1178

On Docker's documentation pages, all example commands are shown without sudo, like this one:

docker ps

On Ubuntu, the binary is called docker.io. It also does not work without sudo:

sudo docker.io ps

How can I configure Docker so that I don't need to prefix every Docker command with sudo?

10
  • 2
    Don't forget to enable ufw ;)
    – Rinzwind
    Commented Jun 6, 2014 at 8:29
  • 2
    On Ubuntu 14.04 there is also 'docker' binary. Commented Sep 7, 2014 at 8:55
  • 2
    Recommended installation is not the docker in default ubuntu repos; instead, instructions here ( docs.docker.com/engine/installation/linux/ubuntulinux ), recommend using the docker repo. Remove all the existing docker stuff, and verify you're getting the one from the right source: apt-cache policy docker-engine (apt url should be from dockerproject.org)
    – michael
    Commented Sep 24, 2016 at 6:30
  • 4
    How about an alias:? That way, you still use sudo, with password protection. alias docker="sudo docker " Commented Mar 22, 2018 at 17:34
  • 1
    What junk is this for requiring root to do simple things such as docker info. Like docker info needs raw access to all my file and devices and ports to run.
    – Rolf
    Commented Feb 27, 2021 at 10:57

5 Answers 5

1492
+100

Good news: the new Docker version 19.03 (currently experimental) will be able to run rootless negating the problems that can occur using a root user. No more messing with elevated permissions, root, and anything that might open up your machine when you did not want to.

Video about this from [DockerCon 2019] Hardening Docker daemon with Rootless mode

A few Caveats to the rootless Docker mode

Docker engineers say the rootless mode cannot be considered a replacement for the complete suite of Docker engine features. Some limitation to the rootless mode include:

  • cgroups resource controls, apparmor security profiles, checkpoint/restore, overlay networks etc. do not work on rootless mode.
  • Exposing ports from containers currently requires manual socat helper process.
  • Only Ubuntu-based distros support overlay filesystems in rootless mode.
  • Rootless mode is currently only provided for nightly builds that may not be as stable as you are used to.

As of Docker 19.3 this is obsolete (and more dangerous than need be):

The Docker manual has this to say about it:

Giving non-root access

The docker daemon always runs as the root user, and since Docker version 0.5.2, the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root, and so, by default, you can access it with sudo.

Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The docker daemon must always run as the root user, but if you run the docker client as a user in the docker group then you don't need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.

Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details and this blogpost on Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL (thanks michael-n).

In the recent release of the experimental rootless mode on GitHub, engineers mention rootless mode allows running dockerd as an unprivileged user, using user_namespaces(7), mount_namespaces(7), network_namespaces(7).

Users need to run dockerd-rootless.sh instead of dockerd.

$ dockerd-rootless.sh --experimental

As Rootless mode is experimental, users need to always run dockerd-rootless.sh with –experimental.


Important to read: post-installation steps for Linux (it also links to Docker Daemon Attack Surface details).

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.

If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.


  • Add the docker group if it doesn't already exist:

     sudo groupadd docker
    
  • Add the connected user "$USER" to the docker group. Change the user name to match your preferred user if you do not want to use your current user:

     sudo gpasswd -a $USER docker
    
  • Either do a newgrp docker or log out/in to activate the changes to groups.

  • You can use

     docker run hello-world
    

    to check if you can run Docker without sudo.

25
  • 6
    Yeah, but every privileged process opens up potential for exploit. Is docker hooking that deep into the operating system to really mandate that level of privileges?
    – matanox
    Commented Jan 10, 2015 at 14:24
  • 4
    newgrp docker didn't work for me, i had to log out. Commented Mar 14, 2015 at 19:29
  • 70
    It's worth pointing out that this gives that user unrestricted, non-password protected root access. See details of the vulnerability here Commented Apr 22, 2015 at 20:57
  • 8
    if you use docker login, you may find that the .docker folder created in your home folder, belongs to root. thus you would encounter this warning when running docker commands: WARNING: Error loading config file:/home/myuser/.docker/config.json - stat /home/myuser/.docker/config.json: permission denied. I made my user's .docker folder accessible without sudo like so: sudo chgrp -hR docker ~/.docker && sudo chown -R myuser ~/.docker. the chgrp didn't seem to help though, so probably I should only recommend the chown step.
    – Birchlabs
    Commented Jul 28, 2017 at 11:24
  • 16
    I had to restart Ubunutu. Logging out didn't work. Commented Nov 10, 2019 at 3:18
443

To run docker command without sudo, you need to add your user (who has root privileges) to docker group. For this run following command:

 sudo usermod -aG docker $USER

Now, have the user logout then login again. This solution is well explained here with proper installation process.

