211

I'm suddenly having issues after an update of Ubuntu 18.04: previously I've used docker without issue on the system, but suddenly I cannot. As far as I can tell, the permissions look correct:

$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
$ ls -last /var/run/docker.sock 
0 srw-rw---- 1 root docker 0 Jul 14 09:10 /var/run/docker.sock
$ whoami
brandon
$ cat /etc/group | grep docker
docker:x:995:brandon
nvidia-docker:x:994:

EDIT:

Group information:

$ groups
brandon
$ groups brandon
brandon : brandon adm cdrom sudo dip plugdev games lpadmin sambashare docker
$ whoami
brandon

Update

I've already rebooted my system to apply the docker group. Still with that problem.

Since the original post where I upgraded a system from 17.04 to 18.04, I've done two upgrades from 16.04 to 18.04, and neither of the later systems had the issue. So it might be something to do with the 17.04 to 18.04 upgrade process. I've yet to perform a fresh 18.04 installation.

11
  • 2
    Does it work if you run sudo docker run hello-world?
    – mviereck
    Commented Jul 14, 2018 at 20:17
  • 6
    What happens if you run newgrp docker and try again from the same terminal?
    – BMitch
    Commented Jul 14, 2018 at 23:04
  • 1
    Can you try using your secondary TTYs (Ctrl-Alt-F3)?
    – sachav
    Commented Jul 15, 2018 at 14:07
  • 1
    Possible duplicate of Docker can't connect to docker daemon
    – David Maze
    Commented Jul 15, 2018 at 16:55
  • 2
    @DavidMaze - I don't believe so - the newgrp suggestion above worked, as did logging into the system via ssh
    – bbarker
    Commented Jul 15, 2018 at 17:40

15 Answers

367
sudo setfacl --modify user:<user name or ID>:rw /var/run/docker.sock

It doesn't require a restart and is more secure than usermod or chown.

As @mirekphd pointed out, the user ID is required when the user name only exists inside the container, but not on the host.

14
  • 7
    (It doesn't seem to persist through reboots)
    – bbarker
    Commented Feb 3, 2019 at 18:32
  • 1
    @bbarker unix.stackexchange.com/questions/372244/… Though on many systems this is persistent
    Commented Feb 4, 2019 at 19:43
  • 1
    setfacl -m jenkins:docker:rw /var/run/docker.sock setfacl: Option -m: Invalid argument near character 9
    Commented Jun 25, 2019 at 11:57
  • 1
    @ShacharHamuzimRajuan you need to run setfacl --modify for a user, e.g.: setfacl -m u:docker:rw or u:jenkins:rw. Or per group (g instead of u). See: linux.die.net/man/1/setfacl
    Commented Jun 26, 2019 at 18:49
  • 2
    Why would I want to use this over adding the user to the docker group? This seems like a short sighted trial and error fix. If there are other permissions necessary the docker group is probably what it is for. Permissions will be adequate for the docker group, and so users that are to use docker should be part of the docker group. Fixing it for only this user and one socket file may lead to further issues now or later on other files.
    – Kissaki
    Commented Aug 6, 2019 at 8:59
135

Add the user to the docker group.

sudo usermod -aG docker $USER
sudo reboot
8
  • 6
    Maybe I am missing something, but the output of 'groups brandon' already includes 'docker', in my case, as indicated above. But this is generally good advice.
    – bbarker
    Commented Sep 9, 2018 at 14:31
  • 6
    Reboot helps :)
    – digz6666
    Commented Jun 18, 2019 at 6:13
  • 22
    Creating a new user session (logging out and back in) is enough to update the user sessions groups. No reboot required.
    – Kissaki
    Commented Aug 6, 2019 at 9:00
  • 3
    Instead of rebooting, you can just restart the docker daemon: sudo systemctl restart docker
    Commented Oct 15, 2020 at 16:37
  • 4
    restarting the docker daemon and logging out/in weren't sufficient for me. A reboot was.
    – craq
    Commented Jul 5, 2022 at 23:03
118

Just try to give the right permission to docker.sock file by:

sudo chmod 666 /var/run/docker.sock
9
  • 6
    this worked for me on Win10 WSL 2 and Ubuntu 20.04
    – pmko
    Commented Nov 29, 2021 at 2:27
  • 4
    This worked for me on Ubuntu 20.04.2 LTS
    – Vishrant
    Commented Mar 10, 2022 at 22:47
  • 5
    this worked on Ubuntu 22.04.1 LTS
    – orb
    Commented Nov 10, 2022 at 0:48
  • 10
    Note that this allows any user on your system to control Docker. If you have a multi-user system, it's probably not what you want.
    – paul
    Commented Dec 3, 2022 at 19:17
  • 3
    This is very insecure. It could potentially allow someone to take control of the underlying Docker host if user namespaces are not used.
    Commented Feb 15, 2023 at 16:00
39

The way to fix it is to run:

sudo addgroup --system docker
sudo adduser $USER docker
newgrp docker

That works for me :)

1
  • 9
    newgrp docker was the step missing from the guide I was following in my case
    – van
    Commented Dec 4, 2021 at 14:54
21

Ubuntu 18:04

sudo setfacl --modify user:$USER:rw /var/run/docker.sock
1
  • 2
    What does that do?
    – Kris
    Commented Jun 6, 2022 at 23:32
10

It looks like a permission issue:

sudo addgroup --system docker
sudo adduser $USER docker
newgrp docker
sudo setfacl -m "g:docker:rw" /var/run/docker.sock

Or simply use the command below, which will fix this issue.

sudo chmod -x /var/run/docker.sock
8

I did the quick fix and it worked immediately.

sudo chmod 777 /var/run/docker.sock
4
  • 31
    That may look like an easy solution in case you're just playing around with Docker on a dev environment, but that's a very bad idea for the security of your system.
    – yoann-h
    Commented Feb 24, 2019 at 1:57
  • 2
    sudo setfacl -m user:brandon:rw /var/run/docker.sock gives just the one user the permissions it needs.
    Commented Mar 14, 2019 at 10:35
  • 4
    when suggesting something that is insecure please write a warning
    – medic17
    Commented Jun 13, 2021 at 10:37
  • Don't do this. This is a security risk as already said. Instead, assign a custom group to that sock file (example: "docker"), and be in that group (sudo adduser YOURUSER docker) and eventually reboot.
    Commented Mar 19 at 10:49
8

Somehow, I found this page when I didn't have correct permissions on my docker.sock after my Docker installation. So, if you have the same issue, you can read this:

$ sudo adduser $USER docker

does not work because the group is "root" not "docker"

$ ls -l /var/run/docker.sock
srw-rw---- 1 root root 0 Jul 11 09:48 /var/run/docker.sock

so it should be

$ sudo adduser $USER root

From a non-snap installed machine, the group is "docker"

# ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 3 04:18 /var/run/docker.sock

The correct way is, according to docker.help, you have to run the following BEFORE sudo snap install docker

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker

then the group will be "docker"

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 11 10:59 /var/run/docker.sock

Source: https://github.com/docker-archive/docker-snap/issues/1 (yes, first issue :D)

The easiest way to fix it is to run:

$ sudo setfacl -m "g:docker:rw" /var/run/docker.sock

And then, as already mentioned, run the following commands for your user:

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker

That's it :) Have fun!

5

For ubuntu 20.04

Step 1: Check Ubuntu user

echo $USER

Step 2: Give rw permission to docker

sudo setfacl --modify user:<user_name>:rw /var/run/docker.sock

2

I was able to solve this on my Linux Machine using the below command.

> sudo setfacl --modify user:$USER:rw /var/run/docker.sock

Note: Please check if you have sudo access. Otherwise this command will fail.

How to check sudo access?

$ whoami
> rahul
$ groups
> useracc
$ groups useracc
> Here you can see sudo and other access details.
2

Specific to Ubuntu, there is a known issue with lightdm that removes secondary groups from the user as part of the GUI login. You can follow that issue here: https://bugs.launchpad.net/lightdm/+bug/1781418

You can try switching off of lightdm or apply the workaround mentioned in the bug report:

[Comment out the below lines from /etc/pam.d/lightdm:]

auth optional pam_kwallet.so
auth optional pam_kwallet5.so

Temporary options include logging into your machine with something like an ssh or su -l command, or running the newgrp docker command. These will only affect the current shell and would need to be done again with each new terminal.


Outside of this issue, the general commands to give a user direct access to the docker socket (and therefore root access to the host) are:

sudo usermod -aG docker $(id -un) # you can often use $USER in place of the id command
newgrp docker # affects the current shell, logging out should affect all shells
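
The question's `groups` versus `groups brandon` output shows the symptom this answer describes: the group database grants `docker`, but the login session never received it. The check below is an added example, not part of the answer above; the function names `missing_session_groups` and `needs_relogin` are hypothetical.

```shell
#!/bin/sh
# Added example: find groups that the account database grants a user
# but that the current login session did not receive.

# missing_session_groups SESSION_GROUPS DB_GROUPS
#   SESSION_GROUPS: space-separated output of `id -Gn`         (this process)
#   DB_GROUPS:      space-separated output of `id -Gn "$USER"` (group database)
# Prints the groups present in DB_GROUPS but absent from SESSION_GROUPS.
missing_session_groups() {
    session=" $1 "
    missing=""
    for g in $2; do
        case "$session" in
            *" $g "*) ;;                                   # session has it
            *) missing="${missing:+$missing }$g" ;;        # granted, not applied
        esac
    done
    printf '%s\n' "$missing"
}

# needs_relogin GROUP SESSION_GROUPS DB_GROUPS
#   Returns 0 when GROUP is granted in the database but missing from the
#   session: a fresh login (or `newgrp GROUP`) is needed, not a permission
#   change on the socket.
needs_relogin() {
    case " $(missing_session_groups "$2" "$3") " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on the current machine.
if needs_relogin docker "$(id -Gn 2>/dev/null)" \
                        "$(id -Gn "$(id -un 2>/dev/null)" 2>/dev/null)"; then
    echo "docker is in the group database but not in this session"
fi
```

If the message is printed, the socket permissions are not the problem, and loosening them with `chmod` only widens access to the daemon without addressing the cause.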
1

I fixed this issue by using the following command:

sudo chmod -x /var/run/docker.sock
1

This issue is resolved by following the process below

  1. Check whether the "docker" group is created or not

    cmd: cat /etc/group | grep docker

    output: docker:x:995

  2. Check the permissions of "/var/run/docker.sock" file

    cmd: ls -l /var/run/docker.sock

    output: rw-rw---- 1 root root 0 Jul 14 09:10 /var/run/docker.sock

  3. add docker group to "/var/run/docker.sock" file

    cmd: sudo setfacl -m "g:docker:rw" /var/run/docker.sock

    output: rw-rw---- 1 root docker 0 Jul 14 09:10 /var/run/docker.sock

  4. Now it will work, if possible restart the docker service.

  5. To restart the docker service

    cmd: sudo systemctl restart docker

0

Please note: not only group name is important, but apparently also gid of the groups. So if docker group on host system has gid of i.e. 995,

cat /etc/group | grep docker  
docker:x:995:brandon

You must make sure gid of docker group You can do this as a part of a launch script, or simply by using exec and doing it manually:

groupmod -g 995 docker

Hope it helps anyone who comes here, it took me a while to find this answer.

0

All of the above solutions work, but are not persistent after a system reboot, which was most important for me. I was searching for a persistent solution and the only thing that works for me is to change SocketMode to 0666 in the file '/lib/systemd/system/docker.socket'

...
SocketMode=0666
...

After changing this file we need to restart the service

sudo systemctl daemon-reload
sudo systemctl restart docker.socket

Now the permission will be properly set by service itself after service restart.

2
  • 1
    Don't do this. This is a security risk as already said. Instead, assign a custom group to that sock file (example: "docker"), and be in that group (sudo adduser YOURUSER docker) and eventually reboot.
    Commented Mar 19 at 10:49
  • tried this for testing and it didn't help with my issue. It should have no issues when looking at permissions....
    – pcnate
    Commented Mar 22 at 4:40
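
A way to audit for the exposure the comments above warn about, as an added example that is not part of any answer on this page: it classifies a socket mode by its "other" digit and applies the same check to a `SocketMode=` line in a systemd socket unit. The function names and the sample unit text are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Docker socket modes that let every local user connect.

# mode_exposure OCTAL_MODE   (e.g. 660, 0666, 777)
#   Connecting to a Unix socket on Linux needs write permission on it, so an
#   "other" digit with the write bit set (2, 3, 6, 7) opens the daemon to all
#   local accounts. The digit is taken as a string: 0666 must not be parsed
#   as a decimal or octal integer.
mode_exposure() {
    case "$1" in
        ""|*[!0-7]*) echo "invalid"; return 2 ;;
    esac
    other=${1#"${1%?}"}                 # last character = "other" permissions
    case "$other" in
        [2367]) echo "world-writable" ;;
        *)      echo "restricted" ;;
    esac
}

# unit_socket_mode  (reads unit file text on stdin)
#   Prints the effective SocketMode= value; the last assignment wins.
unit_socket_mode() {
    sed -n 's/^[[:space:]]*SocketMode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' |
        tail -n 1
}

# audit_unit  (reads unit file text on stdin)
audit_unit() {
    mode_exposure "$(unit_socket_mode)"
}

# Constructed sample, modelled on the edit described in the answer above.
SAMPLE_UNIT='[Socket]
ListenStream=/run/docker.sock
SocketMode=0666
SocketUser=root
SocketGroup=docker'

printf '%s\n' "$SAMPLE_UNIT" | audit_unit

# Live check of the socket itself (GNU stat).
if [ -S /var/run/docker.sock ]; then
    mode_exposure "$(stat -c %a /var/run/docker.sock)"
fi
```

Mode bits do not show per-user entries added with `setfacl`; `getfacl /var/run/docker.sock` lists those separately.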
