Docker Community Forums

Share and learn in the Docker community.

Rights to run Docker via Azure DevOps

  • Issue type:

Rights to run Docker

  • OS Version/build

NAME=“Red Hat Enterprise Linux Server”
VERSION=“7.5 (Maipo)”

  • App version

Docker version 19.03.3, build cde21d3829

  • Steps to reproduce

Run build from ADO

I am running my Azure DevOps build agent with an account named “account”.

server:Linux:account: /opt/ADOReleaseMark --> docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:

  1. The Docker client contacted the Docker daemon.
  2. The Docker daemon pulled the “hello-world” image from the Docker Hub.
  3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
  4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker ID:

For more examples and ideas, visit:

This works as intended. However when I run from a pipeline, I get the following error

docker run hello-world

========================== Starting Command Output ===========================

[command]/usr/bin/bash --noprofile --norc /opt/ADOReleaseMark/_work/_temp/

docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied.

See ‘docker run --help’.

##[error]Bash exited with code ‘126’.

The account is an AD account and not a local account. Running usermod -a -G docker account gives me the following error.

usermod: user ‘account’ does not exist

So to get around this I hard coded account into the group file. This allowed me to run docker hello, however I still get the same error when running from Azure DevOps.

Any thoughts on how I can allow anyone to call docker?


Well it isn’t exactly what I wanted to do, however issuing the following command fixed the problem.

sudo chmod 666 /var/run/docker.sock


1 Like

This is a bit late, but just in case someone else runs into this…

You shouldn’t actually need to do sudo to do that. Basically, what’s happening here, is that your system that you’re using (presumably Linux) doesn’t have the account that you setup for the agent as a Service to have access to the destination folders (as the default for using the docker folders is generally located in a place where you need Administrative access). What you’ll need to do, is something like this:

either make a daemon.json file to specify the account that you’re using as the User Account for the network service should be permitted to use the daemon, or you whatever User Account you end up using needs to have administrative access on the OS, or at least access to said folder.

I suppose a third way, could be if you are using Docker Desktop rather than Docker Engine, is to have Docker installed somewhere that doesn’t need administrative access, but I haven’t really messed with doing something like that too much, so I cannot say for certain.

Thank you, I spent hours looking for a solution to this.
And your solution worked for me too.

Thanks a lot for this question. I am also facing this issue for quite a long, but after research, I came to a solution which I am sharing -

Switch Docker to use Windows containers

By default, Docker for Windows is configured to use Linux containers. To allow running the Windows container, confirm that Docker for Windows is running the Windows daemon.
Basically I am using docker to design my automated payroll software, you can check once.

Create and build the Dockerfile

Next, create the Dockerfile.

  1. Open a command prompt.
  2. Create a new directory:


mkdir C:\dockeragent
  1. Change directories to this new directory:


cd C:\dockeragent
  1. Save the following content to a file called C:\dockeragent\Dockerfile (no file extension):




COPY start.ps1 .

CMD powershell .\start.ps1
  1. Save the following content to C:\dockeragent\start.ps1 :


if (-not (Test-Path Env:AZP_URL)) {
  Write-Error "error: missing AZP_URL environment variable"
  exit 1

if (-not (Test-Path Env:AZP_TOKEN_FILE)) {
  if (-not (Test-Path Env:AZP_TOKEN)) {
    Write-Error "error: missing AZP_TOKEN environment variable"
    exit 1

  $Env:AZP_TOKEN_FILE = "\azp\.token"
  $Env:AZP_TOKEN | Out-File -FilePath $Env:AZP_TOKEN_FILE

Remove-Item Env:AZP_TOKEN

if ((Test-Path Env:AZP_WORK) -and -not (Test-Path $Env:AZP_WORK)) {
  New-Item $Env:AZP_WORK -ItemType directory | Out-Null

New-Item "\azp\agent" -ItemType directory | Out-Null

# Let the agent ignore the token env variables

Set-Location agent

Write-Host "1. Determining matching Azure Pipelines agent..." -ForegroundColor Cyan

$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$(Get-Content ${Env:AZP_TOKEN_FILE})"))
$package = Invoke-RestMethod -Headers @{Authorization=("Basic $base64AuthInfo")} "$(${Env:AZP_URL})/_apis/distributedtask/packages/agent?platform=win-x64&`$top=1"
$packageUrl = $package[0].Value.downloadUrl

Write-Host $packageUrl

Write-Host "2. Downloading and installing Azure Pipelines agent..." -ForegroundColor Cyan

$wc = New-Object System.Net.WebClient
$wc.DownloadFile($packageUrl, "$(Get-Location)\")

Expand-Archive -Path "" -DestinationPath "\azp\agent"

  Write-Host "3. Configuring Azure Pipelines agent..." -ForegroundColor Cyan

  .\config.cmd --unattended `
    --agent "$(if (Test-Path Env:AZP_AGENT_NAME) { ${Env:AZP_AGENT_NAME} } else { ${Env:computername} })" `
    --url "$(${Env:AZP_URL})" `
    --auth PAT `
    --token "$(Get-Content ${Env:AZP_TOKEN_FILE})" `
    --pool "$(if (Test-Path Env:AZP_POOL) { ${Env:AZP_POOL} } else { 'Default' })" `
    --work "$(if (Test-Path Env:AZP_WORK) { ${Env:AZP_WORK} } else { '_work' })" `

  Write-Host "4. Running Azure Pipelines agent..." -ForegroundColor Cyan

  Write-Host "Cleanup. Removing Azure Pipelines agent..." -ForegroundColor Cyan

  .\config.cmd remove --unattended `
    --auth PAT `
    --token "$(Get-Content ${Env:AZP_TOKEN_FILE})"
  1. Run the following command within that directory:


docker build -t dockeragent:latest .

This command builds the Dockerfile in the current directory.The final image is tagged dockeragent:latest . You can easily run it in a container as dockeragent , because the latest tag is the default if no tag is specified.

Start the image

Now that you have created an image, you can run a container.

  1. Open a command prompt.
  2. Run the container. This installs the latest version of the agent, configures it, and runs the agent. It targets the Default pool of a specified Azure DevOps or Azure DevOps Server instance of your choice:


 -e AZP_TOKEN= -e AZP_AGENT_NAME=mydockeragent dockeragent:latest
" style="box-sizing: inherit; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 1em; direction: ltr; outline-color: inherit; line-height: 1.3571; border: 0px; display: block; padding: 0px; position: relative;">docker run -e AZP_URL=<Azure DevOps instance> -e AZP_TOKEN=<PAT token> -e AZP_AGENT_NAME=mydockeragent dockeragent:latest

Optionally, you can control the pool and agent work directory by using additional [environment variables].