11
  • 44
    after add user to group , run this command: sg group_name -c "bash"
    – madjardi
    Commented Apr 9, 2016 at 2:12
  • 8
    you do not need to restart the OS for this change to take place! That will bomb all running containers! Just have the user that you just added log out then in.
    – Tommy
    Commented Sep 12, 2016 at 15:22
  • 8
    How is that command different to "sudo gpasswd -a ${USER} docker" in other answer? If at all... Commented Mar 9, 2017 at 15:22
  • 32
    Could you please add the warning given by the docs: " The docker group [...] is root-equivalent", so people have a chance to think about it
    – Murmel
    Commented Apr 24, 2017 at 21:28
  • 9
    Same effect as the 2 year older accepted answer, but without the warnings about the security risks Commented Apr 12, 2019 at 6:33
160

The mechanism by which adding a user to group docker grants permission to run docker is to get access to the socket of docker at /var/run/docker.sock. If the filesystem that contains /var/run has been mounted with ACLs enabled, this can also be achieved via ACLs.

sudo setfacl -m user:$USER:rw /var/run/docker.sock

I'm only including this for completeness.

In general, I recommend to avoid ACLs whenever a good alternative based on groups is available: It is better if the privileges in a system can be understood by looking at group memberships only. Having to scan the file system for ACL entries in order to understand system privileges is an additional burden for security audits.

Warning 1: This has the same root equivalence as adding $USER to the docker group. You can still start a container in a way that has root access to the host filesystem.

Warning 2: ACLs are significantly more difficult for security audits than group-based security. Probably avoid ACLs if possible when you can use groups instead, at least in audit-relevant environments.

10
  • 10
    It worked on 16.04
    – edib
    Commented Dec 12, 2017 at 8:22
  • 2
    Much better way imo. The group docker is root-equivalent and that is always a sign of danger. And I don't see any disadvantage to taking ownership of this one file.
    – xeruf
    Commented Mar 3, 2018 at 0:54
  • 11
    @Xerus if I understand correctly, whoever can write to this socket can get root-equivalent privileges too. So giving someone access to this socket via ACL has the same security effect as adding that person to the docker group. Commented Apr 23, 2018 at 15:26
  • 2
    Do the job for me on Ubuntu 20.04 Commented Feb 25, 2021 at 11:51
  • 2
    worked on 22.04 Commented May 11, 2022 at 14:05
57

After creating the docker group and adding my user to it with

sudo groupadd docker
sudo usermod -aG docker $USER

... I still had to give the /var/run/docker.sock socket and /var/run/docker directory the proper permissions to make it work:

sudo chown root:docker /var/run/docker.sock
sudo chown -R root:docker /var/run/docker

Logout and login again (with that user) then you'll be able to run docker commands without sudo:

docker run hello-world

BTW: This was fixed in Ubuntu 21.10 and is only necessary for Ubuntu versions lower than that.
Update 2024-12-11: Apparently this is an issue again with newer versions of Ubuntu (according to @overbyte - see comment).

5
  • 2
    I get chown: changing ownership of '/var/run/docker/netns/ingress_sbox': Operation not permitted
    – Soerendip
    Commented Oct 8, 2021 at 15:58
  • @Soren I just tried it right now again with Ubuntu 20.04 and all my commands from above work fine. If you use the chown command with sudo you shouldn't get any error messages. Try to reboot, log into the root accout and run the two chown commands (no sudo needed). Then logout from the root user account and into your normal user account and try to use docker without sudo. Does it work now?
    – miu
    Commented Oct 10, 2021 at 3:23
  • Worked for me with just adding the group and adding the user to the group, but after reboot. Im on Pop!_OS 20.04 LTS. One might want to reboot, try it out and only if it doesnt work use this solution. Commented Jan 29, 2023 at 12:29
  • @Soren this is because you are trying to chown while the docker daemon is running. Stop docker with systemctl stop docker then run the commands of this solution and start it again with systemctl start docker
    – A.Casanova
    Commented May 3, 2023 at 8:23
  • Still an issue in 24.10 - maybe a regression?
    – overbyte
    Commented Dec 10 at 11:29
9

Docker containers need to be run by a superuser. You can add yourself to the docker group (e.g. by running sudo usermod -aG docker $USER), but this makes it easy for anyone with access to the $USER account to gain root access to the machine (e.g. by mounting a root volume in a privileged container).

A more security-conscious way of running Docker containers as a non-root user would be to use Podman. From its website:

Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode. Simply put: alias docker=podman.

Another alternative is Singularity, which is more commonly deployed in HPC environments.

3
  • Please provide info on why docker containers must be run as a root user. Commented Jul 18, 2021 at 21:44
  • 1
    @GaTechThomas See docs.docker.com/engine/install/linux-postinstall/…. "The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user." My knowledge does not go deeper than this.
    – ostrokach
    Commented Jul 19, 2021 at 14:10
  • 2
    Docker can be run without root permisssions. See the section Run the Docker daemon as a non-root user (Rootless mode) docs.docker.com/engine/security/rootless Commented Feb 27, 2022 at 8:01

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .