This question already has answers here:
How to fix docker: Got permission denied issue
(33 answers)
Closed 1 year ago.
I was just getting started with docker, and I run this:
docker pull redis
and I get a permission denied error. It turns out, docker writes to /var/* directories, which requires permission to write. and so many other docker commands also require something like:
sudo docker ***
Now, I don't really like the notion of add root privileges to every docker command.(It might be because I just don't know docker much yet, but that's true with every program). Is this a requirement by docker?
If it is not required, then how do I configure it so that it is much like other programs, that only ask me privileges when they need to, all the pulling, running commands would just write to my normal directories or run from them, not from a system directory.
EDIT: my concern was, if docker was allowed access to system files, meaning, it has some embedded scipt that had a potential harm to the computer, and it executed when I ran the docker. Since, I give it root privileges, the script could do anything. Would adding it to the user group instead of sudo fix that?
By default Docker runs an always-on daemon on your system which requires root privileges (Experimental non-root Docker support exists though).
The common approach is to add your User to the docker group which allows you to run docker without having to sudo: https://docs.docker.com/engine/install/linux-postinstall/
sudo usermod -aG docker $USER
newgrp docker
If you are interested in non-root Docker the following might be interesting:
https://podman.io/
https://docs.docker.com/engine/security/rootless/
You are not probably part of docker group as user. You could try post-installations steps mentioned on here.
Create group docker:
sudo groupadd docker
Add user to the group
sudo usermod -aG docker $USER
Reload changes:
newgrp docker
Related
I am working on Docker and before i execute any command on Docker CLI , I need to switch to root used using the command
sudo su - root
Can anyone please tell me why we need to switch to root user to perform any operation on Docker Engine?
you don't need to switch to root for docker cli commands and it is common to add your user to the docker group
sudo groupadd docker
sudo usermod -aG docker $USER
see: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
the reason why docker is run as root:
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
Using docker commands, you can trivially get root-level access to any part of the host filesystem. The very most basic example is
docker run --rm -v /:/host busybox cat /host/etc/shadow
which will get you a file of encrypted passwords that you can crack offline at your leisure; but if I wanted to actually take over the machine I'd just write my own line into /host/etc/passwd and /host/etc/shadow creating an alternate uid-0 user with no password and go to town.
Docker doesn't really have any way to limit what docker commands you can run or what files or volumes you can mount. So if you can run any docker command at all, you have unrestricted root access to the host. Putting it behind sudo is appropriate.
The other important corollary to this is that using the dockerd -H option to make the Docker socket network-accessible is asking for your system to get remotely rooted. Google "Docker cryptojacking" for some more details and prominent real-life examples.
I'm using AWS Linux virtual machine as my production server. When I try to login to Docker-hub from AWS Linux virtual machine it says permission denied while trying to connect to the docker daemon socket. There are solutions in the internet and those need 'Sudo' access. But I just connect to the VM using SSH with user I created named prod-user. Therefor I don't have password.
click here tom see the error msg
It seems the user you are using to access docker hub doesn't have enough permission. You can try adding prod-user to group Docker.
sudo usermod -a -G docker $USER
usermod is a command that modifies the system configuration for a specific user.
-a is a shortcut for --append: It means append the group to the list of groups the user belongs to.
-G is a shortcut for --groups: It tells usermod that the next argument is a group.
docker is the group we want to add $USER to.
$USER is the user that we want to modify.
If this alone doesn't resolve the issue then try below :
chmod 664 /var/run/docker.sock ## First try this.
chmod 777 /var/run/docker.sock ## Then this. Not recommended though due to full permission.
I was able to fixed this with the help of #Pacifit answer. Since I cannot do any sudo things as prod-user what I did was I connect to the VM as ec2-user and then I added prod-user to the group by using
sudo usermod -a -G docker prod-user
and change the permission. Then I was able to execute docker in prod-user.
I am launch a jenkins docker container for CI work. And the host OS I am using is CoreOS. Inside the jenkins container, I also installed docker-cli in order to run build on docker containers in the host system. In order to do that, I use below configuration to mount /var/run on the jenkins container for mapper Docker socket:
volumes:
- /jenkins/data:/var/jenkins_home
- /var/run/docker.sock:/var/run/docker.sock:rw
when I launch the container and run docker command, I got below error:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.29/containers/json: dial unix /var/run/docker.sock: connect: permission denied
The /var/run is root permission but my user is jenkins. How can I solve the permission issue to allow jenkins user to use docker command through mapper socket?
