Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
Docker Solutions
Solution 1 - Docker
The user jenkins needs to be added to the group docker:
sudo usermod -a -G docker jenkins
Then restart Jenkins.
Edit
If you arrive at this Stack Overflow question because you receive this message from docker but you don't use jenkins, most probably the error is the same: your unprivileged user does not belong to the docker group.
You can do:
sudo usermod -a -G docker [user]
Insert your user name where [user] is.
You can check it was successful by doing grep docker /etc/group and see something like this:
docker:x:998:[user]
in one of the lines.
Then change your user's group ID to docker:
newgrp docker
Finally, log out and log in again
Solution 2 - Docker
My first solutions were:
usermod -aG docker jenkins
usermod -aG root jenkins
chmod 664 /var/run/docker.sock
But none of them worked for me. I tried:
chmod 777 /var/run/docker.sock
That works, but I don't know if it is the right call.
Solution 3 - Docker
Success for me
sudo usermod -a -G docker $USER
reboot
Solution 4 - Docker
2018-08-19
I have been stuck for days on this one and as I haven't found a complete answer with the why and how, I will post one for other people that stumble on the same problem and answers from above do not work.
These are the 3 crucial steps when running Jenkins inside docker:
- You mount the socket /var/run/docker.sock to the jenkins container in order to be able to use the docker from the host.
- You have to install docker inside the container in order to use it. This is a great and simple article on how to do that. Note that newer versions might already have docker installed.
- You run sudo usermod -a -G docker jenkins in order to add jenkins to the docker group. However, here you might run into a permission problem if the host docker and the container docker don't have the same group id, so it is very important to adjust the container docker's gid to be the same as the host docker gid.
You can do this as a part of a launch script or simply by using exec and doing it manually: groupmod -g <YOUR_HOST_DOCKER_GID> docker.
Also, do not change permissions of the /var/run/docker.sock to 777 or stuff like that because that is a big security risk; you are basically giving everyone permission to use docker on your machine.
Hope this helps
Solution 5 - Docker
Change the access permission of the docker.sock file
chmod 777 /var/run/docker.sock
or you can use sudo at the start of the command.
chmod 777 will allow all actions for all users, while chmod 666 will allow all users to read and write but not execute the file.
Solution 6 - Docker
Method 01 :- Safer method
sudo usermod -aG docker ${USER}
To apply the new group membership, log out of the server and back in, or type the following:
su - ${USER}
You will be prompted to enter your user’s password to continue. Confirm that your user is now added to the docker group by typing:
id -nG
Method 02 :- Not recommended for public deployments (Unsafe)
chmod 777 /var/run/docker.sock
or use
sudo chown root:docker /var/run/docker.sock
Solution 7 - Docker
This works for me in Ubuntu 20.04
sudo chmod 666 /var/run/docker.sock
I don't know what exactly it does, but it solves the problem.
Solution 8 - Docker
I added the jenkins user to root group and restarted the jenkins and it started working.
sudo usermod -a -G root jenkins
sudo service jenkins restart
Solution 9 - Docker
Simply adding docker as a supplementary group for the jenkins user
sudo usermod -a -G docker jenkins
is not always enough when using a Docker image as the Jenkins Agent. That is, if your Jenkinsfile starts with pipeline{agent{dockerfile or pipeline{agent{image:
pipeline {
    agent {
        dockerfile {
            filename 'Dockerfile.jenkinsAgent'
        }
    }
    stages {
This is because Jenkins performs a docker run command, which results in three problems.
- The Agent will (probably) not have the Docker programs installed.
- The Agent will not have access to the Docker daemon socket, and so will try to run Docker-in-Docker, which is not recommended.
- Jenkins gives the numeric user ID and numeric group ID that the Agent should use. The Agent will not have any supplementary groups, because docker run does not do a login to the container (it's more like a sudo).
Installing Docker for the Agent
Making the Docker programs available within the Docker image simply requires running the Docker installation steps in your Dockerfile:
# Dockerfile.jenkinsAgent
FROM debian:stretch-backports
# Install Docker in the image, which adds a docker group
RUN apt-get -y update && \
apt-get -y install \
apt-transport-https \
ca-certificates \
curl \
gnupg \
lsb-release \
software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"
RUN apt-get -y update && \
apt-get -y install \
docker-ce \
docker-ce-cli \
containerd.io
...
Sharing the Docker daemon socket
As has been said before, fixing the second problem means running the Jenkins Docker container so it shares the Docker daemon socket with the Docker daemon that is outside the container. So you need to tell Jenkins to run the Docker container with that sharing, thus:
pipeline {
    agent {
        dockerfile {
            filename 'Dockerfile.jenkinsAgent'
            args '-v /var/run/docker.sock:/var/run/docker.sock'
        }
    }
Setting UIDs and GIDs
The ideal fix to the third problem would be to set up supplementary groups for the Agent. That does not seem possible. The only fix I'm aware of is to run the Agent with the Jenkins UID and the Docker GID (the socket has group write permission and is owned by root.docker). But in general, you do not know what those IDs are (they were allocated when the useradd ... jenkins and groupadd ... docker ran when Jenkins and Docker were installed on the host). And you cannot simply tell Jenkins to use user jenkins and group docker
args '-v /var/run/docker.sock:/var/run/docker.sock -u jenkins:docker'
because that tells Docker to use the user and group that are named jenkins and docker within the image, and your Docker image probably does not have the jenkins user and group, and even if it did there would be no guarantee it would have the same UID and GID as the host, and there is similarly no guarantee that the docker GID is the same.
Fortunately, Jenkins runs the docker build command for your Dockerfile in a script, so you can do some shell-script magic to pass through that information as Docker build arguments:
pipeline {
    agent {
        dockerfile {
            filename 'Dockerfile.jenkinsAgent'
            additionalBuildArgs '--build-arg JENKINSUID=`id -u jenkins` --build-arg JENKINSGID=`id -g jenkins` --build-arg DOCKERGID=`stat -c %g /var/run/docker.sock`'
            args '-v /var/run/docker.sock:/var/run/docker.sock -u jenkins:docker'
        }
    }
That uses the id command to get the UID and GID of the jenkins user and the stat command to get information about the Docker socket.
Your Dockerfile can use that information to set up a jenkins user and docker group for the Agent, using groupadd, groupmod and useradd:
# Dockerfile.jenkinsAgent
FROM debian:stretch-backports
ARG JENKINSUID
ARG JENKINSGID
ARG DOCKERGID
...
# Install Docker in the image, which adds a docker group
RUN apt-get -y update && \
apt-get -y install \
apt-transport-https \
ca-certificates \
curl \
gnupg \
lsb-release \
software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"
RUN apt-get -y update && \
apt-get -y install \
docker-ce \
docker-ce-cli \
containerd.io
...
# Setup users and groups
RUN groupadd -g ${JENKINSGID} jenkins
RUN groupmod -g ${DOCKERGID} docker
RUN useradd -c "Jenkins user" -g ${JENKINSGID} -G ${DOCKERGID} -M -N -u ${JENKINSUID} jenkins
Solution 10 - Docker
I faced a similar issue, which is a permission issue, and the cause of this issue is that the Docker daemon/server always runs as the root user, and wants you to always preface the docker command with sudo.
Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo.
To fix this, here's what worked for me:
Firstly, check if you have a docker group already created:
cat /etc/group
If you don't find docker in the list that is displayed, then you will need to create one:
sudo groupadd docker
Next, confirm your user and your group using the command below:
cat /etc/group
Scroll through to see the group for docker. It should be of this format:
docker:x:140:promisepreston
where docker is my group and promisepreston is my user.
Now we can add your user to the docker group.
Also add your user to the “docker” group if you would like to use Docker as a non-root user:
Copy and run the command below in your terminal exactly how it is stated without modifying it in any way, regardless of the docker image/container/command that you want to run or are trying to run or is causing the permission issue:
sudo usermod -aG docker $USER
After running the command above, you will need to Log out and log back in so that your group membership is re-evaluated. However, on Linux, you can also run the following command below to activate the changes to groups (Copy and run the command below in your terminal exactly how it is stated without modifying it in any way, regardless of the docker image/container/command that you want to run or are trying to run or is causing the permission issue):
newgrp docker
OR
sudo systemctl restart docker
You can now verify that you can run docker commands without sudo permissions by running the command that is causing the permissions issue again, say (replace my-command with the name of your image/container/command):
docker run my-command
For Docker and Local filesystem files:
If you have a copy of the files on your local filesystem, then you can change the ownership of the application directory where the application files are stored, using this format:
sudo chown your_user:your_group -R my-app-directory/
So in my case it will be:
sudo chown promisepreston:docker -R my-app-directory/
Note: Please run this command inside the parent directory housing the application directory.
That's all.
I hope this helps
Solution 11 - Docker
I have Jenkins running in Docker, and the connected Jenkins is using the Docker socket from the host machine (Ubuntu 16.04) via a volume to /var/run/docker.sock.
For me the solution was:
- Inside the Docker container of Jenkins (docker exec -it jenkins bash on host machine):
usermod -a -G docker jenkins
chmod 664 /var/run/docker.sock
service jenkins restart (or systemctl restart jenkins.service)
su jenkins
- On host machine:
sudo service docker restart
664 means read and write (but not execute) for owner and users from group.
Solution 12 - Docker
Step 1: add your username to the docker group:
sudo usermod -a -G docker $USER
Then logout and login again.
Step 2: Then change docker group ID :
newgrp docker
Bonus: Check your new group:
id -g
P.S If you are interested, the reference is here.
Solution 13 - Docker
While doing production config I got the permission issue. I tried the solution below to resolve the issue.
Error Message
ubuntu@node1:~$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.38/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
Solution: permissions of the socket indicated in the error message, /var/run/docker.sock:
ubuntu@ip-172-31-21-106:/var/run$ ls -lrth docker.sock
srw-rw---- 1 root root 0 Oct 17 11:08 docker.sock
ubuntu@ip-172-31-21-106:/var/run$ sudo chmod 666 /var/run/docker.sock
ubuntu@ip-172-31-21-106:/var/run$ ls -lrth docker.sock
srw-rw-rw- 1 root root 0 Oct 17 11:08 docker.sock
After changing the permissions for docker.sock, execute the command below to check permissions.
ubuntu@ip-172-31-21-106:/var/run$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:c3b4ada4687bbaa170745b3e4dd8ac3f194ca95b2d0518b417fb47e5879d9b5f
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
Solution 14 - Docker
In my case, it was not only necessary to add the jenkins user to the docker group, but also to make that group the primary group of the jenkins user.
# usermod -g docker jenkins
# usermod -a -G jenkins jenkins
Don't forget to reconnect the jenkins slave node or restart the jenkins server, depending on your case.
Solution 15 - Docker
2019-05-26
This worked for me !
Example docker-compose:
version: "3"
services:
  jenkins:
    image: jenkinsci/blueocean
    privileged: true
    ports:
      - "8080:8080"
    volumes:
      - $HOME/learning/jenkins/jenkins_home:/var/jenkins_home
    environment:
      - DOCKER_HOST=tcp://socat:2375
    links:
      - socat
  socat:
    image: bpack/socat
    command: TCP4-LISTEN:2375,fork,reuseaddr UNIX-CONNECT:/var/run/docker.sock
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    expose:
      - "2375"
Solution 16 - Docker
2019-02-16
Most of the steps were the same for me as the others have written. However, I was not able to add jenkins to the group docker using usermod with the mentioned solutions.
I tried the following command from the docker host, and from the running docker container:
sudo usermod -a -G docker jenkins
(I entered to the running docker container with the following command from the docker host:
docker exec -t -i my_container_id_or_name /bin/bash
)
Received from docker host:
> usermod: user 'jenkins' does not exist
Received from docker container:
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> [sudo] password for jenkins:
I didn't know the password.
Without the sudo part of the command, in the docker container I received:
> usermod: Permission denied.
> usermod: cannot lock /etc/passwd; try again later.
Solution: I entered to the running docker container from the docker host with the following command:
docker exec -t -i -u root my_container_id_or_name /bin/bash
Now, I entered as root, and issued the following command:
usermod -a -G docker jenkins
Then, from the docker host, I restarted my running docker container with the following command:
docker restart my_container_id_or_name
After that, I started the jenkins job and it finished with success.
I only used the root user to issue the usermod command for the user jenkins.
Solution 17 - Docker
If you may get errors like below,
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
or
level=error msg="failed to dial gRPC: cannot connect to the Docker daemon. Is 'docker daemon' running on this host?: dial unix /var/run/docker.sock: connect: permission denied"
Just try to execute the following commands,
$ sudo su - jenkins
$ sudo usermod -a -G docker $USER
$ sudo chown jenkins:docker /var/run/docker.sock
Solution 18 - Docker
I'm using the official jenkins docker image (https://hub.docker.com/r/jenkins/jenkins) but I think this solution is applicable to most use cases where we want to run Docker inside a Docker container.
The recommended way of using Docker inside a Docker container is to use the Docker daemon of the host system. Good article regarding that: https://itnext.io/docker-in-docker-521958d34efd.
The secret to handle the permission issue, which this question is about, is to add permissions for the user of the container inside the container, not the host system. Only root user has permissions to do that by default, so
docker exec -it -u root <container-name> bash
usermod -a -G docker <username>
will do it. Remember to restart the container.
I guess the simplest way to achieve this is to create a customised Dockerfile:
# Official jenkins image
FROM jenkins/jenkins:lts
# Switch to root to be able to install Docker and modify permissions
USER root
RUN apt-get update
# Install docker
RUN curl -sSL https://get.docker.com/ | sh
# Add jenkins user to docker group
RUN usermod -a -G docker jenkins
# Switch back to default user
USER jenkins
# Build the image:
# sudo docker build -t yourusername/imagename .
# Run the image and mount with the following bind mount option:
# sudo docker run --name imagename -d -p8080:8080 -v /var/run/docker.sock:/var/run/docker.sock yourusername/imagename
Solution 19 - Docker
In my case this will work successfully. Navigate to your local repo and enter this command.
sudo chmod 666 /var/run/docker.sock
Solution 20 - Docker
sudo usermod -a -G docker jenkins
sudo service jenkins restart
Solution 21 - Docker
I am running Jenkins inside a docker container. The simplest solution for me was to make a custom image that dynamically sets the GID, like:
FROM jenkins/jenkins:lts
...
CMD DOCKER_GID=$(stat -c '%g' /var/run/docker.sock) && \
groupadd -for -g ${DOCKER_GID} docker && \
usermod -aG docker jenkins && \
sudo -E -H -u jenkins bash -c /usr/local/bin/jenkins.sh
See: https://github.com/jenkinsci/docker/issues/263
Alternatively you could launch jenkins with the following options:
-v /var/run/docker.sock:/var/run/docker.sock \
-u jenkins:$(getent group docker | cut -d: -f3)
This assumes your jenkins image has docker client installed. See: https://getintodevops.com/blog/the-simple-way-to-run-docker-in-docker-for-ci
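Several answers above trace the error to numeric IDs (the container's docker GID differing from the host's in Solutions 4, 9 and 21, the root:root socket shown in Solution 13) or work around it with chmod 666/777. The diagnostic below is an added example, not code from any of the answers: it applies the owner/group/other permission rule to the values that stat and id report and names the cause. The function names and finding codes are hypothetical.

```shell
#!/bin/sh
# Added example: explain a "permission denied" on the Docker socket from the
# numbers that stat(1) and id(1) report. Names and codes are hypothetical.
# connect(2) on a Unix socket needs the write bit of whichever permission
# class (owner, group, other) applies to the caller.

# socket_verdict MODE OWNER_UID SOCK_GID USER_UID "USER_GIDS"
#   MODE as printed by `stat -c %a`, USER_GIDS as printed by `id -G`.
#   Prints ok:<class> or denied:<class>; class is root|owner|group|other.
socket_verdict() (
    mode=$((0$1)); owner=$2; sgid=$3; uid=$4; gids=$5
    if [ "$uid" -eq 0 ]; then class=root
    elif [ "$uid" -eq "$owner" ]; then class=owner
    else
        class=other
        for g in $gids; do
            if [ "$g" -eq "$sgid" ]; then class=group; fi
        done
    fi
    case $class in
        root)  bit=1 ;;
        owner) bit=$((mode & 0200)) ;;
        group) bit=$((mode & 0020)) ;;
        other) bit=$((mode & 0002)) ;;
    esac
    if [ "$bit" -ne 0 ]; then echo "ok:$class"; else echo "denied:$class"; fi
)

# socket_finding VERDICT MODE SOCK_GID LOCAL_DOCKER_GID
#   LOCAL_DOCKER_GID is empty when no group named docker exists locally.
socket_finding() (
    verdict=$1; mode=$((0$2)); sgid=$3; dgid=$4
    if [ $((mode & 0002)) -ne 0 ]; then
        echo world-writable     # chmod 666/777: every local account can drive the daemon
    elif [ "${verdict%%:*}" = ok ]; then
        echo ok
    elif [ -z "$dgid" ]; then
        echo no-docker-group
    elif [ "$dgid" -ne "$sgid" ]; then
        echo gid-mismatch       # local docker group and socket disagree on the GID
    else
        echo not-in-group-or-stale-session   # usermod not run, or no new login yet
    fi
)

# diagnose [SOCKET]: gather the live values for the current process.
# id without a user name reports this process's credentials, which is what
# the kernel checks; a session older than the usermod call lacks the new group.
diagnose() (
    sock=${1:-/var/run/docker.sock}
    st=$(stat -c '%a %u %g' "$sock") || exit 1
    set -- $st
    dgid=$(getent group docker | cut -d: -f3)
    v=$(socket_verdict "$1" "$2" "$3" "$(id -u)" "$(id -G)")
    echo "$sock mode=$1 uid=$2 gid=$3" \
         "verdict=$v finding=$(socket_finding "$v" "$1" "$3" "$dgid")"
)

# Run against the live socket only when one is present.
if [ -S /var/run/docker.sock ]; then diagnose; fi
```

Run it as the account that gets the error (for example as jenkins inside the container), since the result depends on that process's own UID and group list.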
Solution 22 - Docker
If you're running Jenkins inside a docker container and your Jenkins is linking to the host docker then you can fix that just by the Dockerfile below:
FROM jenkins/jenkins:2.179
USER root
RUN groupadd docker && usermod -a -G docker jenkins
USER jenkins
Solution 23 - Docker
>sudo setfacl --modify user:(user name or ID):rw /var/run/docker.sock
Several times I tried to execute the command
>sudo chmod 777 /var/run/docker.sock
but unfortunately, I have to do this every time when I'm logging in to ubuntu system. It doesn't require a restart and is more secure than usermod or chown. user ID is required when the user name only exists inside the container, but not on the host.
I hope that it will help you solve the problem.
Solution 24 - Docker
Check if your docker is running: sudo systemctl status docker
To check the error: docker ps -a
Give permission: sudo usermod -aG docker ${USER}, then the next command: su - ${USER}
Check again if it gives an error: docker ps -a
Solution 25 - Docker
We have two methods to solve this issue.
Method 1: Apply the new group membership
sudo usermod -aG docker ${USER}
su - ${USER}
Method 2: Change the file permission and group permissions
chmod 777 /var/run/docker.sock
sudo chown root:docker /var/run/docker.sock
Method 1 is the secure method.
Solution 26 - Docker
On the server where Jenkins is running, I used
sudo setfacl -m user:tomcat:rw /var/run/docker.sock
And then run each docker container with
-v /var/run/docker.sock:/var/run/docker.sock
Using setfacl seems a better option, and no "-u user" is needed. The containers then run as the same user that is running Jenkins. But I would appreciate any feedback from the security experts.
Solution 27 - Docker
use below dockerfile
FROM jenkins/jenkins
USER root
# Install Docker
RUN apt-get update && \
apt-get -y install apt-transport-https \
ca-certificates \
curl \
gnupg2 \
software-properties-common && \
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg > /tmp/dkey; apt-key add /tmp/dkey && \
add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
$(lsb_release -cs) \
stable" && \
apt-get update && \
apt-get -y install docker-ce
# Compose
RUN curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose
RUN usermod -aG docker jenkins
RUN usermod -aG root jenkins
USER jenkins
Solution 28 - Docker
in my case it was just starting docker service :
sudo service docker start
Solution 29 - Docker
If someone is still facing the issue on their local machine(Ubuntu) then try below command:
sudo chmod 666 /var/run/docker.sock
Solution 30 - Docker
If you want to keep it simple, use fixdockergid in your Dockerfile.
Solution 31 - Docker
In addition to adding the user to the docker group and trying everything mentioned in this thread, it took me a while to realize that I had to restart my terminal and then log back into the ec2 instance. It worked after that.
Solution 32 - Docker
I was getting the problem that after restarting the ubuntu server, docker was losing the access if I had given the permission via sudo chmod 666 /var/run/docker.sock
Hence I needed to add my username (ubuntu) to the docker group via: sudo usermod -aG docker ubuntu
Solution 33 - Docker
You often need a reboot for the new user group and user to take effect.
Solution 34 - Docker
I was able to make this work as well without having to change the permissions on the local unix socket /var/run/docker.sock. What I had to do was to enable tcp connections on the build agent node and then specify the docker host in the Jenkins cloud configuration.
Assuming that you are using an aws image, ssh into your build agent node(s) and enable tcp ports using the /etc/sysconfig/docker file.
Add the -H tcp://0.0.0.0:2376 option.
# Additional startup options for the Docker daemon, for example:
# OPTIONS="--ip-forward=true --iptables=true"
# By default we limit the number of open files per container
OPTIONS="-H tcp://0.0.0.0:2376 --default-ulimit nofile=1024:4096"
Make sure to restart the daemon using sudo service docker restart
Finally you need to tell Jenkins to use tcp by default using the DOCKER_HOST environment variable configured in the cloud nodes configuration. Note this is not a configuration in the Jenkins pipeline environment.
Navigate to Jenkins -> Manage Jenkins -> Manage Cloud And Nodes -> Some Configuration -> Node Properties -> Environment Variables
Then add your DOCKER_HOST environment variable.
NOTE: I am using Launch agents via ssh to make this work.
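A check for the OPTIONS line edited in the answer above, as an added example that is not part of the original answer: it lists each TCP listener in a dockerd option string and whether --tlsverify is set, because a TCP listener without it serves the Docker API to anything that can reach the port. The function name is hypothetical, and the address and certificate paths in the second sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: list the TCP listeners in a dockerd option string and
# whether TLS client verification protects them. Function name is hypothetical.

# audit_dockerd_opts "OPTION STRING"
#   Prints "<addr> <tls|plain> <all-interfaces|restricted>" per tcp:// listener.
#   Exit status 1 if any TCP listener is served without --tlsverify.
audit_dockerd_opts() (
    set -f                      # no filename expansion while splitting options
    tls=plain; hosts=""; take_next=0
    for w in $1; do
        if [ "$take_next" -eq 1 ]; then
            hosts="$hosts $w"; take_next=0; continue
        fi
        case $w in
            -H|--host)   take_next=1 ;;
            --host=*)    hosts="$hosts ${w#*=}" ;;
            --tlsverify|--tlsverify=true) tls=tls ;;
        esac
    done
    rc=0
    for h in $hosts; do
        case $h in
            tcp://*) addr=${h#tcp://} ;;
            *)       continue ;;    # unix:// and fd:// are not network listeners
        esac
        case $addr in
            0.0.0.0:*|\[::\]:*|:*) scope=all-interfaces ;;
            *)                     scope=restricted ;;
        esac
        echo "$addr $tls $scope"
        if [ "$tls" = plain ]; then rc=1; fi
    done
    exit "$rc"
)

# OPTIONS value from the answer above.
PAGE_OPTS='-H tcp://0.0.0.0:2376 --default-ulimit nofile=1024:4096'
# Constructed hardened variant: address and certificate paths are placeholders.
TLS_OPTS='-H unix:///var/run/docker.sock -H tcp://10.0.0.5:2376 --tlsverify
  --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem
  --tlskey=/etc/docker/server-key.pem --default-ulimit nofile=1024:4096'

audit_dockerd_opts "$PAGE_OPTS" || echo "TCP listener without client verification"
audit_dockerd_opts "$TLS_OPTS"  && echo "all TCP listeners require client certificates"
```

To audit a live host, source /etc/sysconfig/docker and pass "$OPTIONS" to the function.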
Solution 35 - Docker
Maybe you should run the docker with option "-u root" from the very beginning
At least that solved my problem