Docker Community Forums

Permission denied while trying to connect to the Docker daemon socket

Hi All

I am trying to build a non-root Portainer Dockerfile, from centos:7.5.
The Dockerfile itself and the deployment work really fine. Portainer is easy to set up and easy to deploy.

My issue is that I should not give the images root permission. So, in order to do that, I built my Dockerfile, switching the owner of the portainer folder and the data folder as well to a regular user (a non-root one).

Example:

RUN wget -O $USERWORKDIR/portainer-1.20.1-linux-amd64.tar.gz https://github.com/portainer/portainer/releases/download/1.20.1/portainer-1.20.1-linux-amd64.tar.gz

RUN cd $USERWORKDIR && tar xvpfz portainer-1.20.1-linux-amd64.tar.gz

RUN mkdir "/data" && chown -R regularuser:regularuser "/data"

Where regularuser ID and regularuser Group are already created.

But after doing docker run and trying to access the Portainer portal (which loads just fine), I get:

Unable to create snapshot (endpoint=primary, URL=unix:///var/run/docker.sock) (err=Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/_ping: dial unix /var/run/docker.sock: connect: permission denied

This is the full docker command with the parameters:
docker run -d -p 9000:9000 --name portainer-1 --restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data my-portainer-image:latest --no-auth -H unix:///var/run/docker.sock

Has anyone here already succeeded in creating a non-root Portainer image? And for sure (I should have asked that first), can Portainer be deployed as a Docker container using a non-root user?

Any help will be extremely welcome!

Marcel

Access to /var/run/docker.sock needs elevated permissions, which a non root user inside the container does not have.

You either need to loosen up the permission on /var/run/docker.sock on the host (not recommended!) or bind a port to the daemon and use TLS certificates for mutual TLS authentication (preferred).

2 Likes

Thanks a lot for the answer. That definitely gave me a better picture of the issue.

Just found this while I was doing my homework, based on your answer. For those interested, this Docker documentation gives some extra details as well: https://docs.docker.com/engine/reference/commandline/dockerd/

### Daemon socket option

The Docker daemon can listen for Docker Engine API requests via three different types of Socket: unix, tcp, and fd.

By default, a unix domain socket (or IPC socket) is created at /var/run/docker.sock, requiring either root permission, or docker group membership.

Cheers!
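
Added example, not part of the original thread: a small shell check that reproduces the decision behind the "permission denied" error, given the socket's mode, owner and group and the UID/GIDs of the process in the container. The function names and the numeric IDs (UID 1000 for regularuser, GID 999 for the docker group) are assumptions made for illustration.

```shell
#!/bin/sh
# connect() on a Unix socket needs write permission on the socket file.
# The kernel picks exactly one permission class (owner, group or other).

# sock_access MODE OWNER_UID OWNER_GID UID [GID...]
# Prints the class that grants access (root|owner|group|other) or "denied".
sock_access() {
    mode=$1; owner=$2; group=$3; uid=$4
    shift 4                                   # remaining args: caller's GIDs
    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    if [ "$uid" -eq "$owner" ]; then
        class=owner; bits=$(( (0$mode >> 6) & 7 ))
    else
        class=other; bits=$(( 0$mode & 7 ))
        for g in "$@"; do
            if [ "$g" -eq "$group" ]; then
                class=group; bits=$(( (0$mode >> 3) & 7 )); break
            fi
        done
    fi
    # Only the write bit (2) of the selected class matters.
    if [ $(( bits & 2 )) -ne 0 ]; then echo "$class"; return 0; fi
    echo denied; return 1
}

# check_socket PATH UID [GID...]: same check against a real file (GNU stat).
check_socket() {
    path=$1; shift
    set -- $(stat -c '%a %u %g' "$path") "$@"
    sock_access "$@"
}

# Constructed case: socket owned by root:docker (GID 999 assumed), mode 660.
sock_access 660 0 999 1000 1000 || true       # regularuser only
sock_access 660 0 999 1000 1000 999 || true   # regularuser + socket's group
sock_access 666 0 999 1000 1000 || true       # loosened host permissions
```

On a host, `check_socket /var/run/docker.sock "$(id -u)" $(id -G)` reports the class for the current user. Any identity that passes this check can drive the daemon, so membership in the socket's group is effectively root on the host.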