How to access /var/run/docker.sock from inside a docker container as a non-root user? (MacOS Host)

add jenkins user to docker group mac
docker.sock location
java lang runtimeexception socket not found var/run/docker sock
could not change group /var/run/docker sock to docker group docker not found
add user to docker group mac
docker run as user
docker run as root
jenkins docker permission denied

I have installed docker on Mac and everything is running fine. I am using a Jenkins docker image and running it. While using Jenkins as a CI server and to build further images by running docker commands through it, I came to know that we have to bind mount /var/run/docker.sock while running the Jenkins images so it can access the docker daemon.

I did that, and installed docker CLI inside Jenkins’s container. But when running docker ps or any other docker commands it is throwing an error:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.28/containers/json: dial unix /var/run/docker.sock: connect: permission denied

When I connect to container as a root user, it works fine. But switching to the ‘jenkins’ user throws the above error. I have already added ‘jenkins’ user to sudo list but does not help.

I found few articles suggesting to add ‘jenkins’ user to ‘docker’ group but to my surprise I do not find any docker group on Mac or inside container.

Any help is much appreciated. Thanks

It looks like the reason this is happening is pretty straight forward: UNIX permissions are not letting the jenkins user read /var/run/docker.sock. Really the easiest option is to just change the group assignment on /var/run/docker.sock from root to another group, and then add jenkins to that group:

[as root, inside the container]
root@host:/# usermod -G docker jenkins
root@host:/# chgrp docker /var/run/docker.sock

This assumes of course that you already have the docker CLI installed, and that a group called docker exists. If not:

[as root, inside the container]
root@host:/# groupadd docker

Alternatively, you could change the world permissions on /var/run/docker.sock to allow non-root users to access the socket, but I wouldn't recommend doing that; it just seems like bad security practice. Similarly, you could outright chown the socket to the jenkins user, although I'd rather just change the group settings.


I'm confused why using sudo didn't work for you. I just tried what I believe is exactly the setup you described and it worked without problems.

Start the container:

[on macos host]
darkstar:~$ docker run \
                  -v /var/run/docker.sock:/var/run/docker.sock \  
                  docker.io/jenkins/jenkins:lts
darkstar:~$ docker exec -u root -it <container id> /bin/bash

Install Docker CLI:

[as root, inside container]
root@host:/# apt-get update
root@host:/# apt-get -y install apt-transport-https \
                                ca-certificates \
                                curl \
                                gnupg2 \
                                software-properties-common
root@host:/# rel_id=$(. /etc/os-release; echo "$ID")
root@host:/# curl -fsSL https://download.docker.com/linux/${rel_id}/gpg > /tmp/dkey
root@host:/# apt-key add /tmp/dkey
root@host:/# add-apt-repository \
             "deb [arch=amd64] https://download.docker.com/linux/${rel_id} \
              $(lsb_release -cs) stable"
root@host:/# apt-get update
root@host:/# apt-get -y install docker-ce

Then set up the jenkins user:

[as root, inside container]
root@host:/# usermod -G sudo jenkins
root@host:/# passwd jenkins
[...]

And trying it out:

[as jenkins, inside container]
jenkins@host:/$ sudo docker ps -a
[...]
password for jenkins:

CONTAINER ID        IMAGE                 COMMAND                  CREATED     ...
69340bc13bb2        jenkins/jenkins:lts   "/sbin/tini -- /usr/…"   8 minutes ago ...

it seems to work fine for me. Maybe you took a different route to install the Docker CLI? Not sure, but if you want to access the docker socket using sudo, those steps will work. Although, I think it would be easier to just change the group assignment as explained up above. Good luck :)


Note: All tests performed using macOS Mojave v10.14.3 running Docker Engine v19.03.2. This doesn't seem to be heavily dependent on the host platform, so I would expect it to work on Linux or any other UNIX-like OS, including other versions of macOS/OSX.

Mounting & using /var/run/docker.sock in a container not running as , On a mid 2014 MacBook Pro running Sierra 10.12.5… I'm trying to mount the /​var/run/docker.sock socket into my container to The container runs as a non-​root user (circleci:circleci). I get permission errors, which is not surprising since My host is a MAC OS X and the /var/run/docker.sock has the  You have probably already run containers from the Docker Hub and noticed that some of them need to bind mount the /var/run/docker.sock file. What is this file, and why it is sometimes used by…

Add volume

volumes:
  - /var/run/docker.sock:/var/run/docker.sock

and you will have access to socket

Post-installation steps for Linux, By default that Unix socket is owned by the user root and other users can only access it using sudo . To run Docker without root privileges, see Run the Docker daemon as a This command downloads a test image and runs it in a container. it is possible for remote non-root users to gain root access on the host. Subscribe How to access the host's Docker Socket without root 13 Jan 2017 • 2 min read . I needed to run a Docker container from inside another container. While it’s possible to run Docker inside Docker, the recommended way is running siblings containers.

I got this issue today. Here is the cause and fix:

I've started docker for mac as user A and try to run docker commands as user B.

Fix: Stopped docker for mac as user A and started as user B.

