I have installed Docker on my Pop OS according to the official tutorial (I also created a docker user group and added myself to it). In IntelliJ Idea I am getting:
Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running? No such file or directory.
systemctl status docker shows that docker.service is active.
My permissions:
ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Feb 28 09:05 /var/run/docker.sock
You need to :
Add your $user to the docker group:
sudo usermod -aG docker $USER
Log out, and then log back in.
Docker configuration settings:
Unix socket: This is the recommended connection option for Linux.
note
If you get permission denied errors, add the current user to the docker group on the machine, log out, and then log back in. The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
I've solved the issue by re-installing Intellij. My version was from the pop-os application store and causes the problem, but the interesting fact - other things work as expected. So the version from the JetBrains toolbox did the trick.
Related
I am doing docker-outside-of-docker, so I mount the host's /var/run/docker.sock into the container via bind-mount.
Now the user and group within the container differ from the one on the host, although they are supposed to be the same.
Container:
ls -lna /var/run/docker.sock
srwxr-xr-x 1 0 0 0 Sep 2 21:30 /var/run/docker.sock
^- owner
^-group
Host:
lrwxr-xr-x 1 0 1 74 2 Sep 23:30 /var/run/docker.sock -> /Users/(...)/docker.sock
^- owner
^-group
As the container is running with a non-root user, and I cannot get the groups to align, this results in a permission denied error when trying to execute docker commands.
$ docker --version
Docker version 20.10.5, build 55c4c88
Solution
Via an entrypoint script, I set the needed permission on container startup.
chown root:docker /var/run/docker.sock
chmod g+w /var/run/docker.sock
It requires that the container starts as root, and only after setting the permission changes to the jenkins user.
This solution works independent of the gRPC FUSE setting of Docker Desktop/Docker for Mac.
Dead Ends
I gave up to solve the permission question with a bind-mount. Because:
Turns out, I overlooked that the host's /var/run/docker.sock is a symbolic link. I thought, due to that symbolic link, the permissions are not transferred as expected. But I could not find documentation about it, only hints
When bind-mounting the link target directly, when running a docker command I get
Error response from daemon: Mounts denied: approving /Users/(...)/docker.sock: file does not exist
Presumably because the file is a socket link (see ls' long format).
Turns out, this appears to be caused by the gRPC FUSE file sharing setting of my Docker Desktop. Disabling it made the error go away, and the socket link docker.sock gets mounted with the container user as owner and group automatically.
However, exeuting e.g. docker image ls inside the container results in an unexplainable error now:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
This question already has answers here:
How to fix docker: Got permission denied issue
(33 answers)
Closed 1 year ago.
I was just getting started with docker, and I run this:
docker pull redis
and I get a permission denied error. It turns out, docker writes to /var/* directories, which requires permission to write. and so many other docker commands also require something like:
sudo docker ***
Now, I don't really like the notion of add root privileges to every docker command.(It might be because I just don't know docker much yet, but that's true with every program). Is this a requirement by docker?
If it is not required, then how do I configure it so that it is much like other programs, that only ask me privileges when they need to, all the pulling, running commands would just write to my normal directories or run from them, not from a system directory.
EDIT: my concern was, if docker was allowed access to system files, meaning, it has some embedded scipt that had a potential harm to the computer, and it executed when I ran the docker. Since, I give it root privileges, the script could do anything. Would adding it to the user group instead of sudo fix that?
By default Docker runs an always-on daemon on your system which requires root privileges (Experimental non-root Docker support exists though).
The common approach is to add your User to the docker group which allows you to run docker without having to sudo: https://docs.docker.com/engine/install/linux-postinstall/
sudo usermod -aG docker $USER
newgrp docker
If you are interested in non-root Docker the following might be interesting:
https://podman.io/
https://docs.docker.com/engine/security/rootless/
You are not probably part of docker group as user. You could try post-installations steps mentioned on here.
Create group docker:
sudo groupadd docker
Add user to the group
sudo usermod -aG docker $USER
Reload changes:
newgrp docker
I am working on Docker and before i execute any command on Docker CLI , I need to switch to root used using the command
sudo su - root
Can anyone please tell me why we need to switch to root user to perform any operation on Docker Engine?
you don't need to switch to root for docker cli commands and it is common to add your user to the docker group
sudo groupadd docker
sudo usermod -aG docker $USER
see: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
the reason why docker is run as root:
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
Using docker commands, you can trivially get root-level access to any part of the host filesystem. The very most basic example is
docker run --rm -v /:/host busybox cat /host/etc/shadow
which will get you a file of encrypted passwords that you can crack offline at your leisure; but if I wanted to actually take over the machine I'd just write my own line into /host/etc/passwd and /host/etc/shadow creating an alternate uid-0 user with no password and go to town.
