Unable to run Docker commands without sudo user in Ubuntu 16.04 - linux

I am trying to run Docker commands without sudo user, but they are giving me below error:
I following the steps provided online:
Created the docker group --> sudo groupadd docker
Add user to the docker group --> sudo usermod -aG docker $USER
restarted VM --> newgrp docker
sudo setfacl -m user:$USER:rw /var/run/docker.sock
restarted docker:
sudo systemctl daemon-reload`
sudo systemctl restart docker
I also tried modifying the visudo file and added my user privileges as below:
sudo visudo
anand ALL=(ALL:ALL) ALL
anand ALL=(ALL) NOPASSWD: ALL
I even tried changing the owner of my /var/run/docker.sock file to my user. It was with root initially
srw-rw---- 1 root docker 0 Aug 2 12:37 /var/run/docker.sock
I changed owner to below:
srw-rw---- 1 anand anand 0 Aug 2 12:37 /var/run/docker.sock
Finally none of the options seem to work. Kindly suggest some options to fix this issue.

First, you need to check if your user (or user that you want to use with docker) is in docker group. For that, just run this command:
id -nG
If it says that user is in the docker group, then try again running this command if you want to add an active user:
sudo usermod -aG docker ${USER}
or run this if you want to add some other user:
sudo usermod -aG docker other_username
After you add a user to the group, you need to logout and then login again to apply new group changes.

Related

Docker Permission Denied During Setup

I am attempting to install and use docker for the first time. I have followed the guidelines provided in the answer to this question:
sudo groupadd docker
which at this point returns (as expected):
groupadd: group 'docker' already exists
I then attempt to add the user to the group:
sudo usermod -aG docker $wb_s2s
which only returns
Options:
-b, --badnames allow bad names
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
...
I then try to log out and lock back in and/or restart the computer/docker (I've tried everything). But when I run:
docker run hello-world
I get an error:
docker: Got permission denied while trying to connect to the Docker daemon socket at ... connect: permission denied. See 'docker run --help'.
Can anyone tell me where I went wrong?
When you add your user to the group, the docs meant literally $USER to refer to your user wb_s2s (which is a variable presented in your shell's environment for purposes like this)
adding $ will make it a variable the shell interprets as an empty string
% echo $USER
ti7
% echo $ti7
% echo $whatever
You could use the $USER variable, or just remove the $ from your attempt to add your user to the group
-sudo usermod -aG docker $wb_s2s
+sudo usermod -aG docker wb_s2s

How to set up multiple wordpress sites on linux correctly?

I have setup a linode to host few client's WordPress sites.
I added all sites to
var/www/html/site1.com/public_html<br>
var/www/html/site2.com/public_html<br>
var/www/html/site3.com/public_html<br>
and gave the www-data user permission:
sudo chown -R www-data:www-data /var/www/html/site1.com/public_html<br>
sudo chown -R www-data:www-data /var/www/html/site2.com/public_html<br>
sudo chown -R www-data:www-data /var/www/html/site3.com/public_html<br>
Now issue is PHP is able to write across all those folders which means if one site gets compromised , hacker will be able to access other sites public_html via PHP.
What is the best secure way to set this up ?
Step by step guide will help !! Thank you so much.
You have to create separate user for each website like site1, site2, site3
Then assign user and group for each website to get your expected security.
sudo chown -R site1:site1 /var/www/html/site1.com/public_html
sudo chown -R site2:site2 /var/www/html/site2.com/public_html
sudo chown -R site3:site3 /var/www/html/site3.com/public_html
Add user to www-data group so that you wordpreess can run regular operations such as update, delete, install...
sudo usermod -a -G www-data site1
sudo usermod -a -G www-data site3
sudo usermod -a -G www-data site3

