docker.sock permission denied - linux

When I try to run simple docker commands like:
$ docker ps -a
I get an error message:
Got permission denied ... /var/run/docker.sock: connect: permission denied
When I check permissions with
$ ls -al /var/run/
I see this line:
srw-rw---- root docker docker.sock
So, I follow an advice from many forums and add local user to docker group:
$ sudo usermod -aG docker $USER
But it does not help. I still get the very same error message. How can I fix it?

For those new to the shell, the command:
$ sudo usermod -aG docker $USER
needs to have $USER defined in your shell. This is often there by default, but you may need to set the value to your login id in some shells.
Changing the groups of a user does not change existing logins, terminals, and shells that a user has open. To avoid performing a login again, you can simply run:
$ newgrp docker
to get access to that group in your current shell.
Once you have done this, the user effectively has root access on the server, so only do this for users that are trusted with unrestricted sudo access.

Reason: The error message means that the current user can’t access the docker engine, because the user hasn't enough permissions to access the UNIX socket to communicate with the engine.
Quick Fix:
Run the command as root using sudo.
sudo docker ps
Change the permissions of /var/run/docker.sock for the current user.
sudo chown $USER /var/run/docker.sock
Caution: Running sudo chmod 777 /var/run/docker.sock will solve your problem but it will open the docker socket for everyone which is a security vulnerability as pointed out by #AaylaSecura. Hence it shouldn't be used, except for testing purposes on the local system.
Permanent Solution:
Add the current user to the docker group.
sudo usermod -a -G docker $USER
Note: You have to log out and log in again for the changes to take effect.
Refer to this blog to know more about managing Docker as a non-root user.

Make sure your $USER variable is set
$ echo $USER
$ sudo usermod -aG docker $USER
logout
Upon login, restart the docker service
$ sudo systemctl restart docker
$ docker ps

enter the command and explore docker without sudo command
sudo chmod 666 /var/run/docker.sock

As mentioned earlier in the comment the changes won't apply until your re-login. If you were doing a SSH and opening a new terminal, it would have worked in new terminal
But since you were using GUI and opening the new terminal the changes were not applied. That is the reason the error didn't go away
So below command did do its job, its just a re-login was missed
sudo usermod -aG docker $USER

You need to manage docker as a non-root user.
To create the docker group and add your user:
Create the docker group.
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
$ newgrp docker
Verify that you can run docker commands without sudo.
$ docker run hello-world

As my user is and AD user, I have to add the AD user to the local group by manually editing /etc/group file. Unforrtunately the adduser commands do not seem to be nsswitch aware and do not recognize a user not locally defined when adding someone to a group.
Then reboot or refresh /etc/group. Now, you can use docker without sudo.
Regards.

***Important Note on these answers: the docker group is not always "docker" sometimes it is "dockerroot", for example the case of Centos 7 installation by
sudo yum install -y docker
The first thing you should do, after installing Docker, is
sudo tail /etc/group
it should say something like
......
sshd:x:74:
postdrop:x:90:
postfix:x:89:
yourusername:x:1000:yourusername
cgred:x:996:
dockerroot:x:995:
In this case, it is "dockerroot" not "docker". So,
sudo usermod -aG dockerroot yourusername
logout

When I try to run simple docker commands like: $ docker ps -a
I get an error message: Got permission denied ... /var/run/docker.sock: connect: permission denied.
[…] How can I fix it?
TL;DR: There are two ways (the first one, also mentioned in the question itself, was extensively addressed by other answers, but comes with security concerns; so I'll elaborate on this issue, and develop the second solution that can also be applicable for this fairly sensible use case).
Just to recall the context, the Docker daemon socket is owned by root:docker:
$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock
so with this default setup, one needs to prepend all docker CLI commands by sudo.
To avoid this, one can either:
add one's user account ($USER) to the docker group − but that's quite risky to do this on one's personal workstation, as this would amount to provide all programs run by the user with root permissions without any sudo password prompt nor auditing.
See also:
this page in the official Docker documentation:
https://docs.docker.com/engine/security/#docker-daemon-attack-surface
this page that documents the related exploit:
https://fosterelli.co/privilege-escalation-via-docker.html
one can otherwise prepend sudo automatically without typing sudo docker manually: to this aim, a solution consists in adding the following alias in the ~/.bashrc (see e.g. this thread for details):
__docker() {
if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
docker "$#"
else
sudo docker "$#"
fi
}
alias docker=__docker
Then one can test this by opening a new terminal and typing:
docker run --pul〈TAB〉 # → docker run --pull
# autocompletion works
docker run --pull always --rm -it debian:11 # ask one's password
\docker run --help # bypass the alias (thanks to the \) and ask no password