Use docker inside docker with jenkins user · Issue #263 · jenkinsci , USER root RUN apt-get update RUN groupadd docker && gpasswd -a jenkins docker @brthor I'm not saying running Jenkins in docker is a bad idea, I'm saying Mount /var/run/docker.sock into the container from the host. So if you don't use the host namespaces, then when you run the command, you'll getl the isolated ones of the container, but you'd still have access to the underlying host filesystem (due to the volume mount), so depending on what you want to do it still works fine (For example you'd still have root access to /etc/shadow.

dial unix /var/run/docker.sock: permission denied · Issue #5314 , I installed docker.io on ubuntu 14.04 only i always get this message: dial unix /var​/run/docker.sock: permission denied I read this was an old problem, i see it does belong to the group docker, It is explained in "Giving non-root access" section of official Docker docs. Replace jenkins with container User. How can I run a ‘docker exec’ command inside Just keep in mind that running the containers on the same host will give you the privilege of executing docker commands within the container. You can do this just by defining the docker socket in the container. Simply run the container and mount the 'docker.sock':

/var is a symlink to /private/var in macos. Try mounting it instead of the symlink.

Docker Tips : about /var/run/docker.sock, You have probably already run containers from the Docker Hub and noticed with the following command, bind mounting the host's Docker's Unix socket. through the /var/run/docker.sock file that it has access to via the bind mount. All the HTTP endpoints defined in the Docker engine API v1.27 (last  I stumbled across this page while trying to make docker socket calls work from a container that is running as the nobody user.. In my case I was getting access denied errors when my-service would try to make calls to the docker socket to list available containers.

How to fix docker: Got permission denied while trying to connect to , I've just installed docker but I have to run it with sudo every time. to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get https://docs.​docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user This command downloads a test image and runs it in a container. @mdawar does this work fine without step 1, assuming the docker-compose.yml file is already inside the container?. I ask because I want to do the same thing — control the host docker daemon from within a container using compose.

Docker not found, If such a network is found, then published ports where no host IP address is When Docker runs a container, it runs an image inside it. as not found, but if i shutdown the service, remove /var/run/docker. sock, and run Docker is installed​; For Linux user, make sure you could manage Docker as a non-root user without​  Oh yeah it is absolutely possible to run docket container inside a docker container as an individual docker container can be realistically considered as a VM where you can again install docker and run more containers.A realistic usecase is where a

docksal/community-support, I'm running MacOS + Docker Machine, so /var/run/docker.sock isn't available in this /var/run/docker.sock is mounted from the Linux host, not the Mac/Win host. I switched to root in the container and re-ran the same command and I got the docker user to make requests against docker.sock and get the same results? hostname of the docker container cannot be seen from outside. What you can do is to assign a name to container and access the container through the name. If you link 2 containers say container1 and container2 then docker takes care of writing the IP and the hostname of container2 in the container1.

Comments
  • Docker > File-Sharing... /var is not shared by default
  • Or serverfault.com/a/659043
  • though not cool but modifying the permission of /var/run/docker.sock fixed the issue. I have provided the appropriate permission to jenkins user to /var/run/docker.sock file and it worked fine.
  • Hey Neeraj, have you done a chmod on /var/run/docker.sock?
  • @TibinPaul, yes. I had to provide permission to my user for /var/run/docker.sock.
  • Do you realize we are on MacOSX ?
  • @DimitriKopriwa I ran this on my Macbook Pro. I guess technically I am on macOS and not OSX (since Apple rebranded it) but it should not make a difference. This issue appears to be related to setup from within the container and not on the host OS.
  • I added a note on the test platform. Maybe I am misunderstanding, but it sounds to me like this: OSX is being used as the host system to run a Jenkins CI build server inside a docker container. The Jenkins server requires the ability to control the provisioning of other containers on the OSX host, but from within it's own container (thus the bind mount of /var/run/docker.sock). There has been some difficulty in granting access to that socket inside of the container to the jenkins user. If that is correct, this answer should be the solution. If I am missing something, please let me know.
  • I am not even running a single docker container, my issue is having another user than root being able to use docker on MacOSx, not being able to have a user within a container to access docker socket. But I admit, this question was half mine, half within a docker container. I will accept your answer and give you the bounty even if I still can't use docker cli in my MacOSx without root
  • @DimitriKopriwa That sounds very strange. Are you using Docker Desktop, or something older (ie. Docker Toolkit)?? I am using Docker Desktop and I don't have that issue. If you can, perhaps try uninstalling whatever you are using currently, and try the latest Docker Desktop. Make sure you don't have VirtualBox prior to version 4.3.30 installed, and also make sure to unset any DOCKER_* environment variables that might have been set by the old installation. Both of those can cause issues when switching to Docker Desktop. You might want to start a new question if the problem is ongoing.
  • This answer doesn't provide any relevant information. OP already has the socket bind mounted into the container. This is apparent because the error message is Permission Denied and not File Not Found. The problem appears to be file permissions, as I explained in my answer. Also, this is using the syntax for a docker-compose file, but I don't see where OP mentioned using docker-compose.
  • This break system permissions, staff is not an admin and it should not be.