docker.sock permission denied

When I try to run simple docker commands like:

$ docker ps -a

I get an error message:

> Got permission denied ... /var/run/docker.sock: connect: permission denied

When I check permissions with

$ ls -al /var/run/

I see this line:

srw-rw---- root docker docker.sock

So, I follow an advice from many forums and add local user to docker group:

$ sudo usermod -aG docker $USER

But it does not help. I still get the very same error message. How can I fix it?

For those new to the shell, the command:

$ sudo usermod -aG docker $USER

needs to have $USER defined in your shell. This is often there by default, but you may need to set the value to your login id in some shells.

---

Changing the groups of a user does not change existing logins, terminals, and shells that a user has open. To avoid performing a login again, you can simply run:

$ newgrp docker

to get access to that group in your current shell.

---

Once you have done this, the user effectively has root access on the server, so only do this for users that are trusted with unrestricted sudo access.

Reason: The error message means that the current user can’t access the docker engine, because the user hasn't enough permissions to access the UNIX socket to communicate with the engine.

Quick Fix:

1. Run the command as root using sudo.

   sudo docker ps
   

2. Change the permissions of /var/run/docker.sock for the current user.

   sudo chown $USER /var/run/docker.sock
   

Caution: Running sudo chmod 777 /var/run/docker.sock will solve your problem but it will open the docker socket for everyone which is a security vulnerability as pointed out by @AaylaSecura. Hence it shouldn't be used, except for testing purposes on the local system.

Permanent Solution:

Add the current user to the docker group.

sudo usermod -a -G docker $USER

---

Note: You have to log out and log in again for the changes to take effect.

Refer to this blog to know more about managing Docker as a non-root user.

1. Make sure your $USER variable is set

   $ echo $USER
   
   $ sudo usermod -aG docker $USER
   

2. logout

3. Upon login, restart the docker service

   $ sudo systemctl restart docker
   
   $ docker ps
   

As mentioned earlier in the comment the changes won't apply until your re-login. If you were doing a SSH and opening a new terminal, it would have worked in new terminal

But since you were using GUI and opening the new terminal the changes were not applied. That is the reason the error didn't go away

So below command did do its job, its just a re-login was missed

sudo usermod -aG docker $USER

You need to manage docker as a non-root user. To create the docker group and add your user:

1. Create the docker group.

   $ sudo groupadd docker

2. Add your user to the docker group.

   $ sudo usermod -aG docker $USER

3. Log out and log back in so that your group membership is re-evaluated.

If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

On Linux, you can also run the following command to activate the changes to groups:

$ newgrp docker

4. Verify that you can run docker commands without sudo.

$ docker run hello-world

As my user is and AD user, I have to add the AD user to the local group by manually editing /etc/group file. Unforrtunately the adduser commands do not seem to be nsswitch aware and do not recognize a user not locally defined when adding someone to a group.

Then reboot or refresh /etc/group. Now, you can use docker without sudo.

Regards.

> When I try to run simple docker commands like: $ docker ps -a > > I get an error message: Got permission denied ... /var/run/docker.sock: connect: permission denied. > > […] How can I fix it?

TL;DR: There are two ways (the first one, also mentioned in the question itself, was extensively addressed by other answers, but comes with security concerns; so I'll elaborate on this issue, and develop the second solution that can also be applicable for this fairly sensible use case).

---

Just to recall the context, the Docker daemon socket is owned by root:docker:

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock

so with this default setup, one needs to prepend all docker CLI commands by sudo.

To avoid this, one can either:

1. add one's user account ($USER) to the docker group − but that's quite risky to do this on one's personal workstation, as this would amount to provide all programs run by the user with root permissions without any sudo password prompt nor auditing.

   See also:

   • this page in the official Docker documentation:
     https://docs.docker.com/engine/security/#docker-daemon-attack-surface
   • this page that documents the related exploit:
     https://fosterelli.co/privilege-escalation-via-docker.html

2. one can otherwise prepend sudo automatically without typing sudo docker manually: to this aim, a solution consists in adding the following alias in the ~/.bashrc (see e.g. this thread for details):

   __docker() {
       if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
           docker "$@"
       else
           sudo docker "$@"
       fi
   }
   alias docker=__docker
   

   Then one can test this by opening a new terminal and typing:

   docker run --pul〈TAB〉 # → docker run --pull
                          # autocompletion works
   docker run --pull always --rm -it debian:11  # ask one's password
   \docker run --help  # bypass the alias (thanks to the \) and ask no password
   

***Important Note on these answers: the docker group is not always "docker" sometimes it is "dockerroot", for example the case of Centos 7 installation by

sudo yum install -y docker

The first thing you should do, after installing Docker, is

sudo tail /etc/group

it should say something like

......
sshd:x:74:
postdrop:x:90:
postfix:x:89:
yourusername:x:1000:yourusername
cgred:x:996:
dockerroot:x:995:

In this case, it is "dockerroot" not "docker". So,

sudo usermod -aG dockerroot yourusername
logout

enter the command and explore docker without sudo command

sudo chmod 666 /var/run/docker.sock

bash into container as root user docker exec -it --user root <dc5> bash

create docker group if it's not already created groupadd -g 999 docker

add user to docker group usermod -aG docker jenkins

change permissions chmod 777 /var/run/docker.sock

You have to use pns executer instead of docker. run the following patch which modifies the configmap and you are all set.

kubectl -n argo patch cm workflow-controller-configmap -p '{"data": {"containerRuntimeExecutor": "pns"}}' ;

ref: https://www.youtube.com/watch?v=XySJb-WmL3Q&list=PLGHfqDpnXFXLHfeapfvtt9URtUF1geuBo&index=2&t=3996s