I'm using an AWS Linux virtual machine as my production server. When I try to log in to Docker Hub from the AWS Linux virtual machine it says permission denied while trying to connect to the docker daemon socket. There are solutions on the internet and those need sudo access. But I just connect to the VM using SSH with a user I created named prod-user. Therefore I don't have a password.
It seems the user you are using to access Docker Hub doesn't have enough permission. You can try adding prod-user to the docker group.
sudo usermod -a -G docker $USER
usermod is a command that modifies the system configuration for a specific user.
-a is a shortcut for --append: It means append the group to the list of groups the user belongs to.
-G is a shortcut for --groups: It tells usermod that the next argument is a group.
docker is the group we want to add $USER to.
$USER is the user that we want to modify.
If this alone doesn't resolve the issue, then try the following:
chmod 664 /var/run/docker.sock ## First try this.
chmod 777 /var/run/docker.sock ## Then this. Not recommended though due to full permission.
I was able to fix this with the help of Pacifit's answer. Since I cannot do any sudo things as prod-user, what I did was connect to the VM as ec2-user and then add prod-user to the group by using
sudo usermod -a -G docker prod-user
and change the permission. Then I was able to execute docker as prod-user.
Related
I have installed Docker on my Pop OS according to the official tutorial (I also created a docker user group and added myself to it). In IntelliJ IDEA I am getting:
Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running? No such file or directory.
systemctl status docker shows that docker.service is active.
My permissions:
ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Feb 28 09:05 /var/run/docker.sock
You need to :
Add your user to the docker group:
sudo usermod -aG docker $USER
Log out, and then log back in.
Docker configuration settings:
Unix socket: This is the recommended connection option for Linux.
Note:
If you get permission denied errors, add the current user to the docker group on the machine, log out, and then log back in. The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
I've solved the issue by re-installing IntelliJ. My version was from the Pop OS application store and caused the problem, but the interesting fact is that other things worked as expected. So the version from the JetBrains Toolbox did the trick.
When trying to start minikube with docker driver, as a root user I get:
$ minikube start --driver=docker
* minikube v1.16.0 on Ubuntu 18.04
* Using the docker driver based on user configuration
* The "docker" driver should not be used with root privileges.
* If you are running minikube within a VM, consider using --driver=none:
* https://minikube.sigs.k8s.io/docs/reference/drivers/none/
X Exiting due to DRV_AS_ROOT: The "docker" driver should not be used with root privileges.
What is the problem to use docker driver as a root user?
This is a question of security. The official Docker documentation is clear about the risks.
As per the documentation:
Docker allows you to share a directory between the Docker host and a guest container; and it allows you to do so without limiting the access rights of the container. This means that you can start a container where the /host directory is the / directory on your host; and the container can alter your host filesystem without any restriction.
To solve your problem you can follow these steps:
Add new User
adduser newUser
usermod -aG sudo newUser
su - newUser
Log in as the newly created user
su - newUser
Add User to the Docker Group
sudo groupadd docker
sudo usermod -aG docker $USER
Log in again and then start minikube with the following command
minikube start --driver=docker
Verify minikube is running
docker ps
Here is a GitHub issue you may have a look at.
Updating my answer as it is causing confusion whether these steps will solve the security issues.
These steps will solve the error you were facing when you were trying to start minikube. But these steps won't solve the security issues, because the docker group grants privileges equivalent to the root user. To run docker without root privilege, aka rootless mode, you need to follow this documentation.
Log in as the root user and run the commands below.
useradd testuser
usermod -aG docker testuser
su - testuser (or open another terminal and login to testuser)
minikube start --driver=docker
It works!
I was just getting started with docker, and I ran this:
docker pull redis
and I get a permission denied error. It turns out docker writes to /var/* directories, which requires write permission, and so many other docker commands also require something like:
sudo docker ***
Now, I don't really like the notion of adding root privileges to every docker command. (It might be because I just don't know docker much yet, but that's true with every program.) Is this a requirement of docker?
If it is not required, then how do I configure it so that it is much like other programs, which only ask me for privileges when they need to, and all the pulling and running commands would just write to my normal directories or run from them, not from a system directory.
EDIT: my concern was, if docker was allowed access to system files, meaning it had some embedded script with potential harm to the computer, and it executed when I ran docker. Since I give it root privileges, the script could do anything. Would adding it to the user group instead of sudo fix that?
By default Docker runs an always-on daemon on your system which requires root privileges (Experimental non-root Docker support exists though).
The common approach is to add your User to the docker group which allows you to run docker without having to sudo: https://docs.docker.com/engine/install/linux-postinstall/
sudo usermod -aG docker $USER
newgrp docker
If you are interested in non-root Docker the following might be interesting:
https://podman.io/
https://docs.docker.com/engine/security/rootless/
You are probably not part of the docker group as your user. You could try the post-installation steps mentioned here.
Create group docker:
sudo groupadd docker
Add user to the group
sudo usermod -aG docker $USER
Reload changes:
newgrp docker
I am working on Docker and before I execute any command on the Docker CLI, I need to switch to the root user using the command
sudo su - root
Can anyone please tell me why we need to switch to root user to perform any operation on Docker Engine?
You don't need to switch to root for docker CLI commands; it is common to add your user to the docker group:
sudo groupadd docker
sudo usermod -aG docker $USER
see: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
The reason why docker runs as root:
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
Using docker commands, you can trivially get root-level access to any part of the host filesystem. The very most basic example is
docker run --rm -v /:/host busybox cat /host/etc/shadow
which will get you a file of encrypted passwords that you can crack offline at your leisure; but if I wanted to actually take over the machine I'd just write my own line into /host/etc/passwd and /host/etc/shadow creating an alternate uid-0 user with no password and go to town.
Docker doesn't really have any way to limit what docker commands you can run or what files or volumes you can mount. So if you can run any docker command at all, you have unrestricted root access to the host. Putting it behind sudo is appropriate.
The other important corollary to this is that using the dockerd -H option to make the Docker socket network-accessible is asking for your system to get remotely rooted. Google "Docker cryptojacking" for some more details and prominent real-life examples.
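An added example, not part of the answer above, of turning its two points into a check a practitioner can run: anything in the docker group is root on the host, so the things to look for are containers that already are (privileged, the host root bind-mounted as in the busybox command above, or the daemon socket bind-mounted) and a daemon that listens on plain TCP. Both inputs are constructed sample data; the `docker inspect --format` command in the comment is the assumed collection step, and "hosts" and "tlsverify" are real daemon.json keys.

```shell
#!/bin/sh
# Added example: flag containers that already amount to root on the host, and a
# daemon.json that exposes the API over plain TCP.  All input below is constructed.

# Constructed output of (assumed collection command, one container per line):
#   docker inspect --format '{{.Name}} privileged={{.HostConfig.Privileged}}{{range .Mounts}} {{.Source}}:{{.Destination}}{{end}}' $(docker ps -q)
SAMPLE_INSPECT='/web privileged=false /srv/www:/usr/share/nginx/html
/backdoor privileged=false /:/host
/jenkins privileged=false /jenkins/data:/var/jenkins_home /var/run/docker.sock:/var/run/docker.sock
/dbg privileged=true'

# flag_host_root LINES
# Prints "<name> <reason>..." for every container that is effectively root on the
# host: --privileged, the host root filesystem bind-mounted (the busybox example
# above), or the daemon socket bind-mounted (full API access, which is the same thing).
flag_host_root() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        {
            reason = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "privileged=true") reason = reason " privileged"
                split($i, m, ":")
                if (m[1] == "/") reason = reason " host-root-mount"
                if (m[1] == "/var/run/docker.sock") reason = reason " docker-socket-mount"
            }
            if (reason != "") print $1 reason
        }'
}

# Constructed daemon.json variants.  2375 is the conventional plaintext port,
# 2376 the TLS one; without tlsverify anyone who can reach the port is root.
SAMPLE_DAEMON_BAD='{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }'
SAMPLE_DAEMON_OK='{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem" }'

# daemon_exposed_tcp JSON_TEXT
# Exit 0 if the daemon listens on tcp:// without requiring client certificates,
# i.e. what `dockerd -H tcp://...` without TLS does.
daemon_exposed_tcp() {
    printf '%s\n' "$1" | grep -q 'tcp://' || return 1
    printf '%s\n' "$1" | grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' && return 1
    return 0
}

flag_host_root "$SAMPLE_INSPECT"
daemon_exposed_tcp "$SAMPLE_DAEMON_BAD" && echo "daemon.json: API exposed over plain TCP"
```

The mount check is deliberately narrow (exact `/` and the socket path); a bind mount of `/etc` or `/root` is just as bad, so widen the match to whatever your hosts consider sensitive.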
I am launching a Jenkins docker container for CI work, and the host OS I am using is CoreOS. Inside the Jenkins container, I also installed docker-cli in order to run builds in docker containers on the host system. In order to do that, I use the configuration below to mount /var/run into the Jenkins container to map the Docker socket:
volumes:
- /jenkins/data:/var/jenkins_home
- /var/run/docker.sock:/var/run/docker.sock:rw
When I launch the container and run a docker command, I get the error below:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.29/containers/json: dial unix /var/run/docker.sock: connect: permission denied
/var/run is owned by root but my user is jenkins. How can I solve the permission issue to allow the jenkins user to use docker commands through the mapped socket?
I have tried the command below but the container doesn't allow me to run sudo:
$ sudo usermod -a -G docker jenkins
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
There's nothing magical about permissions in Docker: they work just like permissions outside of Docker. That is, if you want a user to have access to a file (like /var/run/docker.sock), then either that file needs to be owned by the user, or they need to be a member of the appropriate group, or the permissions on the file need to permit access to anybody.
Exposing /var/run/docker.sock to a non-root user is a little tricky, because typical solutions (just chown/chmod things from inside the container) will potentially break things on your host.
I suspect the best solution may be:
Ensure that /var/run/docker.sock on your host is group-writable (e.g., create a docker group on your host and make sure that users in that group can use Docker).
Pass the numeric group id of your docker group into the container as an environment variable.
Have an ENTRYPOINT script in your container that runs as root that (a) creates a group with a matching numeric gid, (b) modifies the Jenkins user to be a member of that group, and then (c) execs your docker CMD as the jenkins user.
So, your entrypoint script might look something like this (assuming that you have passed in a value for $DOCKER_GROUP_ID in your docker-compose.yml):
#!/bin/sh
set -e
# Runs as root: create a group with the host's docker gid, add jenkins to it,
# then drop privileges and run the container's CMD as jenkins.
groupadd -g "$DOCKER_GROUP_ID" docker
usermod -a -G docker jenkins
exec runuser -u jenkins -- "$@"
You would need to copy this into your image and add the appropriate ENTRYPOINT directive to your Dockerfile.
You may not have the runuser command. You can accomplish something similar using sudo or su or other similar commands.
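An added example (not the answer's own script) that extends the entrypoint above to the snag it runs into in practice: `groupadd -g` fails when a group with the host's docker gid already exists inside the image, and the jenkins user then never gets access. The version below looks up the gid in /etc/group first and joins the existing group if there is one. The group name `dockerhost`, the install path `docker-entrypoint.sh` and the two /etc/group excerpts are assumptions and constructed data.

```shell
#!/bin/sh
# Added example of the entrypoint described above, extended to handle a group
# that already owns the host's docker gid inside the image.
# On the host:  DOCKER_GROUP_ID=$(stat -c %g /var/run/docker.sock)
# and pass it in with  environment: [DOCKER_GROUP_ID]  in docker-compose.yml.
set -e

# group_for_gid GID GROUPDB -> prints the name of the group that owns GID, if any
group_for_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# plan_group_membership GID USER GROUPDB
# Prints the commands that make USER a member of whichever group has GID:
# reuse an existing group with that gid, otherwise create "dockerhost" (assumed name).
plan_group_membership() {
    existing=$(group_for_gid "$1" "$3")
    if [ -n "$existing" ]; then
        echo "usermod -aG $existing $2"
    else
        echo "groupadd -g $1 dockerhost"
        echo "usermod -aG dockerhost $2"
    fi
}

# Constructed /etc/group excerpts for the two cases (not from a real image):
SAMPLE_GROUP_FREE='root:x:0:
jenkins:x:1000:'
SAMPLE_GROUP_TAKEN='root:x:0:
systemd-journal:x:999:
jenkins:x:1000:'

entrypoint_main() {
    : "${DOCKER_GROUP_ID:?set DOCKER_GROUP_ID to the gid of the host docker.sock}"
    # Runs as root (the image's default USER): apply the plan, then drop to jenkins.
    plan_group_membership "$DOCKER_GROUP_ID" jenkins "$(cat /etc/group)" | sh -e
    exec runuser -u jenkins -- "$@"        # or: exec su -s /bin/sh jenkins -c "$*"
}

# Only act as the entrypoint when installed under that name (assumed path);
# otherwise the file just defines the functions above.
case $0 in
    */docker-entrypoint.sh) entrypoint_main "$@" ;;
esac
```

Whatever group ends up owning the socket's gid inside the container, its members can drive the host daemon, so this grants the jenkins user host root just as the docker group does on the host; treat the Jenkins container accordingly.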