Can't add user to docker group

I'm trying to set docker up on a new system, and when running docker info I get:
docker -v
=> Docker version 18.09.5, build e8ff056
docker info
=> Got permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock: Get
http://%2Fvar%2Frun%2Fdocker.sock/v1.39/info: dial unix
/var/run/docker.sock: connect: permission denied
Following the docs, I've tried:
sudo usermod -a -G docker $USER
Which returns no output. When I then run groups:
groups
=> mark adm cdrom sudo dip plugdev lpadmin sambashare
I can see a docker group exists:
less /etc/group | grep docker
=> docker:x:131:mark
And can see that it owns a socket running where the error message states:
ls -la /var/run/ | grep docker
=>
drwx------ 5 root root 120 May 25 14:54 docker
-rw-r--r-- 1 root root 5 May 25 14:54 docker.pid
srw-rw---- 1 root docker 0 May 25 14:54 docker.sock
So why can't I add myself to that group with sudo usermod -a -G docker $USER ?
You need to reload your shell in order to make the changes take effect.
Often you need to reboot your shell process and possibly even restart your computer.
e.g
sudo usermod -aG docker $USER
sudo reboot
See #4Z4T4R answer and give a thumbs
https://stackoverflow.com/a/66297855/7961500
Load changes without quitting your shell
To avoid starting a new shell you can run. (Doesn't seem to work for all environments)
exec su -l $USER
This will create a new subshell with the loaded changes and replace your current shell with it.
If nothing else is working for you.
Another way if you just need to get it working now, is to change your primary group. This is only a temp solution as with any new shell you will need to apply it again.
export my_group=$(id -gn)
newgrp docker
newgrp $my_group
Documentation
You can also look at the offical documentation here
https://docs.docker.com/engine/install/linux-postinstall/
In my case, on Ubuntu 20.04, run sudo reboot after this command:
$ sudo usermod -aG docker $USER
I literally needed to reboot my operating system (and machine) for the change to take effect. Restarting/reloading the bash session did not apply the new setting.
Sure, newgrp docker does the trick "on the fly" without restart/reboot/re-anything... but once the session terminates, POOF you're not in the docker group any longer.
Added this as a formal answer bc it genuinely solved the OP's---and my (identical)---problem.
Credit should go to #Omari Celestine for the suggestion, but because I suck at interpretation, I (and maybe you) need the literal disambiguation that this answer provides.
Its a two step process technically. Run
sudo usermod -aG docker $USER
then,
sg docker -c "bash"
Change the permissions on the /var/run/docker.sock file and restart docker process.
sudo chown jenkins:jenkins /var/run/docker.sock
sudo 644 /var/run/docker.sock
Then,
sudo service docker restart
Before running $docker info, Please make sure that the docker service up.
If not pls start the service by running below command.
$service docker start
Now you check the $docker info

