Cannot use Docker as unprivileged user on first "up" #10388

Closed
mbrodala opened this issue Nov 9, 2018 · 2 comments · Fixed by #10399


mbrodala commented Nov 9, 2018

Vagrant version

Vagrant 2.2.0

Host operating system

$ uname -a
Linux yui 4.18.0-2-amd64 #1 SMP Debian 4.18.10-2 (2018-11-02) x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:  Debian GNU/Linux unstable (sid)
Release:  unstable
Codename: sid

Guest operating system

$ uname -a
Linux vagrant-ubuntu-trusty-64 3.13.0-92-generic #139-Ubuntu SMP Tue Jun 28 20:42:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:  Ubuntu 14.04.5 LTS
Release:  14.04
Codename: trusty

Vagrantfile

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/trusty64"
  config.vm.provision :docker

  config.vm.provision :shell,
    keep_color: true,
    privileged: false,
    run: "always",
    inline: <<-SCRIPT
      echo "Groups of $(whoami)"
      groups
      docker run hello-world
    SCRIPT
end

Debug output

https://gist.github.com/mbrodala/49813f8feceb77c6a4cfa747f72e6697

Expected behavior

Vagrant should execute the docker run command and display its output without errors.

Actual behavior

The docker run fails even though Docker has been set up properly by the docker provisioner:

...
==> default: Running provisioner: shell...
    default: Running: inline script
    default: Groups of vagrant
    default: vagrant
    default: docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.38/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
    default: See 'docker run --help'.
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

This seems to be caused by Vagrant re-using the existing SSH connection and the way Linux behaves in general when adding groups to a user, in this case the docker group for the vagrant user. Newly added groups only affect new shells; existing shells will keep their list of user groups unchanged. Since Vagrant does not terminate the SSH connection after installing Docker and adding vagrant to the docker group, any subsequent SSH command won't have the docker group and won't have the permissions to access the Docker socket. On a subsequent up, a new SSH connection is set up which then has the updated list of user groups.

Steps to reproduce

  1. Put the Vagrantfile somewhere
  2. Run vagrant up
  3. See the error and vagrant missing the docker group
  4. Run vagrant up once more
  5. See the error gone and now vagrant having the docker group

References

Initially discovered in leighmcculloch/vagrant-docker-compose#53
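
The state described in this report can be detected from inside the guest by comparing the groups held by the running process with the groups recorded in the account database. This is an added example, not part of the original issue or of Vagrant's code; the function names are hypothetical and it assumes group names contain no spaces.

```shell
#!/bin/sh
# Added example: detect a session whose group list predates a group change.

# Print every group in list $2 (account database view) that is missing from
# list $1 (the running process's view), one per line. Matching is on whole
# names, so "docker" is not satisfied by "dockerroot".
stale_groups() {
    session_groups=" $1 "
    for g in $2; do
        case "$session_groups" in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Return 0 if group $1 is assigned to the current user in the database but is
# absent from this process's credentials, i.e. the session is stale.
session_is_stale_for() {
    session=$(id -Gn)               # groups of this process, fixed at login
    database=$(id -Gn "$(id -un)")  # groups looked up fresh for the user name
    stale_groups "$session" "$database" | grep -qx "$1"
}

# Guard for provisioning scripts: fail early with a clear message instead of
# the "permission denied" error on /var/run/docker.sock.
check_docker_access() {
    if session_is_stale_for docker; then
        echo "docker group is assigned but not active in this session;" \
             "a new SSH session is required" >&2
        return 1
    fi
    return 0
}

# Usage inside a provisioning script:
#   check_docker_access && docker run hello-world
```

In the failing first `vagrant up`, `id -Gn` reports only `vagrant` while `id -Gn vagrant` already includes `docker`, which is the mismatch the guard reports.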

@mbrodala
Contributor Author

Just FYI: the mentioned fix (released with version 2.2.1) works like a charm.

ghost commented Mar 28, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 28, 2020