Linux docker without sudo

Post-installation steps for Linux

This section contains optional procedures for configuring Linux hosts to work better with Docker.

Manage Docker as a non-root user

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
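
Because membership of the docker group is root-equivalent, it helps to know exactly which accounts hold it. The audit sketch below is an added example, not part of the Docker documentation; the function names and the sample account files are constructed, and sudo as the name of the administrators' group is an assumption (Ubuntu's default).

```shell
#!/bin/sh
# Added example (not from the Docker documentation): list the accounts that
# reach the Docker socket through the docker group, i.e. hold root-equivalent
# access, and single out those that are not sudoers as well.

# group_users GROUP_FILE PASSWD_FILE GROUP_NAME
# Prints, sorted and de-duplicated, the supplementary members of the group
# (4th field of the group file) plus users whose primary GID is that group.
group_users() {
    gid=$(awk -F: -v g="$3" '$1 == g { print $3; exit }' "$1")
    [ -n "$gid" ] || return 0          # group absent: it grants nothing
    {
        awk -F: -v g="$3" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# docker_only_root GROUP_FILE PASSWD_FILE [ADMIN_GROUP]
# Docker-group users who are NOT in the admin group: root-equivalent without
# a sudo password prompt or sudo logging. "sudo" is an assumed default name.
docker_only_root() {
    admins=$(group_users "$1" "$2" "${3:-sudo}")
    group_users "$1" "$2" docker | while read -r user; do
        printf '%s\n' "$admins" | grep -qxF "$user" || printf '%s\n' "$user"
    done
}

# Constructed sample data in /etc/group and /etc/passwd format.
sample=$(mktemp -d)
cat > "$sample/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,bobby
EOF
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bobby:x:1001:1001::/home/bobby:/bin/bash
ci:x:1002:998::/home/ci:/usr/sbin/nologin
EOF

echo "docker group (root-equivalent):"
group_users "$sample/group" "$sample/passwd" docker
echo "of which not sudoers:"
docker_only_root "$sample/group" "$sample/passwd"
```

On a live host, pass /etc/group and /etc/passwd; accounts served from LDAP or SSSD are not in those files, so dump them with getent first.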

To create the docker group and add your user:

Create the docker group.

Add your user to the docker group.

Log out and log back in so that your group membership is re-evaluated.

If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

On Linux, you can also run the following command to activate the changes to groups:

Verify that you can run docker commands without sudo.

This command downloads a test image and runs it in a container. When the container runs, it prints a message and exits.

If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.

To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

Configure Docker to start on boot

Most current Linux distributions (RHEL, CentOS, Fedora, Debian, Ubuntu 16.04 and higher) use systemd to manage which services start when the system boots. On Debian and Ubuntu, the Docker service is configured to start on boot by default. To automatically start Docker and Containerd on boot for other distros, use the commands below:

To disable this behavior, use disable instead.

If you need to add an HTTP Proxy, set a different directory or partition for the Docker runtime files, or make other customizations, see customize your systemd Docker daemon options.

Use a different storage engine

For information about the different storage engines, see Storage drivers. The default storage engine and the list of supported storage engines depend on your host’s Linux distribution and available kernel drivers.

Configure default logging driver

Docker provides the capability to collect and view log data from all containers running on a host via a series of logging drivers. The default logging driver, json-file, writes log data to JSON-formatted files on the host filesystem. Over time, these log files expand in size, leading to potential exhaustion of disk resources.

To alleviate such issues, either configure the json-file logging driver to enable log rotation, use an alternative logging driver such as the “local” logging driver that performs log rotation by default, or use a logging driver that sends logs to a remote logging aggregator.

Configure where the Docker daemon listens for connections

By default, the Docker daemon listens for connections on a UNIX socket to accept requests from local clients. It is possible to allow Docker to accept requests from remote hosts by configuring it to listen on an IP address and port as well as the UNIX socket. For more detailed information on this configuration option take a look at “Bind Docker to another host/port or a unix socket” section of the Docker CLI Reference article.

Before configuring Docker to accept connections from remote hosts it is critically important that you understand the security implications of opening docker to the network. If steps are not taken to secure the connection, it is possible for remote non-root users to gain root access on the host. For more information on how to use TLS certificates to secure this connection, check this article on how to protect the Docker daemon socket.

Configuring Docker to accept remote connections can be done with the docker.service systemd unit file for Linux distributions using systemd, such as recent versions of RedHat, CentOS, Ubuntu and SLES, or with the daemon.json file which is recommended for Linux distributions that do not use systemd.

Configuring Docker to listen for connections using both the systemd unit file and the daemon.json file causes a conflict that prevents Docker from starting.
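
A pre-flight check for the two pitfalls described above, the systemd/daemon.json conflict and a TCP listener without TLS verification, as an added example that is not part of the Docker documentation. The function names, file paths and sample files are constructed, and the matching is a text heuristic rather than a full parser.

```shell
#!/bin/sh
# Added example (not from the Docker documentation): heuristic check of the
# two places where a dockerd listener can be configured.

# The systemd override passes -H/--host to dockerd.
has_unit_hosts() {
    [ -f "$1" ] && grep -Eq '^ExecStart=.*[[:space:]](-H|--host)[ =]' "$1"
}
# daemon.json sets a "hosts" key (text match, not a JSON parser).
has_json_hosts() {
    [ -f "$1" ] && grep -Eq '"hosts"[[:space:]]*:' "$1"
}
# TLS client verification is switched on, as a flag or as a daemon.json key.
tls_enforced() {
    grep -Eq -- '--tlsverify([[:space:]]|=true|$)|"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"
}

# check_listeners OVERRIDE_CONF DAEMON_JSON -> one finding per line
check_listeners() {
    if has_unit_hosts "$1" && has_json_hosts "$2"; then
        echo "conflict: hosts set in both files, dockerd will not start"
    fi
    for f in "$1" "$2"; do
        [ -f "$f" ] || continue
        if grep -q 'tcp://' "$f" && ! tls_enforced "$f"; then
            echo "plaintext-tcp: $f opens the API over TCP without tlsverify"
        fi
    done
}

# Constructed sample files (paths and addresses are placeholders).
cfg=$(mktemp -d)
cat > "$cfg/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://127.0.0.1:2375
EOF
cat > "$cfg/daemon.json" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"] }
EOF
cat > "$cfg/daemon-tls.json" <<'EOF'
{ "hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem" }
EOF

check_listeners "$cfg/override.conf" "$cfg/daemon.json"
```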

Configuring remote access with systemd unit file

Use the command sudo systemctl edit docker.service to open an override file for docker.service in a text editor.

Add or modify the following lines, substituting your own values.

How to use Docker without sudo on Ubuntu

In this tutorial I will show you how to run docker commands without sudo on an Ubuntu Linux machine.

If you use Docker for testing and development on your local machine, you have probably seen one of these messages.

You would probably work around this by putting sudo before the docker command or by logging in as root using su. But it does not have to be that way. It is possible to run docker as a normal user, and there are two ways to do it. One is to add your user to the docker group; the other is to allow it to write to the Unix socket used by docker. We are going to show both ways on Ubuntu 18.04 LTS.

1) Adding user to the docker group

Create the new group if it does not exist. This command will likely fail because the group may already exist, but let’s run it anyway.

Next we need to add the current user to the group.

If you don’t want to add the currently logged-in user but some other user, replace $USER with the username of that user. Note that the user must be allowed to use sudo.

Lastly, we need to reload the shell so that the new group settings are applied. You can reboot, or log out and log back in, but both are nuclear options when you actually want something more subtle, so let’s run this command instead.

Now we are ready to run the docker test program without sudo.

2) ACL lists

There is another way to do this, and that is ACL lists.

Still logged in as a sudoer user, we need to run this command

Of course, replace bobby with the actual user who should be able to use docker.

Now you can log in as this user.

Now we can use docker; for example, enter this command

It should list containers if you have some. If not, at least it won’t show you a permission denied error.
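
The ACL route grants the same root-equivalent access as the docker group, but it does not show up in group membership, so it has to be audited on the socket itself. The sketch below is an added example, not part of the original tutorial: it parses getfacl output, and the function names, the sample ACL text and the group auditors are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): read `getfacl` output for the Docker
# socket and list the named users and groups whose ACL entry gives them
# effective write access. Connecting to a Unix socket needs write permission,
# so every name printed here can drive the root-owned daemon.

# socket_acl_writers: getfacl text on stdin -> "user:NAME" / "group:NAME" lines
socket_acl_writers() {
    awk -F: '
        { sub(/[ \t]*#.*$/, "") }            # drop header and #effective comments
        $0 == ""        { next }
        $1 == "mask"    { mask = $3; next }   # the mask caps every named entry
        ($1 == "user" || $1 == "group") && $2 != "" {
            n++; entry[n] = $1 ":" $2; perm[n] = $3
        }
        END {
            for (i = 1; i <= n; i++)
                if (perm[i] ~ /^.w/ && (mask == "" || mask ~ /^.w/))
                    print entry[i]
        }'
}

# Constructed sample: what `getfacl /var/run/docker.sock` could print after
# ACL grants for bobby (read/write) and a group "auditors" (read only).
sample_acl() {
    cat <<'EOF'
# file: var/run/docker.sock
# owner: root
# group: docker
user::rw-
user:bobby:rw-
group::rw-
group:auditors:r--
mask::rw-
other::---
EOF
}

# Same grants with the mask tightened to read-only: bobby keeps his entry,
# but it no longer gives effective write access.
sample_acl_masked() {
    sample_acl | sed 's/^mask::rw-/mask::r--/'
}

sample_acl | socket_acl_writers
```

On a live host, feed it the output of getfacl for /var/run/docker.sock; the owning-group entry (group::) is deliberately skipped because group membership is a separate check.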

That is it: two ways to use docker without sudo. It will save you typing and make using docker faster. Thank you for reading, and let us know in the comments if you know any other options.

How to run docker on ubuntu without the sudo [duplicate]

I want to run my docker by running this command:

I get the following error:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&t=getting-started&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied

My question is: how can I run docker on ubuntu without adding "sudo"?

2 Answers

You should add user to docker group:

After that, you may have to restart Ubuntu.

TL;DR: Unlike what many tutorials on the web propose (add your user account to the docker group, which is risky! see below), you could just add an alias in your .bashrc to avoid typing sudo, while having the "password prompt protection".

To be more precise: the Docker daemon socket is owned by root:docker:

so with this default setup, you need to prepend all docker CLI commands by sudo.

To avoid this, you can either:

Add $USER to the docker group (but that’s quite risky to do this on your personal workstation, as this would amount to providing your user account with root permissions without any sudo password prompt or auditing).

Or, to prepend sudo automatically but avoid typing sudo docker manually, a good practice consists in adding the following alias in your ~/.bashrc file (see e.g. this thread for details):

Then you can test this by opening a new terminal and typing:

How can I use docker without sudo?

On Docker’s documentation pages, all example commands are shown without sudo, like this one:

On Ubuntu, the binary is called docker.io. It also does not work without sudo:

How can I configure Docker so that I don’t need to prefix every Docker command with sudo?

5 Answers

Good news: the new docker (version 19.03 (currently experimental)) will be able to run rootless negating the problems that can occur using a root user. No more messing with elevated permissions, root and anything that might open up your machine when you did not want to.

A few Caveats to the rootless Docker mode

Docker engineers say the rootless mode cannot be considered a replacement for the complete suite of Docker engine features. Some limitations of the rootless mode include:

  • cgroups resource controls, apparmor security profiles, checkpoint/restore, overlay networks etc. do not work in rootless mode.
  • Exposing ports from containers currently requires a manual socat helper process.
  • Only Ubuntu-based distros support overlay filesystems in rootless mode.
  • Rootless mode is currently only provided for nightly builds that may not be as stable as you are used to.

As of docker 19.3 this is obsolete (and more dangerous than need be):

The docker manual has this to say about it:

Giving non-root access

The docker daemon always runs as the root user, and since Docker version 0.5.2, the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root, and so, by default, you can access it with sudo.

Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The docker daemon must always run as the root user, but if you run the docker client as a user in the docker group then you don’t need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.

Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details and this blogpost on Why we don’t let non-root users run Docker in CentOS, Fedora, or RHEL (thanks michael-n).

In the recent release of the experimental rootless mode on GitHub, engineers mention rootless mode allows running dockerd as an unprivileged user, using user_namespaces(7), mount_namespaces(7), network_namespaces(7).

Users need to run dockerd-rootless.sh instead of dockerd.

As Rootless mode is experimental, users need to always run dockerd-rootless.sh with --experimental.

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.

If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.

Add the docker group if it doesn’t already exist:

Add the connected user "$USER" to the docker group. Change the user name to match your preferred user if you do not want to use your current user:

Either do a newgrp docker or log out/in to activate the changes to groups.

to check if you can run docker without sudo.

Is it possible to use docker without sudo?

According to the answers of this question about docker, running it as a non-root is as easy as adding the non-root username to the docker group, and logging out and back in. And sure enough, when I used it as sudo for the hello-world image that went well. But for another test image called whalefortune I still get the access denied error — see below.

Is it not generally possible any more to run docker as non-root? I am using Ubuntu 19.04, which is a later version than the examples, and there were mentions of a possible security breach running dockers as non-root.

My idea was to run nvidia-docker as a normal user, would that be possible (or even a good idea)?

1 Answer

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.

Warning:

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

If you still want to run docker without sudo:

Add the docker group if it doesn’t already exist:

Add the connected user "$USER" to the docker group. Change the user name to match your preferred user if you do not want to use your current user:

Either do a newgrp docker or log out/in to activate the changes to groups (If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect).

to check if you can run docker without sudo.

PS:
If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.

To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:
