1315

I installed Docker on my Ubuntu machine.

When I run

sudo docker run hello-world

all is ok, but I want to remove the sudo command to make the command shorter.

If I write the command without sudo

docker run hello-world

it displays the following:

docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/containers/create: dial unix /var/run/docker.sock: connect: permission denied. See 'docker run --help'.

The same happens when I try to run:

docker-compose up

How can I resolve this?

Improve this question
9

29 Answers 29

Reset to default
2446

If you want to run Docker as a non-root user, then you need to add your user to the docker group.

  1. Create the docker group if it does not exist:
$ sudo groupadd docker
  1. Add your user to the docker group:
$ sudo usermod -aG docker $USER
  1. Log in to the new docker group (to avoid having to log out and log in again; but if not enough, try to reboot):
$ newgrp docker
  1. Check if Docker can be run without root:
$ docker run hello-world

Reboot if you still get an error:

$ reboot

From the official Docker documentation "Manage Docker as a non-root user":

⚠️ Warning

The docker group grants root-level privileges to the user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

Improve this answer
18
  • 57
    @heez a reboot may not have been required, restarting docker was enough for me. sudo systemctl restart docker
    – Rattle
    Commented Oct 5, 2018 at 23:21
  • 5
    It worked for me without reboot, but I had to restart docker and switch user to my same user to refresh the login. 'sudo systemctl restart docker' then 'su - {your username}'
    – ammills01
    Commented Feb 25, 2019 at 20:24
  • 1
    I have this problem in windows any idea how can I fix it. stackoverflow.com/questions/55924416/…
    – max
    Commented May 1, 2019 at 5:46
  • 5
    @heez: su - $USER can be used to avoid the log out / log in as per this question.
    – bluenote10
    Commented Jun 7, 2019 at 12:58
  • 2
    also docker.help command suggest do newgrp docker, after this I do not need docker service to be restarted and computer reboot, changes take efferct after it
    – Ivan Bryzzhin
    Commented Jan 1, 2020 at 13:01
907

After an upgrade I got the permission denied. Doing the steps of 'mkb' post install steps don't have change anything because my user was already in the 'docker' group; I retry-it twice any way without success.

After an search hour this following solution finaly worked :

sudo chmod 666 /var/run/docker.sock

Solution came from Olshansk.

Look like the upgrade have recreate the socket without enough permission for the 'docker' group.

Problems

This hard chmod open security hole and after each reboot, this error start again and again and you have to re-execute the above command each time. I want a solution once and for all. For that you have two problems :

  • 1 ) Problem with SystemD : The socket will be create only with owner 'root' and group 'root'.

    You can check this first problem with this command :

    ls -l /lib/systemd/system/docker.socket

    If every this is good, you should see 'root/docker' not 'root/root'.

  • 2 ) Problem with graphical Login : https://superuser.com/questions/1348196/why-my-linux-account-only-belongs-to-one-group

    You can check this second problem with this command :

    groups

    If everything is correct you should see the docker group in the list. If not try the command

    sudo su $USER -c groups

    if you see then the docker group it is because of the bug.

Solutions

If you manage to to get a workaround for the graphical login, this should do the job :

sudo chgrp docker /lib/systemd/system/docker.socket
sudo chmod g+w /lib/systemd/system/docker.socket

But If you can't manage this bug, a not so bad solution could be this :

sudo chgrp $USER /lib/systemd/system/docker.socket
sudo chmod g+w /lib/systemd/system/docker.socket

This work because you are in a graphical environnement and probably the only user on your computer. In both case you need a reboot (or sudo chmod 666 /var/run/docker.sock)

Improve this answer
22
  • 5
    if docker was installed as per doc on docs.docker.com/install then you never need to deal with any such commands
    – Scott Stensland
    Commented Nov 2, 2018 at 18:48
  • 9
    @Scott Stensland I have install docker many time 'as per doc'. I think the problem come from a bad interaction with another unidentified package.
    – Galigator
    Commented Nov 3, 2018 at 8:55
  • 1
    In docker-in-docker, I was incorrectly mounting /var/run/docker.sock from the host without the :ro on the end... as soon as I added that I was good to go
    – jakebrinkmann
    Commented Jan 12, 2019 at 5:35
  • 3
    I use ubuntu 18 on EC2 - AWS and prefectly worked. All the others (sudo usermod -aG docker $ USER and other stuff) did not work
    – cherah30
    Commented Aug 17, 2019 at 13:19
  • 1
    Thanks, it fixed in Ubuntu 18.04 LTS. restating and adding to groud didn't
    – Deepansh Parmani
    Commented Nov 28, 2019 at 14:42
81
  1. Add current user to docker group
sudo usermod -aG docker $USER
  1. Change the permissions of docker socket to be able to connect to the docker daemon /var/run/docker.sock
sudo chmod 660 /var/run/docker.sock
Improve this answer
3
  • 2
    this solution worked for me for this problem docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
    – Ariful Haque
    Commented May 15, 2021 at 0:27
  • 6
    Absolutely not! Never give permission to the world! Permission on the docker socket should be 660, and as long as your user is in the docker group, you'll be fine.
    – Auspex
    Commented Nov 23, 2022 at 13:45
  • 1
    @Auspex, this was 4 years ago! please feel free to update the solution and I will be more than happy to update it :)
    – 0x3bfc
    Commented Nov 23, 2022 at 14:16
61
  1. Add docker group
$ sudo groupadd docker
  1. Add your current user to docker group
$ sudo usermod -aG docker $USER
  1. Switch session to docker group
$ newgrp - docker
  1. Run an example to test
$ docker run hello-world
Improve this answer
1
  • The newgrp command prompted for a password and didn't accept my user password. Instead su - $USER worked to avoid logging out/in.
    – bluenote10
    Commented Jun 7, 2019 at 13:00
44

If creating a docker group and adding your user to it doesn't work (the best solution, described in the previous answers), then this one is the second best alternative:

sudo chown $USER /var/run/docker.sock

What it does is changing the ownership of the docker.sock file to your user.

Note: It's a really bad practice to use chmod 666, because it gives permissions to practically everyone to access and modify the docker.sock file.

Improve this answer
31

We always forget about ACLs . See setfacl.

sudo setfacl -m user:$USER:rw /var/run/docker.sock
Improve this answer
3
  • 3
    in case its complaining that facl not found, install with sudo apt install acl
    – tushortz
    Commented Aug 9, 2021 at 1:27
  • 1
    I'm getting "setfacl: Option -m: Invalid argument near character 6" this error.
    – Muhammad Faizan Fareed
    Commented Sep 25, 2021 at 13:38
  • 1
    .sock is a socket file, these are temporary files and you'd have to run the same command every time. Setting default in the parent folder would work, but this is /var/run, and we don't want non-privileged users to have rw access over every file in /var/run.
    – Jeter-work
    Commented Feb 10, 2022 at 19:50
15

Fix Docker Issue: (Permission denied)

  • Create the docker group if it does not exist: sudo groupadd docker
  • See number of super users in the available system: grep -Po '^sudo.+:\K.*$' /etc/group
  • Export the user in linux command shell: export USER=demoUser
  • Add user to the docker group: sudo usermod -aG docker $USER
  • Run the following command/ Login or logout: newgrp docker
  • Check if docker runs ok or not: docker run hello-world
  • Reboot if you still get an error: reboot

If it does not work, run this command:

sudo chmod 660 /var/run/docker.sock

Improve this answer
6
  • 9
    Blindly 777 shouldn't be used
    – Akshay Hegde
    Commented Jun 23, 2021 at 20:14
  • @Akshay Hedge Why? I used the 777 option and it worked😅
    – Purushothaman Srikanth
    Commented Sep 13, 2021 at 9:52
  • 2
    @PurushothamanSrikanth 777 means that anyone can do anything with those files
    – Akshay Hegde
    Commented Sep 13, 2021 at 10:07
  • 1
    Don't use 777! Use 660 or 640
    – spuder
    Commented Dec 24, 2021 at 19:19
  • 2
    if 660 didn't work, you might have needed sudo chgrp docker /var/run/docker.sock but please stop blindly perpetuating the insane concept of giving docker access to the world. It's not as @AkshayHegde said that anyone can do anything to "those files", it's that anyone can do anything to your entire system once they have control of the docker socket
    – Auspex
    Commented Nov 23, 2022 at 13:50
13

You can always try Manage Docker as a non-root user paragraph in the https://docs.docker.com/install/linux/linux-postinstall/ docs.

After doing this also if the problem persists then you can run the following command to solve it:

sudo chmod 666 /var/run/docker.sock
Improve this answer
5
  • 13
    Making the docker socket readable or writable to everyone (with chmod 666) is a security disaster... This should never be recommended.
    – Aayla Secura
    Commented Apr 17, 2020 at 4:06
  • @AaylaSecura Thanks for giving us heads up but could you also please briefly explain why readable or writable sockets are disaster?
    – Hmerac
    Commented Jul 4, 2020 at 17:43
  • 2
    Anyone who can talk to the docker socket is effectively root on the host system! See this for example: fosterelli.co/privilege-escalation-via-docker and many other resources on docker privilege escalation. Making the socket world writable effectively gives all UNIX users root privileges.
    – Aayla Secura
    Commented Jul 4, 2020 at 19:29
  • 1
    Do not assign 666 permissions. 660 or 640 should be more than enough.
    – spuder
    Commented Dec 24, 2021 at 19:21
  • 2
    Absolutely not! Never give permission to the world! Permission on the docker socket should be 660, and as long as your user is in the docker group, you'll be fine.
    – Auspex
    Commented Nov 23, 2022 at 13:47
12

To fix that issue, I searched where is my docker and docker-compose installed. In my case, docker was installed in /usr/bin/docker and docker-compose was installed in /usr/local/bin/docker-compose path. Then, I write this in my terminal:

To docker:

sudo chmod +x /usr/bin/docker

To docker-compose:

sudo chmod +x /usr/local/bin/docker-compose

Now I don't need write in my commands docker the word sudo

/***********************************************************************/

ERRATA:

The best solution of this issue was commented by @mkasberg. I quote comment:

That might work, you might run into issues down the road. Also, it's a security vulnerability. You'd be better off just adding yourself to the docker group, as the docs say. sudo groupadd docker, sudo usermod -aG docker $USER. Docs: https://docs.docker.com/install/linux/linux-postinstall/

Improve this answer
4
  • 3
    That might work, you might run into issues down the road. Also, it's a security vulnerability. You'd be better off just adding yourself to the docker group, as the docs say. sudo groupadd docker, sudo usermod -aG docker $USER.
    – mkasberg
    Commented Feb 23, 2018 at 22:43
  • Hey @mkasberg! Thanks for your comment! I maked a errata to cited your solution. Thanks a lot!
    – Carlos Andres
    Commented Feb 23, 2018 at 23:38
  • this does not work
    – KansaiRobot
    Commented Jun 2, 2023 at 17:15
  • I had to also run newgrp docker after the usermod command, otherwise it doesn't work.
    – Raleigh L.
    Commented Jun 25, 2023 at 6:46
9

ubuntu 21.04 systemd socket ownership

Let me preface, this was a perfectly suitable solution for me during local development and I got here searching for ubuntu docker permission error so i'll just leave this here.

I didn't own the unix socket, so I chowned it.

sudo chown $(whoami):$(whoami) /var/run/docker.sock

Another, more permanent solution for your dev environment, is to modify the user ownership of the unix socket creation. This will give your user the ownership, so it'll stick between restarts:

sudo nano /etc/systemd/system/sockets.target.wants/docker.socket

docker.socket:

[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=YOUR_USERNAME_HERE
SocketGroup=docker

[Install]
WantedBy=sockets.target
Improve this answer
3
  • 2
    A really different solution than all others.
    – Galigator
    Commented Apr 22, 2022 at 20:00
  • Doesn't work, not even after sudo systemctl restart docker.
    – Danijel
    Commented May 12, 2022 at 11:52
  • I really don't think setting your user as the socket owner is the right answer, but upvoted because this seems to be the only answer that actually looks in the right place.
    – Auspex
    Commented Nov 23, 2022 at 13:59
5

Seriously guys. Do not add Docker in your groups or modify the socket posix (without a hardening SELinux), it's a simple way to make a root privesc. Just add an alias in your .bashrc. It's simpler and safer as: alias dc='sudo docker'.

Improve this answer
1
  • Maybe you could speak about : podman.io . But running in root seem to be usecase for developers.
    – Galigator
    Commented Jan 5, 2021 at 11:41
5

You just need the check permissions for this file /var/run/docker.sock it should be 666 chmod 666 /var/run/docker.sock

Improve this answer
1
  • 1
    Just add sudo to the above command
    – Omar Salem
    Commented Feb 18 at 20:59
4

This work for me:

Get inside the container and modify the file's ACL

sudo usermod -aG docker $USER
sudo setfacl --modify user:$USER:rw /var/run/docker.sock

It's a better solution than use chmod.

Improve this answer
1
  • .sock files are socket files and temporary by nature. You'd have to set this every time docker starts.
    – Jeter-work
    Commented Feb 10, 2022 at 19:51
3

lightdm and kwallet ship with a bug that seems to not pass the supplementary groups at login. To solve this, I also, beside sudo usermod -aG docker $USER, had to comment out

auth optional pam_kwallet.so
auth optional pam_kwallet5.so

to

#auth optional pam_kwallet.so
#auth optional pam_kwallet5.so

in /etc/pam.d/lightdm before rebooting, for the docker-group to actually have effect.

bug: https://bugs.launchpad.net/lightdm/+bug/1781418 and here: https://bugzilla.redhat.com/show_bug.cgi?id=1581495

Improve this answer
3

you can follow these steps and this will work for you:

  1. create a docker group sudo groupadd docker
  2. add your user to this group sudo usermod -aG docker $USER
  3. list the groups to make sure that docker group created successfully by running this command groups
  4. run the following command also to change the session for docker group newgrp docker
  5. change the group ownership for file docker.socksudo chown root:docker /var/run/docker.sock
  6. change the ownership for .docker directory sudo chown "$USER":"$USER" /home/"$USER"/.docker -R
  7. finally sudo chmod g+rwx "$HOME/.docker" -R

After that test you can run docker ps -a

Improve this answer
1
  • I wanted an answer that doesn't require rebooting. This was the only answer that provided that. The "trick" is to chown the docker.sock file.
    – Potherca
    Commented Jun 13, 2020 at 14:38
2

Rebooting the machine worked for me.

$ reboot
Improve this answer
1
  • this is worst solution since it will not work and restart the system :(
    – TarangP
    Commented Dec 27, 2022 at 9:32
1

I ran into a similar problem as well, but where the container I wanted to create needed to mount /var/run/docker.sock as a volume (Portainer Agent), while running it all under a different namespace. Normally a container does not care about which namespace it is started in -- that is sort of the point -- but since access was made from a different namespace, this had to be circumvented.

Adding --userns=host to the run command for the container enabled it to use the attain the correct permissions.

Quite a specific use case, but after more research hours than I want to admit I just thought I should share it with the world if someone else ends up in this situation :)

Improve this answer
1

i try this commend with sudo commend and it was ok.sudo docker pull hello-world or sudo docker run hello-world

Improve this answer
1
  • That will always work. The OP was having trouble doing it without sudo -- which should work as long as you're in the docker group
    – Auspex
    Commented Nov 23, 2022 at 14:41
1

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

To create the docker group and add your user:

  1. Create the docker group

    sudo groupadd docker

  2. Add your user to the docker group

    sudo usermod -aG docker $USER

  3. Log out and log back in so that your group membership is re-evaluated.

    If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

    On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

    On Linux, you can also run the following command to activate the changes to groups:

    newgrp docker

  4. Verify that you can run docker commands without sudo. The below command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits

    docker run hello-world

If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.

WARNING: Error loading config file: /home/user/.docker/config.json -
stat /home/user/.docker/config.json: permission denied

To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

sudo chown "$USER":"$USER" /home/"$USER"/.docker -R

sudo chmod g+rwx "$HOME/.docker" -R

All other post installation steps for docker on linux can be found here https://docs.docker.com/engine/install/linux-postinstall/

Improve this answer
1

In the Linux environment, after installing docker and docker-compose reboot is required for work docker better to avoid this issue

$ sudo systemctl restart docker
Improve this answer
1
  • Just installed docker on Ubuntu. Restarting didn't solve the "permission denied".
    – pinei
    Commented May 11, 2022 at 3:44
0

It is definitely not the case the question was about, but as it is the first search result while googling the error message, I'll leave it here.

First of all, check if docker service is running using the following command:

systemctl status docker.service

If it is not running, try starting it:

sudo systemctl start docker.service

... and check the status again:

systemctl status docker.service

If it has not started, investigate the reason. Probably, you have modified a config file and made an error (like I did while modifying /etc/docker/daemon.json)

Improve this answer
0

I tried all the described methods and nothing helped to solve the problem. The solution was to use the --use-drivers parameter when running selenoid and selenoid-ui. Below is the full listing of my Dockerfile.

