Docker install via CLI creates folders owned by root, can't start Docker

[dannyfallon]

Description

As per the Install from command line instructions, you need to run the install binary with sudo or else you'll run into permissions errors writing settings files.

Starting very recently once you run the install command with sudo any attempt to start Docker Desktop will produce an error stating that ~/Library/Containers/com.docker.docker is owned by root and prompting you to exit, reset all the settings or diagnose.

➜  ~ cd /Volumes/Docker

➜  Docker cat /Volumes/Docker/Docker.app/Contents/Info.plist | grep -A 1 CFBundleShortVersionString
    <key>CFBundleShortVersionString</key>
    <string>4.23.0</string>

➜  Docker sudo /Volumes/Docker/Docker.app/Contents/MacOS/install
Password:

➜  Docker ls -lha ~/Library/Containers/ | grep com.docker.docker
drwxr-xr-x    3 root   staff    96B 18 Sep 16:59 com.docker.docker

The version information below is only obtained after I manually changed the directory ownership back to myself.

Reproduce

1. Run sudo /Volumes/Docker/Docker.app/Contents/MacOS/install
2. Run the Docker app

Expected behavior

The application should be in a runnable state without any permissions errors after doing a CLI-based install

docker version

➜  MacOS docker version
Client:
 Cloud integration: v1.0.35+desktop.4
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:28:49 2023
 OS/Arch:           darwin/arm64
 Context:           default

Server: Docker Desktop 4.23.0 (120376)
 Engine:
  Version:          24.0.6
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.7
  Git commit:       1a79695
  Built:            Mon Sep  4 12:31:36 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    24.0.6
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2-desktop.4
    Path:     /Users/danny/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0-desktop.1
    Path:     /Users/danny/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/danny/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     /Users/danny/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.7
    Path:     /Users/danny/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/danny/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/danny/.docker/cli-plugins/docker-scan
  scout: Command line tool for Docker Scout (Docker Inc.)
    Version:  0.24.1
    Path:     /Users/danny/.docker/cli-plugins/docker-scout

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.3.13-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 7.667GiB
 Name: docker-desktop
 ID: 399f3e57-6806-4ab5-b80c-aea253769365
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

7F87A9E6-39E8-4D1C-BAAA-AF63BC4F6511/20230918160813

Additional Info

No response

[lorenrh]

Hello,

We've escalated this internally. The workaround for now is changing the ownership of com.docker.docker to your user manually, as you've done it.

Thank you for the report, any updates we have will be added to this issue!

[lorenrh]

Hello,

This issue has been fixed in the latest 4.24.0 release. You can see the latest release notes here.

I'll close the issue for now, but let us know if the issue persists.