With the help of the below command I was able to execute the docker command without sudo
sudo setfacl -m user:$USER:rw /var/run/docker.sock

bash into container as root user
docker exec -it --user root <dc5> bash
create docker group if it's not already created
groupadd -g 999 docker
add user to docker group
usermod -aG docker jenkins
change permissions
chmod 777 /var/run/docker.sock

You have to use pns executer instead of docker.
run the following patch which modifies the configmap and you are all set.
kubectl -n argo patch cm workflow-controller-configmap -p '{"data": {"containerRuntimeExecutor": "pns"}}' ;
ref: https://www.youtube.com/watch?v=XySJb-WmL3Q&list=PLGHfqDpnXFXLHfeapfvtt9URtUF1geuBo&index=2&t=3996s

Related

Docker Permission Denied During Setup

I am attempting to install and use docker for the first time. I have followed the guidelines provided in the answer to this question:
sudo groupadd docker
which at this point returns (as expected):
groupadd: group 'docker' already exists
I then attempt to add the user to the group:
sudo usermod -aG docker $wb_s2s
which only returns
Options:
-b, --badnames allow bad names
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
...
I then try to log out and lock back in and/or restart the computer/docker (I've tried everything). But when I run:
docker run hello-world
I get an error:
docker: Got permission denied while trying to connect to the Docker daemon socket at ... connect: permission denied. See 'docker run --help'.
Can anyone tell me where I went wrong?
When you add your user to the group, the docs meant literally $USER to refer to your user wb_s2s (which is a variable presented in your shell's environment for purposes like this)
adding $ will make it a variable the shell interprets as an empty string
% echo $USER
ti7
% echo $ti7
% echo $whatever
You could use the $USER variable, or just remove the $ from your attempt to add your user to the group
-sudo usermod -aG docker $wb_s2s
+sudo usermod -aG docker wb_s2s

Can't add user to docker group

I'm trying to set docker up on a new system, and when running docker info I get:
docker -v
=> Docker version 18.09.5, build e8ff056
docker info
=> Got permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock: Get
http://%2Fvar%2Frun%2Fdocker.sock/v1.39/info: dial unix
/var/run/docker.sock: connect: permission denied
Following the docs, I've tried:
sudo usermod -a -G docker $USER
Which returns no output. When I then run groups:
groups
=> mark adm cdrom sudo dip plugdev lpadmin sambashare
I can see a docker group exists:
less /etc/group | grep docker
=> docker:x:131:mark
And can see that it owns a socket running where the error message states:
ls -la /var/run/ | grep docker
=>
drwx------ 5 root root 120 May 25 14:54 docker
-rw-r--r-- 1 root root 5 May 25 14:54 docker.pid
srw-rw---- 1 root docker 0 May 25 14:54 docker.sock
So why can't I add myself to that group with sudo usermod -a -G docker $USER ?
You need to reload your shell in order to make the changes take effect.
Often you need to reboot your shell process and possibly even restart your computer.
e.g
sudo usermod -aG docker $USER
sudo reboot
See #4Z4T4R answer and give a thumbs
https://stackoverflow.com/a/66297855/7961500
Load changes without quitting your shell
To avoid starting a new shell you can run. (Doesn't seem to work for all environments)
exec su -l $USER
This will create a new subshell with the loaded changes and replace your current shell with it.
If nothing else is working for you.
Another way if you just need to get it working now, is to change your primary group. This is only a temp solution as with any new shell you will need to apply it again.
export my_group=$(id -gn)
newgrp docker
newgrp $my_group
Documentation
You can also look at the offical documentation here
https://docs.docker.com/engine/install/linux-postinstall/
In my case, on Ubuntu 20.04, run sudo reboot after this command:
$ sudo usermod -aG docker $USER
I literally needed to reboot my operating system (and machine) for the change to take effect. Restarting/reloading the bash session did not apply the new setting.
Sure, newgrp docker does the trick "on the fly" without restart/reboot/re-anything... but once the session terminates, POOF you're not in the docker group any longer.
Added this as a formal answer bc it genuinely solved the OP's---and my (identical)---problem.
Credit should go to #Omari Celestine for the suggestion, but because I suck at interpretation, I (and maybe you) need the literal disambiguation that this answer provides.
Its a two step process technically. Run
sudo usermod -aG docker $USER
then,
sg docker -c "bash"
Change the permissions on the /var/run/docker.sock file and restart docker process.
sudo chown jenkins:jenkins /var/run/docker.sock
sudo 644 /var/run/docker.sock
Then,
sudo service docker restart
Before running $docker info, Please make sure that the docker service up.
If not pls start the service by running below command.
$service docker start
Now you check the $docker info

Can you start a process inside a Docker container as root, while having the default user of an exec call be non-root?

