Docker Community Forums


Mounting & using /var/run/docker.sock in a container not running as root

Hi,

I’m trying to mount the /var/run/docker.sock socket into my container to allow docker-in-docker behaviour on Docker for Mac 17.06.0-cd-mac18 (18433), stable channel. On a mid 2014 MacBook Pro running Sierra 10.12.5.

The container runs as a non-root user (circleci:circleci). When I try to use docker inside it:

docker run -v /var/run/docker.sock:/var/run/docker.sock teviotia/circleci-docker-openjdk-node:latest docker info

I get permission errors, which is not surprising since

docker run -v /var/run/docker.sock:/var/run/docker.sock teviotia/circleci-docker-openjdk-node:latest ls -l /var/run/docker.sock

returns:

srw-rw---- 1 root staff

I tried touching the file and setting its ownership in the Dockerfile:

RUN sudo touch /var/run/docker.sock && sudo chown 3434:3434 /var/run/docker.sock

(3434 is the uid of the circleci user in the container) but this makes no difference to the ownership of the file once it is mounted. Likewise

RUN sudo touch /var/run/docker.sock && sudo chmod o+rw /var/run/docker.sock

makes no difference.

Any ideas?

(I could of course run docker as sudo inside the container, but as you’ve probably noticed the primary use of this container is for circleci, and the scripts work fine on circleci so I’m a bit reluctant to sprinkle sudo everywhere just to solve the ownership of the docker.sock when running locally.)

OK, got a solution - adding this to the Dockerfile:

RUN echo "if [ -e /var/run/docker.sock ]; then sudo chown circleci:circleci /var/run/docker.sock; fi" >> /home/circleci/.bashrc

changes the ownership of the docker.sock file after it has been mounted.

I have the same problem but my non-root user is not a sudoer. Is there any other solution?

May I suggest overriding the userid and groupid when the container is started?

The `docker run` parameter allows you to replace the uid:gid of the user from the first USER declaration in the Dockerfile:

--user=[ user | user:group | uid | uid:gid | user:gid | uid:group ]

The following command stores the group id in the variable docker_gid:
docker_gid=$(cut -d: -f3 < <(getent group docker))

Though it seems like you can use `docker run --user uid:docker` directly…

I am not sure if the gid of the docker group is always 999; if so, you could create the same group in your Dockerfile and assign the user to this group.

The configuration item “user:” can be used in a docker-compose.yml as a child node of the service as well. Though I am not sure if this is still possible with Swarm Stack deployments.
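The `--user uid:gid` approach from the reply above, worked through as an added example (this script is not from the thread or from Docker's own tooling): it reads the numeric gid that owns the host socket and passes it as the primary gid of the container process, so the `rw` bit for the socket's group applies even though no matching group exists in the image's `/etc/group`. The image name `example/ci-image:latest` and the default uid 3434 (the OP's circleci user) are assumptions; the function names are hypothetical. Keep in mind that whoever can talk to `/var/run/docker.sock` can start privileged containers, so this changes which uid inside the container holds that power, not how much power it is.

```bash
#!/bin/sh
# Added example, not code from the original thread. Build and run a
# `docker run` line whose --user gid matches the group owning the host's
# Docker socket, so a non-root container user can use the mounted socket
# without sudo or chown.
set -eu

# Print the numeric gid owning a file. GNU stat (Linux) takes -c, BSD stat
# (macOS) takes -f; try GNU first and fall back to BSD.
file_gid() {
    stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"
}

# Compose the docker run command for a given uid, host socket path and image.
# The gid becomes the container process's primary gid, which is what the
# socket's group permission bits are checked against. Mounts preserve
# numeric ids, so the gid seen on the host is the gid seen in the container.
build_run_cmd() {
    uid="$1"; sock="$2"; image="$3"
    gid="$(file_gid "$sock")"
    printf 'docker run --rm -v %s:/var/run/docker.sock --user %s:%s %s docker info\n' \
        "$sock" "$uid" "$gid" "$image"
}

# Only execute docker when invoked as: ./run-with-socket.sh run [uid] [image]
if [ "${1:-}" = "run" ]; then
    SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"      # host socket path (assumption)
    CONTAINER_UID="${2:-3434}"                        # circleci uid from the thread
    IMAGE="${3:-example/ci-image:latest}"             # hypothetical image name
    cmd="$(build_run_cmd "$CONTAINER_UID" "$SOCK" "$IMAGE")"
    echo "+ $cmd"
    eval "$cmd"
fi
```

The same `uid:gid` string (for example `3434:999`) can go in the `user:` key of a docker-compose service. Before relying on the computed gid, confirm it inside the container with `ls -ln /var/run/docker.sock`: on Docker for Mac the OP's listing shows `root staff`, so the gid to match is the one the container actually sees on the mounted path, which is what the mount preserves from the host.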