by manually editing /etc/group file. Unforrtunately the adduser commands do not seem to be nsswitch aware and do not recognize a user not locally defined when adding someone to a group.
Then reboot or refresh /etc/group. Now, you can use docker without sudo.
Regards.
***Important Note on these answers: the docker group is not always "docker" sometimes it is "dockerroot", for example the case of Centos 7 installation by
sudo yum install -y docker
The first thing you should do, after installing Docker, is
sudo tail /etc/group
it should say something like
......
sshd:x:74:
postdrop:x:90:
postfix:x:89:
yourusername:x:1000:yourusername
cgred:x:996:
dockerroot:x:995:
In this case, it is "dockerroot" not "docker". So,
sudo usermod -aG dockerroot yourusername
logout
When I try to run simple docker commands like: $ docker ps -a
I get an error message: Got permission denied ... /var/run/docker.sock: connect: permission denied.
[…] How can I fix it?
TL;DR: There are two ways (the first one, also mentioned in the question itself, was extensively addressed by other answers, but comes with security concerns; so I'll elaborate on this issue, and develop the second solution that can also be applicable for this fairly sensible use case).
Just to recall the context, the Docker daemon socket is owned by root:docker:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock
so with this default setup, one needs to prepend all docker CLI commands by sudo.
To avoid this, one can either:
add one's user account ($USER) to the docker group − but that's quite risky to do this on one's personal workstation, as this would amount to provide all programs run by the user with root permissions without any sudo password prompt nor auditing.
See also:
this page in the official Docker documentation:
https://docs.docker.com/engine/security/#docker-daemon-attack-surface
this page that documents the related exploit:
https://fosterelli.co/privilege-escalation-via-docker.html
one can otherwise prepend sudo automatically without typing sudo docker manually: to this aim, a solution consists in adding the following alias in the ~/.bashrc (see e.g. this thread for details):
__docker() {
if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
docker "$#"
else
sudo docker "$#"
fi
}
alias docker=__docker
Then one can test this by opening a new terminal and typing:
docker run --pul〈TAB〉 # → docker run --pull
# autocompletion works
docker run --pull always --rm -it debian:11 # ask one's password
\docker run --help # bypass the alias (thanks to the \) and ask no password
With the help of the below command I was able to execute the docker command without sudo
sudo setfacl -m user:$USER:rw /var/run/docker.sock
bash into container as root user
docker exec -it --user root <dc5> bash
create docker group if it's not already created
groupadd -g 999 docker
add user to docker group
usermod -aG docker jenkins
change permissions
chmod 777 /var/run/docker.sock
You have to use pns executer instead of docker.
run the following patch which modifies the configmap and you are all set.
kubectl -n argo patch cm workflow-controller-configmap -p '{"data": {"containerRuntimeExecutor": "pns"}}' ;
ref: https://www.youtube.com/watch?v=XySJb-WmL3Q&list=PLGHfqDpnXFXLHfeapfvtt9URtUF1geuBo&index=2&t=3996s
In my docker container I am running a command as a specific user like this from entrypoint.sh:
sudo -u appuser "$#"
This works fine, however, it doesn't set any of the environment variables that get created by using the --link option while running the container.
Question
Is it possible to set all environment variables that exist for a root user to some other specific user (in this example appuser)
Note: related question to this discussion. This is the reason I can't just use the USER command How to give non-root user in Docker container access to a volume mounted on the host
The sudo command, because it is designed as a tool for privilege escalation, intentionally sanitizes the environment before switching to a new user id. If you take a look at the sudo man page, you'll find:
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their existing
environment variables. The security policy may return an error if the user does not
have permission to preserve the environment.
So instead of sudo -u appuser somecommand, just use sudo -E -u appuser somecommand.
The runuser command is provided by the util-linux package in recent versions of Ubuntu, and does not perform any environment initialization by default. For example:
$ docker pull ubuntu
$ docker run -it --rm ubuntu /bin/bash
root#ded49ffde72e:/# runuser --help
Usage:
runuser [options] -u <user> <command>
runuser [options] [-] [<user> [<argument>...]]
[...]
This is with Ubuntu Xenial (but the runuser command also appears to be available on ubuntu:vivid, but is not available under ubuntu:trusty).
So your options are:
Use sudo -E, or
Use a more recent Ubuntu image