How can I use Docker without sudo?

Question

On Docker's documentation pages, all example commands are shown without sudo, like this one:

docker ps

On Ubuntu, the binary is called docker.io. It also does not work without sudo:

sudo docker.io ps

How can I configure Docker so that I don't need to prefix every Docker command with sudo?

@anatolytechtonik I also used 'docker' instead of 'docker.io' in Ubuntu 14.04 LTS — Nabin, Jul 28 '16 at 01:49
Recommended installation is not the docker in default ubuntu repos; instead, instructions here ( https://docs.docker.com/engine/installation/linux/ubuntulinux/ ), recommend using the docker repo. Remove all the existing docker stuff, and verify you're getting the one from the right source: apt-cache policy docker-engine (apt url should be from dockerproject.org) — michael, Sep 24 '16 at 06:30
How about an alias:? That way, you still use sudo, with password protection. alias docker="sudo docker " — Andrej Panjkov, Mar 22 '18 at 17:34
Yeah, until Docker implements policykit or something similar I'd strongly recommend using an alias, otherwise you might as well just run everything as root. — Jonathan Baldwin, Apr 21 '19 at 22:53
What junk is this for requiring root to do simple things such as docker info. Like docker info needs raw access to all my file and devices and ports to run. — Rolf, Feb 27 '21 at 10:57
@Flimm Your flag says "This is an answer that is probably wrong". If it's a wrong answer then you should just flag the comment for deletion. — Thomas Ward, Mar 06 '23 at 15:56
@TechnicalKeera that breaks a bit because then the docker daemon can't talk to the socket. It also will not stick, it'll be recreated at next boot as a different user so the solution proposed will fail. If you want to bypass sudo for docker you SHOULD put your user into the docker group if you want unrestricted execution access for the user - it's a security risk to do that though, so running sudo on your docker commands is the way you should be handling things which need run as an admin. — Thomas Ward, Mar 06 '23 at 15:57

score 1472 · Accepted Answer · edited Apr 15 '23 at 09:49

1472

Good news: the new Docker version 19.03 (currently experimental) will be able to run rootless negating the problems that can occur using a root user. No more messing with elevated permissions, root, and anything that might open up your machine when you did not want to.

Video about this from [DockerCon 2019] Hardening Docker daemon with Rootless mode

A few Caveats to the rootless Docker mode

Docker engineers say the rootless mode cannot be considered a replacement for the complete suite of Docker engine features. Some limitation to the rootless mode include:

cgroups resource controls, apparmor security profiles, checkpoint/restore, overlay networks etc. do not work on rootless mode.

Exposing ports from containers currently requires manual socat helper process.

Only Ubuntu-based distros support overlay filesystems in rootless mode.

Rootless mode is currently only provided for nightly builds that may not be as stable as you are used to.

As of Docker 19.3 this is obsolete (and more dangerous than need be):

The Docker manual has this to say about it:

Giving non-root access

The docker daemon always runs as the root user, and since Docker version 0.5.2, the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root, and so, by default, you can access it with sudo.

Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The docker daemon must always run as the root user, but if you run the docker client as a user in the docker group then you don't need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.

Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details and this blogpost on Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL (thanks michael-n).

In the recent release of the experimental rootless mode on GitHub, engineers mention rootless mode allows running dockerd as an unprivileged user, using user_namespaces(7), mount_namespaces(7), network_namespaces(7).

Users need to run dockerd-rootless.sh instead of dockerd.
$ dockerd-rootless.sh --experimental
As Rootless mode is experimental, users need to always run dockerd-rootless.sh with –experimental.

Important to read: post-installation steps for Linux (it also links to Docker Daemon Attack Surface details).

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.

If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.

