Permission denied while using rootless docker with different user on ubuntu

I have set up rootless docker in line with the official guide and when I am using “docker” user it works as intended. However, user “foo” also needs to use docker, hence following this official guide I added him to the docker group and “id” confirms that it was successful. As he still could not use the “docker” command, I’ve aligned to the first guide and added to ~/.bash_aliases:

export PATH=/home/docker/bin:$PATH
export DOCKER_HOST=unix:///run/user/1001/docker.sock # 1001 is “docker” user UUID

Now the “docker” command works, but when I try “docker run hello-world” I get:

docker: permission denied while trying to connect to the Docker daemon socket at unix:///run/user/1001/docker.sock: Post "http://%2Frun%2Fuser%2F1001%2Fdocker.sock/v1.24/containers/create": dial unix /run/user/1001/docker.sock: connect: permission denied.

Command sudo ls -la /run/user/1001 shows:

total 4
drw-rw---- 6 docker docker 200 Apr 7 07:41 .
drwxr-xr-x 4 root root 80 Apr 6 13:25 ..
srw-rw---- 1 docker docker 0 Apr 6 13:23 bus
drw-rw---- 3 docker docker 60 Apr 6 13:23 dbus-1
drw-rw---- 7 docker docker 160 Apr 6 13:23 docker
-rw-rw---- 1 docker docker 3 Apr 6 13:23 docker.pid
srw-rw---- 1 docker 166536 0 Apr 6 13:23 docker.sock
drw-rw---- 2 docker docker 140 Apr 6 13:23 gnupg
srw-rw---- 1 docker docker 0 Apr 6 13:23 snapd-session-agent.socket
drw-rw---- 6 docker docker 160 Apr 6 13:23 systemd

What’s interesting, docker.sock is not in docker group. I’ve tried to change the ownership to docker group, but I still get the same error. And after reboot, docker.sock is once again reassigned to this integer group. I can’t add “foo” user to this group as it does not exist.

I’ve tried also to go with nuclear option and open all permissions (sudo chmod -R 666 /run/user/1001). Permissions are changed, but I still get the same error:

total 4
drw-rw-rw- 6 docker docker 200 Apr 7 07:49 .
drwxr-xr-x 4 root root 80 Apr 6 13:25 ..
srw-rw-rw- 1 docker docker 0 Apr 6 13:23 bus
drw-rw-rw- 3 docker docker 60 Apr 6 13:23 dbus-1
drw-rw-rw- 7 docker docker 160 Apr 6 13:23 docker
-rw-rw-rw- 1 docker docker 3 Apr 6 13:23 docker.pid
srw-rw-rw- 1 docker docker 0 Apr 6 13:23 docker.sock
drw-rw-rw- 2 docker docker 140 Apr 6 13:23 gnupg
srw-rw-rw- 1 docker docker 0 Apr 6 13:23 snapd-session-agent.socket
drw-rw-rw- 6 docker docker 160 Apr 6 13:23 systemd

I’m completely stuck and will be grateful for any guidance.
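An added diagnostic, not part of the original post: it walks a socket path component by component and reports whether the "others" permission bits (the ones the chmod -R 666 attempt relied on) allow a user outside the owning group to reach the socket. Every directory on the way needs search (x) and the socket itself needs read and write; the listing above shows the runtime directory without any execute bit, which is what this check flags. It assumes GNU stat (as on Ubuntu) and treats the path argument as an absolute path.

```shell
#!/bin/sh
# socket_world_reachable PATH
# Returns 0 if PATH is reachable via the "others" bits alone, 1 otherwise,
# printing the first blocking component to stderr. Assumes GNU `stat -c`.
socket_world_reachable() {
    target=$1
    case $target in /*) ;; *) echo "need an absolute path: $target" >&2; return 2 ;; esac
    # Split the path on '/' into positional parameters.
    old_ifs=$IFS; IFS=/; set -- $target; IFS=$old_ifs
    prefix=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        [ -e "$prefix" ] || { echo "missing: $prefix" >&2; return 1; }
        mode=$(stat -c '%a' "$prefix")      # e.g. 700, 660, 1777
        other=$(( mode % 10 ))              # lowest octal digit = "others" bits
        if [ "$prefix" = "$target" ]; then
            # connect() on a unix socket needs read (4) and write (2) on the inode.
            if [ $(( other & 6 )) -ne 6 ]; then
                echo "blocked: $prefix mode $mode (others lack rw)" >&2; return 1
            fi
        else
            # Each directory must grant search (x, bit 1) or the path cannot be traversed.
            if [ $(( other & 1 )) -eq 0 ]; then
                echo "blocked: $prefix mode $mode (others lack x)" >&2; return 1
            fi
        fi
    done
    echo "reachable: $target"
    return 0
}

# Usage when run as a script: socket_world_reachable.sh /run/user/1001/docker.sock
if [ -n "${1:-}" ]; then
    socket_world_reachable "$1"
fi
```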

The docker group can be used with rootful Docker if you trust everyone who is in the docker group to do nothing wrong. Using the docker group you don’t really have any way to log what the users were doing. On the other hand, if you allow specific users to run sudo docker in /etc/sudoers by using the visudo command, the auth log (or sudo log) will contain these commands.

The point of using Rootless Docker is that everyone can have their own Docker daemon with a docker socket that only they can use. If you want multiple users to be able to use the same rootless Docker, you could create a user just for running rootless Docker and allow other users to impersonate that user, although I wouldn’t do that either.

For development it is best if you have your own Docker and for production, it is enough if only one user has access to Docker interactively or through some automated workflow.

If you still want to work with multiple users on a server and make Docker more secure than it is by default, you can enable the user namespace.

This is the same technique as used for Rootless Docker so the root user in the container would not be root user on the host, but it wouldn’t belong to a specific interactive user either.