Docker Got permission denied while trying to connect to the Docker daemon socket at unix var run docker sock

Question

I am new to docker  I just tried to use docker in my local machine Ubuntu 16 04  with Jenkins    I configured a new job with below pipeline script   node       stage  Build           docker image  maven 3 3 3   inside           sh  mvn --version                    But it fails with below error

User · Answer

Maybe you should run the docker with option  -u root  from the very beginning   At least that solved my problem

User · Answer

I am running Jenkins inside a docker container  The simplest solution for me was to make a custom image that dynamically sets the GID  like   FROM jenkins jenkins lts     CMD DOCKER GID   stat -c   g   var run docker sock   amp  amp        groupadd -for -g   DOCKER GID  docker  amp  amp        usermod -aG docker jenkins  amp  amp        sudo -E -H -u jenkins bash -c  usr local bin jenkins sh   See  https   github com jenkinsci docker issues 263  Alternatively you could launch jenkins with the following options   -v  var run docker sock  var run docker sock   -u jenkins   getent group docker   cut -d  -f3    This assumes your jenkins image has docker client installed  See  https   getintodevops com blog the-simple-way-to-run-docker-in-docker-for-ci

User · Answer

2018-08-19  I have been stuck for days on this one and as I haven t found a complete answer with the why and how  I will post one for other people that stumble on the same problem and answers from above do not work   These are the 3 crucial steps when running Jenkins inside docker    You mount the socket  var run docker sock to the jenkins container in order to be able to use the docker from the host  You have to install docker inside the container in order to use it  This is a great and simple article on how to do that  Note that newer versions might already have docker installed You run sudo usermod -a -G docker jenkins in order to add jenkins to the docker group  However  here you might run into a permission problem if the host docker and the container docker don t have the same group id so it is very important to adjust the container docker s gid to be the same as the host docker gid   You can do this as a part of a launch script or simply by using exec and doing it manually  groupmod -g  lt YOUR HOST DOCKER GID gt  docker   Also  do not change permissions of the  var run docker sock to 777 or stuff like that because that is a big security risk  you are basically giving everyone permission to use docker on your machine  Hope this helps

User · Answer

I added the jenkins user to root group and restarted the jenkins and it started working       sudo usermod -a -G root jenkins sudo service jenkins restart

User · Answer

often need a reboot to take effect on the new user group and user

User · Answer

While doing production config i got the permission issue I tried below solution to resolve the issue   Error Message  ubuntu node1    docker run hello-world docker  Got permission denied while trying to connect to the Docker daemon socket at unix    var run docker sock  Post http    2Fvar 2Frun 2Fdocker sock v1 38 containers create  dial unix  var run docker sock  connect  permission denied  See  docker run --help     Solution  permissions of the socket indicated in the error message   var run docker sock   ubuntu ip-172-31-21-106  var run  ls -lrth docker sock srw-rw---- 1 root root 0 Oct 17 11 08 docker sock ubuntu ip-172-31-21-106  var run  sudo chmod 666  var run docker sock ubuntu ip-172-31-21-106  var run  ls -lrth docker sock srw-rw-rw- 1 root root 0 Oct 17 11 08 docker sock   After changes permission for docket sock then execute below command to check permissions   ubuntu ip-172-31-21-106  var run  docker run hello-world Unable to find image  hello-world latest  locally latest  Pulling from library hello-world 1b930d010525  Pull complete Digest  sha256 c3b4ada4687bbaa170745b3e4dd8ac3f194ca95b2d0518b417fb47e5879d9b5f Status  Downloaded newer image for hello-world latest  Hello from Docker  This message shows that your installation appears to be working correctly   To generate this message  Docker took the following steps   1  The Docker client contacted the Docker daemon   2  The Docker daemon pulled the  hello-world  image from the Docker Hub       amd64   3  The Docker daemon created a new container from that image which runs the     executable that produces the output you are currently reading   4  The Docker daemon streamed that output to the Docker client  which sent it     to your terminal   To try something more ambitious  you can run an Ubuntu container with     docker run -it ubuntu bash  Share images  automate workflows  and more with a free Docker ID   https   hub docker com   For more examples and ideas  visit   https   docs docker com get-started

User · Answer

chmod 777  var run docker sock  This worked like a charm

User · Answer

In my case  it was not only necessary add jenkins user to docker group  but make that group the primary group of the jenkins user     usermod -g docker jenkins   usermod -a -G jenkins jenkins   Don t forget to reconnect the jenkins slave node or restart the jenkins server  depend on your case

User · Answer

If you want to keep it simple  use fixdockergid on your Dockerfile

User · Answer

I m using the official jenkins docker image  https   hub docker com r jenkins jenkins  but I think this solution is applicable to most use cases where we want to run Docker inside a Docker container   The recommended way for using Docker inside a Docker container  is to use the Docker deamon of the host system  Good article regarding that  https   itnext io docker-in-docker-521958d34efd   The secret to handle the permission issue  which this question is about  is to add permissions for the user of the container inside the container  not the host system  Only root user has permissions to do that by default  so  docker exec -it -u root  lt container-name gt  bash usermod -a -G docker  lt username gt    will do it  Remember to restart the container   I guess the simpliest way to achive this is to create a customised Dockerfile     Official jenkins image FROM jenkins jenkins lts   Swith to root to be able to install Docker and modify permissions USER root RUN apt-get update   Install docker RUN curl -sSL https   get docker com    sh   Add jenkins user to docker group RUN usermod -a -G docker jenkins   Switch back to default user USER jenkins    Bild the image    sudo docker build -t yourusername imagename     Run the image and mount with the followin bind mount option    sudo docker run --name imagename -d -p8080 8080 -v  var run docker sock  var run docker sock yourusername imagename

User · Answer

sudo usermod -a -G docker jenkins sudo service jenkins restart

User · Answer

Simply adding docker as a supplementary group for the jenkins user  sudo usermod -a -G docker jenkins   is not always enough when using a Docker image as the Jenkins Agent  That is  if your Jenkinsfile starts with pipeline agent dockerfile or pipeline agent image   pipeline       agent           dockerfile               filename  Dockerfile jenkinsAgent                      stages      This is because Jenkins performs a docker run command  which results in three problems    The Agent will  probably  not have the Docker programs installed  The Agent will not have access to the Docker daemon socket  and so will try to run Docker-in-Docker  which is not recommended  Jenkins gives the numeric user ID and numeric group ID that the Agent should use  The Agent will not have any supplementary groups  because docker run does not do a login to the container  it s more like a sudo     Installing Docker for the Agent  Making the Docker programs available within the Docker image simply requires running the Docker installation steps in your Dockerfile     Dockerfile jenkinsAgent FROM debian stretch-backports   Install Docker in the image  which adds a docker group RUN apt-get -y update  amp  amp     apt-get -y install      apt-transport-https      ca-certificates      curl      gnupg      lsb-release      software-properties-common  RUN curl -fsSL https   download docker com linux debian gpg   apt-key add - RUN add-apt-repository       deb  arch amd64  https   download docker com linux debian        lsb release -cs       stable   RUN apt-get -y update  amp  amp     apt-get -y install      docker-ce      docker-ce-cli      containerd io        Sharing the Docker daemon socket  As has been said before  fixing the second problem means running the Jenkins Docker container so it shares the Docker daemon socket with the Docker daemon that is outside the container  So you need to tell Jenkins to run the Docker container with that sharing  thus   pipeline       agent           dockerfile               filename  Dockerfile jenkinsAgent              args  -v  var run docker sock  var run docker sock                     Setting UIDs and GIDs  The ideal fix to the third problem would be set up supplementary groups for the Agent  That does not seem possible  The only fix I m aware of is to run the Agent with the Jenkins UID and the Docker GID  the socket has group write permission and is owned by root docker   But in general  you do not know what those IDs are  they were allocated when the useradd     jenkins and groupadd     docker ran when Jenkins and Docker were installed on the host   And you can not simply tell Jenkins to user user jenkins and group docker  args  -v  var run docker sock  var run docker sock -u jenkins docker    because that tells Docker to use the user and group that are named jenkins and docker within the image  and your Docker image probably does not have the jenkins user and group  and even if it did there would be no guarantee it would have the same UID and GID as the host  and there is similarly no guarantee that the docker GID is the same  Fortunately  Jenkins runs the docker build command for your Dockerfile in a script  so you can do some shell-script magic to pass through that information as Docker build arguments   pipeline       agent           dockerfile               filename  Dockerfile jenkinsAgent              additionalBuildArgs   --build-arg JENKINSUID  id -u jenkins  --build-arg JENKINSGID  id -g jenkins  --build-arg DOCKERGID  stat -c  g  var run docker sock               args  -v  var run docker sock  var run docker sock -u jenkins docker                    That uses the id command to get the UID and GID of the jenkins user and the stat command to get information about the Docker socket   Your Dockerfile can use that information to setup a jenkins user and docker group for the Agent  using groupadd  groupmod and useradd     Dockerfile jenkinsAgent FROM debian stretch-backports ARG JENKINSUID ARG JENKINSGID ARG DOCKERGID       Install Docker in the image  which adds a docker group RUN apt-get -y update  amp  amp     apt-get -y install      apt-transport-https      ca-certificates      curl      gnupg      lsb-release      software-properties-common  RUN curl -fsSL https   download docker com linux debian gpg   apt-key add - RUN add-apt-repository       deb  arch amd64  https   download docker com linux debian        lsb release -cs       stable   RUN apt-get -y update  amp  amp     apt-get -y install      docker-ce      docker-ce-cli      containerd io        Setup users and groups RUN groupadd -g   JENKINSGID  jenkins RUN groupmod -g   DOCKERGID  docker RUN useradd -c  Jenkins user  -g   JENKINSGID  -G   DOCKERGID  -M -N -u   JENKINSUID  jenkins

