10

According to the answers to this question about docker, running it as non-root is as easy as adding the non-root username to the docker group, and logging out and back in. And sure enough, when I used it with sudo for the hello-world image that went well. But for another test image called whalefortune I still get the access denied error -- see below.

Is it not generally possible any more to run docker as non-root? I am using Ubuntu 19.04, which is a later version than the examples, and there were mentions of a possible security breach when running docker as non-root.

My idea was to run nvidia-docker as a normal user, would that be possible (or even a good idea)?

$ sudo docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete 
Digest:   sha256:6540fc08ee6e6b7b63468dc3317e3303aae178cb8a45ed3123180328bcc1d20f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
  1. The Docker client contacted the Docker daemon.
  2. The Docker daemon pulled the "hello-world" image from the Docker Hub. (amd64)
  3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading.
  4. The Docker daemon streamed that output to the Docker client, which sent it
     to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/

For more examples and ideas, visit:
https://docs.docker.com/get-started/

$ docker run --rm dbkdoc/whalefortune
docker: Got permission denied while trying to connect to the 
Docker daemon socket at unix:///var/run/docker.sock: 
Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/create: 
dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

1 Answer

12

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

Warning:

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.


If you still want to run docker without sudo:

  • Add the docker group if it doesn't already exist:

     sudo groupadd docker
    
  • Add the connected user "$USER" to the docker group. Change the user name to match your preferred user if you do not want to use your current user:

     sudo usermod -aG docker $USER
    
  • Either run newgrp docker or log out and back in to activate the changes to groups (if testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect).

  • You can use

     docker run hello-world
    

    to check if you can run docker without sudo.

PS:
If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.

WARNING: Error loading config file: /home/user/.docker/config.json -
stat /home/user/.docker/config.json: permission denied

To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

sudo chown "$USER":"$USER" /home/"$USER"/.docker -R
sudo chmod g+rwx "$HOME/.docker" -R

Once finished, you need to restart your session or re-login (sudo su $USER) to use docker without sudo.

Source: Docker documentation

singrium
  • 7,320
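
The "permission denied" on /var/run/docker.sock shown in the question has a few distinct causes, which can be told apart by comparing the running session's groups with the account database and with the socket's group and mode. The script below is an added example, not part of the answer or of Docker's documentation; the function names and verdict strings are hypothetical, the sample user "alice" is constructed, and GNU stat (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: classify why a non-root user is denied on the Docker socket.
# Function names and verdict strings are hypothetical, chosen for this example.

# classify_socket_access SESSION_GROUPS DB_GROUPS SOCKET_GROUP SOCKET_MODE
#   SESSION_GROUPS  groups of the running shell      (id -Gn)
#   DB_GROUPS       groups in the account database   (id -Gn <user>)
#   SOCKET_GROUP    group owner of the socket        (stat -c %G)
#   SOCKET_MODE     octal mode of the socket         (stat -c %a), e.g. 660
classify_socket_access() {
    session=" $1 " db=" $2 " sock_group=$3 mode=${4:-0}
    # Connecting to a Unix socket requires write permission on it.
    if [ $(( 0$mode & 2 )) -ne 0 ]; then
        # Any local user can drive the daemon: root-equivalent for everyone.
        echo "world-writable-socket"
    elif [ $(( (0$mode >> 3) & 2 )) -eq 0 ]; then
        echo "socket-not-group-writable"
    else
        # "ok" means this session holds the root-equivalent docker group.
        case "$session" in *" $sock_group "*) echo "ok"; return ;; esac
        # usermod has run, but this session started before the change.
        case "$db" in *" $sock_group "*) echo "relogin-needed"; return ;; esac
        echo "not-a-member"
    fi
}

# check_live [SOCKET]: gather the four inputs from the running system.
check_live() {
    sock=${1:-/var/run/docker.sock}
    [ -S "$sock" ] || { echo "no-socket"; return 0; }
    # "id -Gn" reports the process; "id -Gn <user>" re-reads the database.
    classify_socket_access "$(id -Gn)" "$(id -Gn "$(id -un)")" \
        "$(stat -c %G "$sock")" "$(stat -c %a "$sock")"
}

# Constructed sample: group membership added, shell session not yet refreshed.
classify_socket_access "alice adm sudo" "alice adm sudo docker" docker 660
# The same check against this machine's socket, if one exists.
check_live
```

A "relogin-needed" verdict corresponds to the newgrp docker or log out/in step in the answer; "ok" means the session holds the access that the answer's warning describes as equivalent to root.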