This repository has been archived by the owner on Jan 21, 2020. It is now read-only.

Using docker requires sudo #1

Closed
fginther opened this issue Apr 18, 2017 · 17 comments

Comments

@fginther

Using docker as installed by the docker snap requires sudo. My expectation is that normal users could use docker without needing sudo. This is the case for both the stable and edge versions of the docker snap.

Here's what I found while using the docker snap from --edge:

fginther@docker-snap-test:~$ sudo snap install --edge docker
docker (edge) 1.13.1-0 from 'docker-inc' installed
fginther@docker-snap-test:~$ snap list
Name    Version   Rev   Developer   Notes
core    16-2      1577  canonical   -
docker  1.13.1-0  84    docker-inc  -

Running docker commands requires sudo to connect to the daemon socket:

fginther@docker-snap-test:~$ docker version
Client:
 Version:      1.13.1
 API version:  1.26
 Go version:   go1.7.4
 Git commit:   -snap-899f8a8
 Built:        Tue Apr 11 12:44:12 2017
 OS/Arch:      linux/amd64
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.26/version: dial unix /var/run/docker.sock: connect: permission denied
fginther@docker-snap-test:~$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.26/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
fginther@docker-snap-test:~$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
78445dd45222: Pull complete 
Digest: sha256:c5515758d4c5e1e838e9cd307f6c6a0d620b5e07e6f927b07d05f6d12a1ac8d7
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://cloud.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Looking at the permissions of the socket indicated in the error message, /var/run/docker.sock:

fginther@docker-snap-test:~$ ls -l /var/run/docker.sock
srw-rw---- 1 root root 0 Apr 18 12:46 /var/run/docker.sock

Changing the permissions on this socket is enough to allow non-sudo use:

fginther@docker-snap-test:~$ sudo chmod 666 /var/run/docker.sock
fginther@docker-snap-test:~$ ls -l /var/run/docker.sock
srw-rw-rw- 1 root root 0 Apr 18 12:46 /var/run/docker.sock
fginther@docker-snap-test:~$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
 https://cloud.docker.com/

For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

@adglkh
Contributor

adglkh commented May 12, 2017

Hi fginther,
Thanks for the heads-up.
Actually, there's a discussion around this issue:
https://forum.snapcraft.io/t/snap-declaration-request-for-docker-snap/394/5
I'm assuming you installed and ran the docker snap on Classic. If so, you can set up the docker snap by running the following commands without sudo
$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker

Also you can run docker.help to learn how to configure it.

But if you're running docker under Ubuntu Core 16, it's another story. As the system user/group files (/etc/passwd, /etc/group) are read-only on UC16, we need a new user/group management interface to solve this problem. As of now, we apply a workaround to make docker run without sudo on UC16. The side effect of this is that it requires manual setup to make dockerd run. From customer feedback, in practical terms, people really hope everything works right after installation, without configuration by hand.
As discussed internally, we plan to revert back to "run docker with root user on UC16" for the time being and fix it in the proper way once the snapd interfaces are ready.

bab38be

@Hugo-Gomez

I did this:
sudo gpasswd -a $USER docker
And it worked out instantly

@TangentFoxy

I just encountered this error, and as it was explained to me, the issue is that a user needs to be added to the docker group in order to have permission to use it.

I would assume this is still the case, and it seems like a good method of handling that to me... but this issue also hasn't been commented on in quite a while.

@ttshaw

ttshaw commented Jul 11, 2018

$ sudo adduser $USER docker does not work because the group is "root" not "docker"

$ ls -l /var/run/docker.sock
srw-rw---- 1 root root 0 Jul 11 09:48 /var/run/docker.sock

so it should be $ sudo adduser $USER root

from a non-snap installed machine, the group is "docker"

# ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul  3 04:18 /var/run/docker.sock

The correct way is,
according to docker.help you have to run the following BEFORE sudo snap install docker

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker

then the group will be "docker"

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 11 10:59 /var/run/docker.sock

@joekendal

@ttshaw Not a good idea to ever run this command though $ sudo adduser $USER root

@objarni

objarni commented Sep 22, 2018

@ttshaw's method worked for me in both Ubuntu 16.04 and 18.04 (Desktop editions) for the snap way of installing docker. The complete step-by-step method is then:

$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker
$ sudo snap install docker

I did not have any need to log out or reboot the computer using the above steps.

To verify docker was installed correctly:

$ docker run hello-world

@kelvinromero

kelvinromero commented Oct 23, 2018

I had a strange problem, $ newgrp docker worked until I closed the terminal. I had to run this for every new terminal.

The only thing that did it for me was the line below. Do you guys have any idea why?

$ sudo setfacl -m user:${USER}:rw /var/run/docker.sock

Everything else has been working just fine.

@dvisztempacct

dvisztempacct commented Oct 23, 2018

@kelvinromero oversimplifying a bit: in *nix each process is identified by its user and groups. Updating the groups a user belongs to on disk does not change the groups that each process belongs to.

From newgrp(1):

The newgrp command is used to change the current group ID during a login session.

But how does it do this? Surely if you run newgrp from your shell, your shell will first fork(2), creating a whole separate process.

We can actually see how it does this pretty easily:

hdon@pop-os:~$ echo $$ # the $$ variable is your shell's process ID
9943
hdon@pop-os:~$ newgrp
hdon@pop-os:~$ echo $$
10674
hdon@pop-os:~$ pstree -p 9943 # see a process and its descendants
bash(9943)───newgrp(10673)───bash(10674)───pstree(11026)
hdon@pop-os:~$ exit
exit
hdon@pop-os:~$ pstree -p 9943
bash(9943)───pstree(11071)
hdon@pop-os:~$

So, as it turns out, newgrp has to launch a new shell process in order to furnish you with a shell process whose groups have been updated. Relogging will fix the issue.

The reason your setfacl command worked is that it worked around the issue in a way similar to what you might do with chown or chmod. You were just changing the file so that your user had access to it without any group membership required.

Hope that helps.
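
The distinction drawn above between the group database and a running process's credentials, together with the socket modes shown earlier in the thread, can be checked with a short script. This is an added example, not code from any commenter or from the docker snap; the function names `classify_access` and `has_id` are made up here, and it assumes GNU `stat` and `id` as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the thread). Reports which permission class opens a
# socket such as /var/run/docker.sock to the calling process, from mode bits and
# numeric IDs only. The broadest grant is checked first, so a world-writable
# socket is always reported as such. POSIX ACLs (setfacl) and root's bypass of
# mode checks are not modelled. Assumes GNU stat/id.

has_id() {  # has_id NEEDLE "SPACE SEPARATED IDS"
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

classify_access() {  # prints: world | owner | group-live | group-stale | denied
    path=$1
    mode=$(stat -c %a "$path") || return 2
    f_uid=$(stat -c %u "$path")
    f_gid=$(stat -c %g "$path")
    other=$(( 0$mode & 6 ))            # rw bits for "other"
    group=$(( (0$mode >> 3) & 6 ))     # rw bits for the owning group
    owner=$(( (0$mode >> 6) & 6 ))     # rw bits for the owning user

    if [ "$other" -eq 6 ]; then
        echo world        # e.g. after chmod 666: any local user can connect
    elif [ "$owner" -eq 6 ] && [ "$f_uid" = "$(id -u)" ]; then
        echo owner
    elif [ "$group" -eq 6 ] && has_id "$f_gid" "$(id -G)"; then
        echo group-live   # this process already carries the socket's group
    elif [ "$group" -eq 6 ] &&
         has_id "$f_gid" "$(id -G "$(id -un 2>/dev/null)" 2>/dev/null)"; then
        echo group-stale  # listed in /etc/group, but this process predates it
    else
        echo denied
    fi
}

# Run against the real socket when it exists (path overridable as $1).
sock=${1:-/var/run/docker.sock}
if [ -e "$sock" ]; then
    echo "$sock: $(classify_access "$sock")"
fi
```

`id -G` with no argument reads the calling process's credentials, while `id -G USER` consults the group database, so `group-stale` is the state in which a re-login or `newgrp` is still needed.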

@kelvinromero

@dvisztempacct After your comment, I took the time to actually read the man pages. And I feel ashamed that I did this in a hurry, running commands before understanding them.

So adding the Docker group, my user to it, and giving it permission to access the socket, should've been enough right (which apparently was not my case)?

I might have jumped some steps because I was rushing to start programming, but is it necessary to add permission to the user itself, or just the group is enough? I'm using Ubuntu 18.04.

Thanks a lot!

@jabrena

jabrena commented Nov 6, 2018

In my case, I solved the same issue with the following statement:

  • sudo chmod 666 /var/run/docker.sock

@emmaly

emmaly commented Nov 11, 2018

I solved it by doing the following on Ubuntu Server 18.04 LTS after the docker snap was already installed. It felt like the above answers were nearly there for me, but the missing piece was restarting the docker snap. If you hadn't installed the snap yet, then obviously you don't need to restart it, but to install it instead. Here's how I did it:

$ sudo docker ps # which works fine
$ docker ps # which doesn't work because of permission failure
$ sudo addgroup --system docker
$ sudo adduser $USER docker
$ newgrp docker
$ sudo snap restart docker
$ docker ps # this now works because my user is in the group

@ukreddy-erwin

None of the above steps are working now.
On Ubuntu I tried the latest one as of now, I mean the comment.

My Error:

docker pull maven:3-alpine
cannot create user data directory: /var/lib/jenkins/snap/docker/321: Permission denied

Any suggestion?

Now, the newgrp command is not available to use.

@Hugo-Gomez

@ukreddy-erwin When this happens you have to try with sudo before your command, just like this
sudo docker pull maven:3-alpine

@ukreddy-erwin

But I am using it in a jenkins pipeline with the docker plugin.
In the pipeline, when I kept the below lines, it expands as below.

stage('Back-end') {
    agent {
        docker { image 'maven:3-alpine' }
    }
    steps {
        sh 'mvn --version'
    }
}

Here, it runs without sudo.

If I append sudo in front of it, what is the purpose of all this process?

@ukreddy-erwin

ukreddy-erwin commented Nov 15, 2018

Without sudo I am able to access docker but with below command, I am getting error for access.

docker run -t -d -u 1000:1000 -w /var/lib/jenkins/workspace/test -v /var/lib/jenkins/workspace/test:/var/lib/jenkins/workspace/test:rw,z -v /var/lib/jenkins/workspace/test@tmp:/var/lib/jenkins/workspace/test@tmp:rw,z maven:3-alpine cat

docker: Error response from daemon: error while creating mount source path '/var/lib/jenkins/workspace/test': mkdir /var/lib/jenkins: permission denied.

When I check the permissions, they already exist.

uday@jenkins-server:~$ ls -l /var/lib/jenkins/workspace
total 8
drwxr-xr-x 2 uday uday 4096 Nov 15 06:51 test
drwxr-xr-x 2 uday uday 4096 Nov 15 07:32 test@tmp

Any suggestions please.

When I tried to troubleshoot the daemon, dockerd was not available. So, I installed it.
sudo apt-get install docker.io

Now, I am able to start.

And get the output.
But when I tried to stop the container.

docker stop --time=1 bee

Error response from daemon: cannot stop container: bee: Cannot kill container bee8f2fd8b6b3a7a88277cf072d04ebb8ab69fe00c6b83c58c2e8762abec0448: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown

Why is it getting permission denied again?

@zzCOMzz

zzCOMzz commented Nov 27, 2018

In my case, I solved the same issue with the following statement:

  • sudo chmod 666 /var/run/docker.sock

Thanks! I have tried this, and it works very well for me 😄

@psftw
Contributor

psftw commented Nov 28, 2018

Closing all issues and pull requests since this repo is getting archived (see notice at the top of README).

@psftw psftw closed this as completed Nov 28, 2018