I'm basically trying to run crond -f as root, while having the default user be something different.
Since the crontabs it runs use sensitive information from other files on the image, I want to give root access to these files, start the crond process, then switch the user to a newly created one. This way the cronjobs will be able to get the information they need, while securing the sensitive files in the container from anyone who may get exec access.
have tried a couple things like this:
USER root
CMD ["./runCrons.sh"]
USER newuser
But this does not run the crond process as root, but as newuser.
If anyone has a solution it would save me some digging and experimentation.
While building the Docker image, create a user which belongs to sudo group and is allowed to run all sudo commands without a password.
Consider the below example which creates a docker image called test with user named myuser with sudo pass:
$ cat Dockerfile
FROM debian:latest
ENV user_name myuser
RUN apt-get update
RUN apt-get install -y sudo
RUN useradd --create-home -s /bin/bash ${user_name}
RUN echo "${user_name} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${user_name}
WORKDIR /home/${user_name}
USER ${user_name}
CMD /bin/bash
Then build the image:
docker build -t test .
Now to fix cron permissions issues for standard user, make sure all commands used on cron scripts start with sudo, like below.
CMD ["sudo ./runCrons.sh"]
Since no password is expected when using sudo, everything should execute fine and you should be good to go.

Docker mounting volume. Permission denied

I have a problem with creating new files in mounted docker volume.
Firstly after installation docker i added my user to docker group.
sudo usermod -aG docker $USER
Created as my $USER folder:
mkdir -p /srv/redis
And starting container:
docker run -d -v /srv/redis:/data --name myredis redis
when i want to create file in /srv/redis as a user which created container I have a problem with access.
mkdir /srv/redis/redisTest
mkdir: cannot create directory ‘/srv/redis/redisTest’: Permission denied
I tried to search in other threads but i didn't find appropriate solution.
The question title does not reflect the real problem in my opinion.
mkdir /srv/redis/redisTest
mkdir: cannot create directory ‘/srv/redis/redisTest’: Permission denied
This problem occurs very likely because when you run:
docker run -d -v /srv/redis:/data --name myredis redis
the directory /srv/redis ownership changes to root. You can check that by
ls -lah /srv/redis
This is normal consequence of mounting external directory to docker. To regain access you have to run
sudo chown -R $USER /srv/redis
I think /srv/redis/redisTest directory is created by user inside redis container, so it belong to redis container user.
Have you already check using ls -l to see that /srv/redis/redisTest directory belong to $USER?
This could also be related (as I just found out) to having SELinux activated. This answer on the DevOps Stack Exchange worked for me:
The solution is to simply append a :z to the [docker] run volume argument so that this:
docker run -v /host/foobar:/src_dir /bin/bash
becomes this:
docker run -it -v /host/foobar:/src_dir:z /bin/bash

How to set copy all environment variables from root user to another specific user

In my docker container I am running a command as a specific user like this from entrypoint.sh:
sudo -u appuser "$#"
This works fine, however, it doesn't set any of the environment variables that get created by using the --link option while running the container.
Question
Is it possible to set all environment variables that exist for a root user to some other specific user (in this example appuser)
Note: related question to this discussion. This is the reason I can't just use the USER command How to give non-root user in Docker container access to a volume mounted on the host
The sudo command, because it is designed as a tool for privilege escalation, intentionally sanitizes the environment before switching to a new user id. If you take a look at the sudo man page, you'll find:
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their existing
environment variables. The security policy may return an error if the user does not
have permission to preserve the environment.
So instead of sudo -u appuser somecommand, just use sudo -E -u appuser somecommand.
The runuser command is provided by the util-linux package in recent versions of Ubuntu, and does not perform any environment initialization by default. For example:
$ docker pull ubuntu
$ docker run -it --rm ubuntu /bin/bash
root#ded49ffde72e:/# runuser --help
Usage:
runuser [options] -u <user> <command>
runuser [options] [-] [<user> [<argument>...]]
[...]
This is with Ubuntu Xenial (but the runuser command also appears to be available on ubuntu:vivid, but is not available under ubuntu:trusty).
So your options are:
Use sudo -E, or
Use a more recent Ubuntu image

Resources