Docker doesn't really have any way to limit what docker commands you can run or what files or volumes you can mount. So if you can run any docker command at all, you have unrestricted root access to the host. Putting it behind sudo is appropriate.
The other important corollary to this is that using the dockerd -H option to make the Docker socket network-accessible is asking for your system to get remotely rooted. Google "Docker cryptojacking" for some more details and prominent real-life examples.
I have access to a server by ssh with docker version 1.13.1 and I'm
just trying to load a local image using docker load -i
and I'm receiving this error message:
docker load -i docker.img
Error processing tar file(exit status 1): permission denied
And by the way:
docker image import docker.img
Error response from daemon: ApplyLayer exit status 1 stdout: stderr: permission denied
The img file has all the permissions:
> ls -l
> -rwxrwxrwx 1 myuser myuser 9278464 Mar 22 19:12 docker.img*
And docker seems to work rigth:
> docker images
> REPOSITORY TAG IMAGE ID CREATED SIZE
The image works perfectly fine in my local machine...
Any idea about what can be happening here ? The host is running ubuntu 16.04, i was looking for an answer about 1 hour...
=======
I could figure it out, the problem was that I was accessing a proxmox container
not fully virtualized, so, docker requires kernel capabilities that I had not. I searched for the correct proxmox configuration and I solve the issue.
You are trying to execute docker commands as which user?, Standard account or as root user?
Note that the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.
If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.
First, check if docker group exists on your server. If not, then add it
$ sudo groupadd docker
Add your user to the docker group.
$ sudo usermod -aG docker $USER
Log out and log back in so that your group membership is re-evaluated
I have installed docker in Linux Mint 17 Qiana (which is based on Ubuntu 14.04) present in the Oracle VM. If I tries to start, it shows the following error,
FATA[0000] Get http:///var/run/docker.sock/v1.18/containers/json: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?
I couldn't find any useful information regarding this when I tried googling regarding the same. This stackoverflow question suggesting to restart my system, but it doesn't work.
I'm seeing the following related questions which are unhelpful.
/var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?
Docker: Are you trying to connect to a TLS-enabled daemon without TLS?
So, any help on this would be greatly helpful.
I don't know how it comes with .deb package (I'm using Fedora), but TLS shouldn't be set by default, so I would suggest following some basic steps to see if it is running correctly.
1. Check if docker daemon is running
ps aux | grep docker
root 4215 0.1 0.1 440156 17332 ? Ssl 15:48 0:00 /usr/bin/docker -d -D --bip=172.17.42.1/16 --dns=172.17.42.1 --dns-search=docker -s overlay
wololock 8986 0.0 0.0 113024 2304 pts/1 S+ 15:50 0:00 /usr/bin/grep docker
I the docker process is not running, try sudo /etc/init.d/docker start or sudo service docker start
2. Check if /var/run/docker.sock exists
ls -la /var/run/docker.*
-rw-r--r--. 1 root root 4 04-23 15:48 /var/run/docker.pid
srw-rw----. 1 root docker 0 04-23 15:48 /var/run/docker.sock
The important part here is that file need to be own by group docker, so you can connect to it without root permissions.
If docker.sock does not exist, you can try running docker from the command line with debug mode on to see what causes the problem:
sudo docker -d -D
3. Check if your user is added to docker group
id -a
uid=1000(wololock) gid=1000(wololock) grupy=1000(wololock),0(root),10(wheel),100(users),977(docker),989(pkg-build)
If you wont find your user in docker group, try adding yourself to it by:
sudo gpasswd -a [username] docker
4. Get the latest docker version
If the previous attempts wont help, try getting the latest docker version from https://docs.docker.com/installation/ubuntulinux/#installing-docker-on-ubuntu I'm not sure, but this line:
FATA[0000] Get http:///var/run/docker.sock/v1.18/containers/json:
suggests that you're using docker v1.18. I might be wrong, but if it's true, this is not the most recent docker version and it should be upgraded. I use currently docker v1.5.0, it works well on Fedora 21
IMPORTANT: UBUNTU / LINUX MINT USERS
The problem we discussed here was caused by missing (or not running) apparmor package in the ubuntu/linuxmint distribution. The easiest way to fix it is to install apparmor:
sudo apt-get install apparmor
If it's installed yet not running, start it with:
sudo service apparmor start
https://wiki.ubuntu.com/AppArmor
https://github.com/docker/docker/issues/9745
I hope my answer will help you in resolving your problem. If you have any questions, feel free to ask. I will try to help you as much as I can.