User · Answer

In addition to adding the user to the docker group and trying everything mentioned in this thread  it took me a while to realize that I had to restart my terminal and then log back into the ec2 instance  It worked after that

User · Answer

2019-02-16  Most of the steps were the same for me as the others has written  However  I was not able to add jenkins to the group docker using usermod with the mentioned solutions   I tried the following command from the docker host  and from the running docker container    sudo usermod -a -G docker jenkins    I entered to the running docker container with the following command from the docker host    docker exec -t -i my container id or name  bin bash      Received from docker host      usermod  user  jenkins  does not exist   Received from docker container      We trust you have received the usual lecture from the local System   Administrator  It usually boils down to these three things    1  Respect the privacy of others   2  Think before you type   3  With great power comes great responsibility         sudo  password for jenkins    I didnt know the password   Without the sudo part of the command  in the docker container I received      usermod  Permission denied  usermod  cannot lock  etc passwd  try   again later    Solution   I entered to the running docker container from the docker host with the following command   docker exec -t -i -u root my container id or name  bin bash   Now  I entered as root  and issued the following command   usermod -a -G docker jenkins   Then  from the docker host  I restarted my running docker container with the following command   docker restart my container id or name   After that  I started the jenkins job and it finished with success   I only used the root user to issue the usermod command for the user jenkins

User · Answer

use below dockerfile  FROM jenkins jenkins  USER root    Install Docker RUN apt-get update  amp  amp        apt-get -y install apt-transport-https       ca-certificates       curl       gnupg2       software-properties-common  amp  amp        curl -fsSL https   download docker com linux      etc os-release  echo   ID   gpg  gt   tmp dkey  apt-key add  tmp dkey  amp  amp        add-apt-repository        deb  arch amd64  https   download docker com linux      etc os-release  echo   ID           lsb release -cs        stable   amp  amp        apt-get update  amp  amp        apt-get -y install docker-ce     Compose RUN curl -L  https   github com docker compose releases download 1 22 0 docker-compose-  uname -s -  uname -m   -o  usr local bin docker-compose  amp  amp  chmod  x  usr local bin docker-compose    RUN usermod -aG docker jenkins RUN usermod -aG root jenkins  USER jenkins

User · Answer

On the server where Jenkins is running  I used  sudo setfacl -m user tomcat rw  var run docker sock   And then run each docker container with  -v  var run docker sock  var run docker sock   Using setfacl seems a better option  and no  -u user  is needed  The containers then run as the same user that is running Jenkins  But I would appreciate any feedback from the security experts

User · Answer

If someone is still facing the issue on their local machine Ubuntu  then try below command    sudo chmod 666  var run docker sock

User · Answer

My first solutions was   usermod -aG docker jenkins usermod -aG root jenkins chmod 664  var run docker sock   But none of them work for me  I tried   chmod 777  var run docker sock   That works  but I don t know if it is the right call

User · Answer

The user jenkins needs to be added to the group docker  sudo usermod -a -G docker jenkins  Then restart Jenkins  Edit If you arrive to this question of stack overflow because you receive this message from docker  but you don t use jenkins  most probably the error is the same  your unprivileged user does not belong to the docker group  You can do  sudo usermod -a -G docker alice  or whatever your username is  You can check it at the end doing grep docker  etc group and see something like this  docker x 998 alice  in one of the lines  Then change your users group ID to docker  newgrp docker  Finally  log out and log in again

User · Answer

In my case this will work successfully  navigate your local repo and enter this command   sudo chmod 666  var run docker sock