Add the docker group if it doesn't already exist:
```
 sudo groupadd docker
```
Add the connected user "$USER" to the docker group. Change the user name to match your preferred user if you do not want to use your current user:
```
 sudo gpasswd -a $USER docker
```
Either do a newgrp docker or log out/in to activate the changes to groups.
You can use
```
 docker run hello-world
```
to check if you can run Docker without sudo.

edited Apr 15 '23 at 09:49

Matthias Braun

1,043

answered Jun 06 '14 at 08:24

Rinzwind

299,756

@Chechus "You need to log out and log back in again for this to take effect." has been there for over a year? – Rinzwind Aug 29 '14 at 14:53
@Rinzwind Could you consider any several security implication that this may have to the host system to remark on the answer? – Lucio Dec 27 '14 at 23:05
2

Isn't that the most insecure architecture for production? I must be missing something – matanox Jan 10 '15 at 01:19
@matt not the "most" insecure. See the link for some things on that: "First of all, only trusted users should be allowed to control your Docker daemon.". If you use it with a webserver (ie. as an API) you have another layer of problems. – Rinzwind Jan 10 '15 at 07:08
5

Yeah, but every privileged process opens up potential for exploit. Is docker hooking that deep into the operating system to really mandate that level of privileges? – matanox Jan 10 '15 at 14:24
4

newgrp docker didn't work for me, i had to log out. – lolmaus - Andrey Mikhaylov Mar 14 '15 at 19:29
68

It's worth pointing out that this gives that user unrestricted, non-password protected root access. See details of the vulnerability here – Chris Foster Apr 22 '15 at 20:57
1

@ChrisFoster that's why there is a bit fat warning in there. But it is also set up such that is someone can exploit this they got bigger problems ;-) – Rinzwind Apr 23 '15 at 06:55
This: "If you are on Ubuntu 14.04 and up use docker.io instead: sudo service docker.io restart" is not correct for Ubuntu 16.04 server edition. The service is called "docker" simply. Installed docker via Xenials ordinary apt sources using sudo apt-get install docker.io though. – Olof Bjarnason Apr 28 '16 at 11:43
3

you do NOT need to restart the docker daemon for this change to take place!! just have the user that you just added log out then back in – Tommy Sep 12 '16 at 15:21
1

more on the security vulnerability this 'solution' presents, here: https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/ – michael Sep 25 '16 at 10:39
1

@Tommy This worked for me also, but I suspect that it was because the docker group already existed. If the docker group does not exist before starting the server, I'd bet you do have to restart it, or at least systemctl reload docker. – jpaugh Jan 20 '17 at 16:04
Note that restarting the docker service will stop all containers running being run. It's obvious in retrospect, but it's worth warning people about. – Aaron Feb 07 '17 at 19:12
As stated by @Tommy, there should not be a need to restart docker service. Docker service does not care about users, all it receives is an anonymous HTTP request to perform an action. Adding user to the docker group allows to access unix socket through which you make the request. That is entirely on the client-side which does not actively run and is not affected by service docker restart. – Pijusn May 24 '17 at 07:26
@Pijusn there removed it. – Rinzwind May 24 '17 at 09:30
8

if you use docker login, you may find that the .docker folder created in your home folder, belongs to root. thus you would encounter this warning when running docker commands: WARNING: Error loading config file:/home/myuser/.docker/config.json - stat /home/myuser/.docker/config.json: permission denied. I made my user's .docker folder accessible without sudo like so: sudo chgrp -hR docker ~/.docker && sudo chown -R myuser ~/.docker. the chgrp didn't seem to help though, so probably I should only recommend the chown step. – Birchlabs Jul 28 '17 at 11:24
3

@Tommy, I also had to restart the docker server. Since my docker group did not exist, the file ownership on the /var/run/docker.sock file was root:root. When I restarted the docker server it was root:docker. Then it worked for me. – Greg Jan 04 '18 at 16:15
this helped, but the trick was to run @Christian Hujer wrote sudo setfacl -m user:username:rw /var/run/docker.sock – Ben Yitzhaki Jan 18 '18 at 09:02
@BenYitzhaki I did not want to steal his part of this ;-) – Rinzwind Jan 18 '18 at 09:39
@Rinzwind didn't really follow the comments, just wasted too much time on this when the answer was on front of me :( – Ben Yitzhaki Jan 18 '18 at 12:59
Followed all the steps mentioned, logged out and in multiple times but that didn't help. Finally did a "sudo service docker restart" and bingo, docker was able to run images without sudo! – Bharat Mallapur Nov 26 '18 at 07:16
15