docker.sock permission denied

When I try to run simple docker commands like:
$ docker ps -a
I get an error message:
Got permission denied ... /var/run/docker.sock: connect: permission denied
When I check permissions with
$ ls -al /var/run/
I see this line:
srw-rw---- root docker docker.sock
So, I follow an advice from many forums and add local user to docker group:
$ sudo usermod -aG docker $USER
But it does not help. I still get the very same error message. How can I fix it?
For those new to the shell, the command:
$ sudo usermod -aG docker $USER
needs to have $USER defined in your shell. This is often there by default, but you may need to set the value to your login id in some shells.
Changing the groups of a user does not change existing logins, terminals, and shells that a user has open. To avoid performing a login again, you can simply run:
$ newgrp docker
to get access to that group in your current shell.
Once you have done this, the user effectively has root access on the server, so only do this for users that are trusted with unrestricted sudo access.
Reason: The error message means that the current user can’t access the docker engine, because the user hasn't enough permissions to access the UNIX socket to communicate with the engine.
Quick Fix:
Run the command as root using sudo.
sudo docker ps
Change the permissions of /var/run/docker.sock for the current user.
sudo chown $USER /var/run/docker.sock
Caution: Running sudo chmod 777 /var/run/docker.sock will solve your problem but it will open the docker socket for everyone which is a security vulnerability as pointed out by #AaylaSecura. Hence it shouldn't be used, except for testing purposes on the local system.
Permanent Solution:
Add the current user to the docker group.
sudo usermod -a -G docker $USER
Note: You have to log out and log in again for the changes to take effect.
Refer to this blog to know more about managing Docker as a non-root user.
Make sure your $USER variable is set
$ echo $USER
$ sudo usermod -aG docker $USER
logout
Upon login, restart the docker service
$ sudo systemctl restart docker
$ docker ps
enter the command and explore docker without sudo command
sudo chmod 666 /var/run/docker.sock
As mentioned earlier in the comment the changes won't apply until your re-login. If you were doing a SSH and opening a new terminal, it would have worked in new terminal
But since you were using GUI and opening the new terminal the changes were not applied. That is the reason the error didn't go away
So below command did do its job, its just a re-login was missed
sudo usermod -aG docker $USER
You need to manage docker as a non-root user.
To create the docker group and add your user:
Create the docker group.
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
$ newgrp docker
Verify that you can run docker commands without sudo.
$ docker run hello-world
As my user is and AD user, I have to add the AD user to the local group by manually editing /etc/group file. Unforrtunately the adduser commands do not seem to be nsswitch aware and do not recognize a user not locally defined when adding someone to a group.
Then reboot or refresh /etc/group. Now, you can use docker without sudo.
Regards.
***Important Note on these answers: the docker group is not always "docker" sometimes it is "dockerroot", for example the case of Centos 7 installation by
sudo yum install -y docker
The first thing you should do, after installing Docker, is
sudo tail /etc/group
it should say something like
......
sshd:x:74:
postdrop:x:90:
postfix:x:89:
yourusername:x:1000:yourusername
cgred:x:996:
dockerroot:x:995:
In this case, it is "dockerroot" not "docker". So,
sudo usermod -aG dockerroot yourusername
logout
When I try to run simple docker commands like: $ docker ps -a
I get an error message: Got permission denied ... /var/run/docker.sock: connect: permission denied.
[…] How can I fix it?
TL;DR: There are two ways (the first one, also mentioned in the question itself, was extensively addressed by other answers, but comes with security concerns; so I'll elaborate on this issue, and develop the second solution that can also be applicable for this fairly sensible use case).
Just to recall the context, the Docker daemon socket is owned by root:docker:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock
so with this default setup, one needs to prepend all docker CLI commands by sudo.
To avoid this, one can either:
add one's user account ($USER) to the docker group − but that's quite risky to do this on one's personal workstation, as this would amount to provide all programs run by the user with root permissions without any sudo password prompt nor auditing.
See also:
this page in the official Docker documentation:
https://docs.docker.com/engine/security/#docker-daemon-attack-surface
this page that documents the related exploit:
https://fosterelli.co/privilege-escalation-via-docker.html
one can otherwise prepend sudo automatically without typing sudo docker manually: to this aim, a solution consists in adding the following alias in the ~/.bashrc (see e.g. this thread for details):
__docker() {
if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
docker "$#"
else
sudo docker "$#"
fi
}
alias docker=__docker
Then one can test this by opening a new terminal and typing:
docker run --pul〈TAB〉 # → docker run --pull
# autocompletion works
docker run --pull always --rm -it debian:11 # ask one's password
\docker run --help # bypass the alias (thanks to the \) and ask no password
With the help of the below command I was able to execute the docker command without sudo
sudo setfacl -m user:$USER:rw /var/run/docker.sock
bash into container as root user
docker exec -it --user root <dc5> bash
create docker group if it's not already created
groupadd -g 999 docker
add user to docker group
usermod -aG docker jenkins
change permissions
chmod 777 /var/run/docker.sock
You have to use pns executer instead of docker.
run the following patch which modifies the configmap and you are all set.
kubectl -n argo patch cm workflow-controller-configmap -p '{"data": {"containerRuntimeExecutor": "pns"}}' ;
ref: https://www.youtube.com/watch?v=XySJb-WmL3Q&list=PLGHfqDpnXFXLHfeapfvtt9URtUF1geuBo&index=2&t=3996s

Problems with file ownership in a linux group

I have an ubuntu ec2 server.
I have a user, ubuntu created by aws for which I have the ssh key.
I have a team of 4 developers who have their own users and separate keys. Lets call them dev1, dev2, dev3, dev4.
Now I created a group called devs in which I added all 4 developer users. dev1 - dev4.
Problem I am facing is when dev1 upload/create a file via ftp on server machine, dev2 is not able to edit the file or upload another version of same file created by dev1, even though they are in same group, because its ownership lies with dev1.
How can I solve this problem. I want everyone in my group devs to be able to modify add or create files, in my /var/www/html/ folder, regardless of who created that file.
Can I give group ownership in linux be default? As far as I know ownership can always be with users not the group. Is there a simple and straightforward solution to this?
group structure -
You can see 4 users in group devs
The steps that you have to follow are:
Create the group:
sudo groupadd devs
Create the users:
sudo useradd dev1
sudo useradd dev2
sudo useradd dev3
sudo useradd dev4
Set a password for the users:
sudo passwd dev1
sudo passwd dev2
sudo passwd dev3
sudo passwd dev4
Insert the users in the "devs" group:
sudo usermod -a -G devs dev1
sudo usermod -a -G devs dev2
sudo usermod -a -G devs dev3
sudo usermod -a -G devs dev4
Check that the interested folder (/var/www/html) has the right permissions.
For example, I created 2 users (dev1 and dev2) for a test and inserted them in the group "devs". I created a file with the user "dev2".
These are the permissions:
rw-rw-r-- 1 dev2 devs 10 Sep 6 20:46 test.txt
The owner is "dev2" but the group is "devs". The permissions in my file for the group are "rw" (read/write) so, all the members of the group can read/write.
For more info about the linux file permissions: https://www.linux.com/learn/understanding-linux-file-permissions

Resources