FROM selenoid/chrome
USER root
RUN apt-get update
RUN apt-get -y install docker.io
RUN curl -s https://aerokube.com/cm/bash | bash
RUN ./cm selenoid start --vnc --use-drivers
RUN ./cm selenoid-ui start --use-drivers
EXPOSE 4444 8080
CMD ["-conf", "/etc/selenoid/browsers.json", "-video-output-dir", "/opt/selenoid/video/"]
Improve this answer
0

In my case it was the process itself (CI server agent) that was trying to run a docker command wasn't able to run it, but when I tried to run same command from within the same user it worked.

Restarting the daemon that runs CI server agent solved the problem.

The reason why command wasn't working from within agent before is because the agent was running before I installed docker and granted docker group permissions, and agent process used cached old permissions and was failing. Restarting the process dropped the cache and make things work out.

Improve this answer
0

Docker already created a guide to Run the Docker daemon as a non-root user (Rootless mode).

Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.

Improve this answer
0

for mac users :

sudo chown -R $(whoami) ~/.docker
Improve this answer
-1

The most straightforward solution is to type

sudo chmod 640 /var/run/docker.sock every time you boot your machine. However, this method defeats any system security that may be in place and opens up the Docker socket to everybody. If this is acceptable to you -e.g.: the only user of your machine- then use it.

Nevertheless, it will be required every time you boot your machine, you can make it run with booting by adding

start on startup
task
exec chmod 640 /var/run/docker.sock

to the /etc/init/docker-chmod.conf file.

Improve this answer
2
  • 3
    666 Is excessive permissions. 660 or 640 should be more than enough
    – spuder
    Commented Dec 24, 2021 at 19:19
  • I updated it to 640. Thanks for raising the concern.
    – Mostafa Wael
    Commented Feb 20 at 9:20
-1

After you installed docker, created 'docker' group and added user to it, edit docker service unit file:

sudo nano /usr/lib/systemd/system/docker.service

Add two lines into the section [Service]:

SupplementaryGroups=docker    
ExecStartPost=/bin/chmod 666 /var/run/docker.sock

Save the file (Ctrl-X, y, Enter)

Run and enable the Docker service:

sudo systemctl daemon-reload
sudo systemctl start docker
sudo systemctl enable docker
Improve this answer
2
  • Almost right. Never give permission to the world! Permission on the docker socket should be 660, and as long as your user is in the docker group, you'll be fine.
    – Auspex
    Commented Nov 23, 2022 at 14:44
  • what's the purpose of SupplementaryGroups=docker ?
    – reisub83
    Commented Mar 8, 2023 at 11:01
-1

After Docker Installation on Centos. While running below command I got below error.

[centos@aiops-dev-cassandra3 ~]$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.soc k/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

Change Group and Permission for docker.socket

[centos@aiops-dev-cassandra3 ~]$ ls -l /lib/systemd/system/docker.socket
-rw-r--r--. 1 root root 197 Nov 13 07:25 /lib/systemd/system/docker.socket
[centos@aiops-dev-cassandra3 ~]$ sudo chgrp docker /lib/systemd/system/docker.socket
[centos@aiops-dev-cassandra3 ~]$ sudo chmod 666 /var/run/docker.sock
[centos@aiops-dev-cassandra3 ~]$ ls -lrth /var/run/docker.sock
srw-rw-rw-. 1 root docker 0 Nov 20 11:59 /var/run/docker.sock
[centos@aiops-dev-cassandra3 ~]$

Verify by using below docker command

[centos@aiops-dev-cassandra3 ~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:c3b4ada4687bbaa170745b3e4dd8ac3f194ca95b2d0518b417fb47e5879d9b5f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/get-started/

[centos@aiops-dev-cassandra3 ~]$
Improve this answer
1
  • Absolutely not! Never give permission to the world! Permission on the docker socket should be 660, and as long as your user is in the docker group, you'll be fine.
    – Auspex
    Commented Nov 23, 2022 at 14:43
-8

A simple hack is to execute as a "Super User".

To access the super user or root user, follow:

At user@computer:

$sudo su

After you enter your password, you'll be at root@computer:

$docker run hello-world
Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.