I had to restart Ubunutu. Logging out didn't work. – Philip Rego Nov 10 '19 at 03:18
Are you saying that as of now I should by default not be encountering the error Got permission denied while trying... at all anymore? I am still getting this error on Docker version 20.10.2, build 20.10.2-0ubuntu1~20.04.2 and I still had to solve it through the groupadd procedure. – Kvothe Apr 30 '21 at 13:36
1

sudo chown $USER /var/run/docker.sock it worked for me – Tanjin Alam Apr 06 '23 at 08:24
1

@TanjinAlam I would advide to jnclude the group too (so $USER:$USER ) if the socket has permission 6 (rw) for groups (if lower it does not matter). – Rinzwind Apr 06 '23 at 08:32

score 432 · Answer 2 · edited Dec 20 '16 at 21:32

432

To run docker command without sudo, you need to add your user (who has root privileges) to docker group. For this run following command:

 sudo usermod -aG docker $USER

Now, have the user logout then login again. This solution is well explained here with proper installation process.

edited Dec 20 '16 at 21:32

Tshilidzi Mudau

4,173

answered Feb 27 '16 at 19:57

Rohini Choudhary

4,470

42

after add user to group , run this command: sg group_name -c "bash" – madjardi Apr 09 '16 at 02:12
8

you do not need to restart the OS for this change to take place! That will bomb all running containers! Just have the user that you just added log out then in. – Tommy Sep 12 '16 at 15:22
2

This is indeed what the official Docker documentation recommends doing to be able to run docker with unprivileged users: – Pejvan Jan 30 '17 at 13:42
8

How is that command different to "sudo gpasswd -a ${USER} docker" in other answer? If at all... – Ashley Aitken Mar 09 '17 at 15:22
30

Could you please add the warning given by the docs: " The docker group [...] is root-equivalent", so people have a chance to think about it – Murmel Apr 24 '17 at 21:28
9

Same effect as the 2 year older accepted answer, but without the warnings about the security risks – Gert van den Berg Apr 12 '19 at 06:33
1

Still getting: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied – Soerendip Oct 08 '21 at 15:57
2

@Soren Logging out often does not work, restart the machine and try again. Could update the answer with this info. – Snackoverflow Feb 15 '22 at 06:31
1

requires reboot – Chang Zhao Mar 02 '22 at 17:33
2

Logging out/in did not work. I did that 3 times and it did not work. Only after system reboot, it worked. Ubuntu 22.04 LTS. Change the answer to say that reboot is needed. – Damn Vegetables Sep 17 '22 at 15:58
I don't know why people keep using usermod/useradd with options instead of adduser $USER docker, the friendly and convenient frontend that Debian recommends – Pablo Bianchi May 30 '23 at 20:45

Christian Hujer · Answer 3 · 2020-08-11T11:29:34.493

158

The mechanism by which adding a user to group docker grants permission to run docker is to get access to the socket of docker at /var/run/docker.sock. If the filesystem that contains /var/run has been mounted with ACLs enabled, this can also be achieved via ACLs.

sudo setfacl -m user:$USER:rw /var/run/docker.sock

I'm only including this for completeness.

In general, I recommend to avoid ACLs whenever a good alternative based on groups is available: It is better if the privileges in a system can be understood by looking at group memberships only. Having to scan the file system for ACL entries in order to understand system privileges is an additional burden for security audits.

Warning 1: This has the same root equivalence as adding $USER to the docker group. You can still start a container in a way that has root access to the host filesystem.