I have tried below command but the container doesn't allow me to run sudo:
$ sudo usermod -a -G docker jenkins
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
There's nothing magical about permissions in Docker: they work just like permissions outside of Docker. That is, if you want a user to have access to a file (like /var/run/docker.sock), then either that file needs to be owned by the user, or they need to be a member of the appropriate group, or the permissions on the file need to permit access to anybody.
Exposing /var/run/docker.sock to a non-root user is a little tricky, because typical solutions (just chown/chmod things from inside the container) will potentially break things on your host.
I suspect the best solution may be:
Ensure that /var/run/docker.sock on your host is group-writable (e.g., create a docker group on your host and make sure that users in that group can use Docker).
Pass the numeric group id of your docker group into the container as an environment variable.
Have an ENTRYPOINT script in your container that runs as root that (a) creates a group with a matching numeric gid, and (b) modifies the Jenkins users to be a member of that group, and then (c) exec your docker CMD as the jenkins user.
So, your entrypoint script might look something like this (assuming that you have passed in a value for $DOCKER_GROUP_ID in your docker-compose.yml):
#!/bin/sh
groupadd -g $DOCKER_GROUP_ID docker
usermod -a -G docker jenkins
exec runuser -u jenkins "$#"
You would need to copy this into your image and add the appropriate ENTRYPOINT directive to your Dockerfile.
You may not have the runuser command. You can accomplish something similar using sudo or su or other similar commands.
I'm currently trying to finish a Vagrantfile to be used as a docker host by other Vagrantfiles running the docker provider (https://www.vagrantup.com/docs/docker/).
I am using centos/atomic-host as a base box. The problem is that when I run vagrant up I get:
A Docker command executed by Vagrant didn't complete successfully!
The command run along with the output from the command is shown
below.
Command: "docker" "ps" "-a" "-q" "--no-trunc"
Stderr: Cannot connect to the Docker daemon. Is the docker daemon running on this host?
And this is due to the vagrant user not being part of the docker group. I solve this by adding this to my Vagrantfile:
# Add user vagrant to docker group
$docker_group = <<-DOCKER_GROUP
groupadd docker
usermod -a -G docker vagrant
systemctl restart docker
DOCKER_GROUP
config.vm.provision "docker_group", type: "shell", privileged: true, inline: $docker_group
I still get the exception above the first time I run vagrant up but it works from the second time onwards. The reason I suspect is that after adding the vagrant user to the docker group I need to logout/login for the changes to take effect.
For the record, I tried adding newgrp docker at the end of the my $docker_group script but it doesn't solve the problem. I suspect the docker provider starts a separate session.
Anybody found a solution for this?
I am not aware of Vagrantfile, but what I understand from your question is that you need some way to refresh a user's group without having to re-login.
If that's the case, the following points may help you:
Why not just su to the user again: you may just login in to the user again, and all the user's group will be updated.
Or you may try the this approach Legooolas has mentiones.
I hardly think the problem you mentioned is with the Vagrantfile, it's just the way it is. To update user's configurations, you need to re-login with the user. Still, if you wish to find a way, the above two might help you out.
Although this post is tempted to be closed for many I should ask what I am doing wrong since I am getting crazy and can't find a solution.
I have installed Docker in Fedora 24 and everything seems to be fine but I can't run docker command without sudo and that's annoying (at least for me).
I am logged as a normal user (non-root) and as soon as I run a command I can see this message:
$ docker ps
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
However if I run only docker I can see a list of possible commands :-\
I've followed this guide and I read also a lot (here is a small list):
http://bsaunder.github.io/2014/12/21/running-docker-without-sudo/
Running Docker as non-root user
How to run docker image as a non-root user?
But certainly I am missing something, can any illuminate me? What I am missing here? I know the problem become user has not permissions to /var/run/docker.sock but what's the fix?
Running docker to get the list of commands doesn't use a connection to the daemon, which is why you can run it as non-root.
Have you added your user to the docker group?
sudo usermod -aG docker <my-user>
If you do that, next time you log in you should be able to use the docker CLI without sudo. But beware that the docker group has root privileges, so this is a convenience but not a security improvement.