User · Answer

If you re running Jenkins inside a docker container and your Jenkins is linking to the host docker then you can fix that just by the Dockerfile below   FROM jenkins jenkins 2 179 USER root RUN groupadd docker  amp  amp  usermod -a -G docker jenkins USER jenkins

User · Answer

If you may get errors like below    Got permission denied while trying to connect to the Docker daemon socket at unix    var run docker sock   or  level error msg  failed to dial gRPC  cannot connect to the Docker daemon  Is  docker daemon  running on this host   dial unix  var run docker sock  connect  permission denied    Just try to execute the following commands     sudo su - jenkins   sudo usermod -a -G docker  USER   sudo chown jenkins docker  var run docker sock

User · Answer

2019-05-26  This worked for me    Example docker-compose   version   3  services    jenkins      image  jenkinsci blueocean     privileged  true     ports        -  8080 8080      volumes        -  HOME learning jenkins jenkins home  var jenkins home     environment        - DOCKER HOST tcp   socat 2375     links        - socat    socat       image  bpack socat      command  TCP4-LISTEN 2375 fork reuseaddr UNIX-CONNECT  var run docker sock      volumes          -  var run docker sock  var run docker sock      expose          -  2375

User · Answer

Change the access permission of the docker sock file   chmod 777  var run docker sock   or u can use sudo in the start of the command   chmod 777 will allow all actions for all users while chmod 666 will allow all users to read and write but cannot execute the file

User · Answer

Success for me  sudo usermod -a -G docker  USER reboot

User · Answer

in my case it was just starting docker service    sudo service docker start

User · Answer

sudo setfacl --modify user  user name or ID  rw  var run docker sock  Several times I tried to execute the command  sudo chmod 777  var run docker sock  but unfortunately  I have to do this every time when I m logging in to ubuntu system  It doesn t require a restart and is more secure than usermod or chown  user ID is required when the user name only exists inside the container  but not on the host  I hope that it will help you solve the problem

User · Answer

I faced a similar issue  which is a permission issue and the cause of this issue is because the Docker daemon server always runs as the root user  and wants you to always preface the docker command with sudo  Docker daemon binds to a Unix socket instead of a TCP port  By default that Unix socket is owned by the user root and other users can only access it using sudo  To fix this  here s what worked for me  Firstly  check if you have a docker group already created  cat  etc group  If you don t find docker in the list that is displayed  then you will need to create one  sudo groupadd docker  Next  confirm your user and your group using the command below  cat  etc group  Scroll through to see the group for docker  It should be of this format docker x 140 promisepreston  where docker is my group and promisepreston is my user Now we can add your user to the docker group Also add your user to the    docker    group  If you would like to use Docker as a non-root user   Copy and run the command below in your terminal exactly how it is stated without modifying it in anyway  regardless of the docker image container command that you want to run or are trying to run or is casuing the permission issue  sudo usermod -aG docker  USER  After running the command above  you will need to Log out and log back in so that your group membership is re-evaluated  However  on Linux  you can also run the following command below to activate the changes to groups  Copy and run the command below in your terminal exactly how it is stated without modifying it in anyway  regardless of the docker image container command that you want to run or are trying to run or is casuing the permission issue   newgrp docker   You can now verify that you can run docker commands without sudo permissions  by running the command that is causing the permissions issue again  say  Replace my-command with the name of your image container command   docker run my-command  For Docker and Local filesystem files  If you have a copy of the files on your local filesystem  then you can change the ownership of the application directory where the application files are stored  using this format  sudo     chown      lt your user gt   lt your group gt      -R   my-app-directory   So in my case it will be  sudo chown promisepreston docker -R my-app-directory   Note  Please run this command inside the parent directory housing the application directory  That s all  I hope this helps

User · Answer

I have Jenkins running in Docker and connected Jenkins is using Docker socket from host machine Ubuntu 16 04 via volume to  var run docker sock   For me solution was   1  Inside Docker container of Jenkins  docker exec -it jenkins bash on host machine   usermod -a -G docker jenkins chmod 664  var run docker sock service jenkins restart  or systemctl restart jenkins service  su jenkins   2  On host machine   sudo service docker restart   664 means - read and write but not execute  for owner and users from group

User · Answer

Step 1  add your username to the docker group  sudo usermod -a -G docker  USER  Then logout and login again  Step 2  Then change docker group ID   newgrp docker

[docker] Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock

Examples related to docker

Examples related to jenkins

Examples related to jenkins-pipeline