Warning 2: ACLs are significantly more difficult for security audits than group-based security. Probably avoid ACLs if possible when you can use groups instead, at least in audit-relevant environments.

edited Aug 11 '20 at 11:29

answered Dec 01 '17 at 16:08

Christian Hujer

2,442

10

It worked on 16.04 – edib Dec 12 '17 at 08:22
2

Much better way imo. The group docker is root-equivalent and that is always a sign of danger. And I don't see any disadvantage to taking ownership of this one file. – xeruf Mar 03 '18 at 00:54
Could you describe which commands should be executed in order to "get access to the socket of docker at /var/run/docker.sock"? – Yuval Atzmon Apr 12 '18 at 16:46
@yuval That command is already described in the answer, it's the setfacl command. – Christian Hujer Apr 18 '18 at 19:47
11

@Xerus if I understand correctly, whoever can write to this socket can get root-equivalent privileges too. So giving someone access to this socket via ACL has the same security effect as adding that person to the docker group. – Paŭlo Ebermann Apr 23 '18 at 15:26
1

This solution worker with Ubuntu 18.04 as well. In any case I did sudo groupadd docker and sudo usermod -aG docker $USER as well before of it. – loretoparisi Dec 29 '20 at 19:46
2

Do the job for me on Ubuntu 20.04 – Alexey Muravyov Feb 25 '21 at 11:51
Worked on Ubuntu 21.04 – Joe Aug 18 '21 at 13:18
2

worked on 22.04 – Ahmed ElMetwally May 11 '22 at 14:05
1

This is solid, b/c it doesn't require any shell restarts, so it can be used in the middle of a script and actually work. Yes, like ~all other lazy options, it grants root access, but in cases when you are already using root because reasons, it is much simpler than setup and maintenance of rootless docker. – Ajax Aug 10 '22 at 00:09

miu · Answer 4 · 2022-02-21T11:44:15.943

54

After creating the docker group and adding my user to it with

sudo groupadd docker
sudo usermod -aG docker $USER

... I still had to give the /var/run/docker.sock socket and /var/run/docker directory the proper permissions to make it work:

sudo chown root:docker /var/run/docker.sock
sudo chown -R root:docker /var/run/docker

Logout and login again (with that user) then you'll be able to run docker commands without sudo:

docker run hello-world

BTW: This was fixed in Ubuntu 21.10 and is only necessary for Ubuntu versions lower than that.

edited Feb 21 '22 at 11:44

answered Nov 19 '20 at 12:06

miu

821
9
8

2

I get chown: changing ownership of '/var/run/docker/netns/ingress_sbox': Operation not permitted – Soerendip Oct 08 '21 at 15:58
@Soren I just tried it right now again with Ubuntu 20.04 and all my commands from above work fine. If you use the chown command with sudo you shouldn't get any error messages. Try to reboot, log into the root accout and run the two chown commands (no sudo needed). Then logout from the root user account and into your normal user account and try to use docker without sudo. Does it work now? – miu Oct 10 '21 at 03:23
Worked for me with just adding the group and adding the user to the group, but after reboot. Im on Pop!_OS 20.04 LTS. One might want to reboot, try it out and only if it doesnt work use this solution. – Yaroslav Yakovlev Jan 29 '23 at 12:29
@Soren this is because you are trying to chown while the docker daemon is running. Stop docker with systemctl stop docker then run the commands of this solution and start it again with systemctl start docker – A.Casanova May 03 '23 at 08:23

score 9 · Answer 5 · edited Mar 27 '23 at 11:53

9

Docker containers need to be run by a superuser. You can add yourself to the docker group (e.g. by running sudo usermod -aG docker $USER), but this makes it easy for anyone with access to the $USER account to gain root access to the machine (e.g. by mounting a root volume in a privileged container).

A more security-conscious way of running Docker containers as a non-root user would be to use Podman. From its website:

Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode. Simply put: alias docker=podman.

Another alternative is Singularity, which is more commonly deployed in HPC environments.

edited Mar 27 '23 at 11:53

Michael Mior

150

answered Mar 22 '21 at 18:29

ostrokach

854
8
11

Please provide info on why docker containers must be run as a root user. – GaTechThomas Jul 18 '21 at 21:44
1

@GaTechThomas See https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user. "The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user." My knowledge does not go deeper than this. – ostrokach Jul 19 '21 at 14:10
2

Docker can be run without root permisssions. See the section Run the Docker daemon as a non-root user (Rootless mode) https://docs.docker.com/engine/security/rootless/ – Erik Sjölund Feb 27 '22 at 08:01

How can I use Docker without sudo?

5 Answers5

Linked

Related