How can I use docker without sudo?

Question

Flimm

Asked: 2014-06-07 00:17:43 +0800 CST2014-06-07 00:17:43 +0800 CST 2014-06-07 00:17:43 +0800 CST

How can I use docker without sudo?

772

On Docker's documentation pages, all example commands are shown without sudo, like this one:

docker ps

On Ubuntu, the binary is called docker.io. It also does not work without sudo:

sudo docker.io ps

How can I configure Docker so that I don't need to prefix every Docker command with sudo?

5 Answers

Voted

Rinzwind · Answer 1 · 2014-06-07T00:24:12+08:00

Good news: the new docker (version 19.03 (currently experimental)) will be able to run rootless negating the problems that can occur using a root user. No more messing with elevated permissions, root and anything that might open up your machine when you did not want to.

Video about this from [DockerCon 2019] Hardening Docker daemon with Rootless mode

A few Caveats to the rootless Docker mode

Docker engineers say the rootless mode cannot be considered a replacement for the complete suite of Docker engine features. Some limitation to the rootless mode include:

cgroups resource controls, apparmor security profiles, checkpoint/restore, overlay networks etc. do not work on rootless mode.

Exposing ports from containers currently requires manual socat helper process.

Only Ubuntu-based distros support overlay filesystems in rootless mode.

Rootless mode is currently only provided for nightly builds that may not be as stable as you are used to.

As of docker 19.3 this is obsolete (and more dangerous than need be):

The docker manual has this to say about it:

Giving non-root access

The docker daemon always runs as the root user, and since Docker version 0.5.2, the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root, and so, by default, you can access it with sudo.

Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The docker daemon must always run as the root user, but if you run the docker client as a user in the docker group then you don't need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.

Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details and this blogpost on Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL (thanks michael-n).

In the recent release of the experimental rootless mode on GitHub, engineers mention rootless mode allows running dockerd as an unprivileged user, using user_namespaces(7), mount_namespaces(7), network_namespaces(7).

Users need to run dockerd-rootless.sh instead of dockerd.
$ dockerd-rootless.sh --experimental
As Rootless mode is experimental, users need to always run dockerd-rootless.sh with –experimental.

Important to read: post-installation steps for Linux (it also links to Docker Daemon Attack Surface details).

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.

If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.

Add the docker group if it doesn't already exist:
```
 sudo groupadd docker
```
Add the connected user "$USER" to the docker group. Change the user name to match your preferred user if you do not want to use your current user:
```
 sudo gpasswd -a $USER docker
```
Either do a newgrp docker or log out/in to activate the changes to groups.
You can use
```
 docker run hello-world
```
to check if you can run docker without sudo.

Rohini Choudhary · Answer 2 · 2016-02-28T11:57:56+08:00

Rohini Choudhary

2016-02-28T11:57:56+08:002016-02-28T11:57:56+08:00

To run docker command without sudo, you need to add your user (who has root privileges) to docker group. For this run following command:

 sudo usermod -aG docker $USER

Now, have the user logout then login again. This solution is well explained here with proper installation process.

379

Christian Hujer · Answer 3 · 2017-12-02T08:08:37+08:00

The mechanism by which adding a user to group docker grants permission to run docker is to get access to the socket of docker at /var/run/docker.sock. If the filesystem that contains /var/run has been mounted with ACLs enabled, this can also be achieved via ACLs.

sudo setfacl -m user:$USER:rw /var/run/docker.sock

I'm only including this for completeness.

In general, I recommend to avoid ACLs whenever a good alternative based on groups is available: It is better if the privileges in a system can be understood by looking at group memberships only. Having to scan the file system for ACL entries in order to understand system privileges is an additional burden for security audits.

Warning 1: This has the same root equivalence as adding $USER to the docker group. You can still start a container in a way that has root access to the host filesystem.

Warning 2: ACLs are significantly more difficult for security audits than group-based security. Probably avoid ACLs if possible when you can use groups instead, at least in audit-relevant environments.

miu · Answer 4 · 2020-11-20T04:06:23+08:00

miu

2020-11-20T04:06:23+08:002020-11-20T04:06:23+08:00

After creating the docker group and adding my user to it with

sudo groupadd docker
sudo usermod -aG docker $USER

... I still had to give the /var/run/docker.sock socket and /var/run/docker directory the proper permissions to make it work:

sudo chown root:docker /var/run/docker.sock
sudo chown -R root:docker /var/run/docker

Logout and login again (with that user) then you'll be able to run docker commands without sudo:

docker run hello-world

BTW: This was fixed in Ubuntu 21.10 and is only necessary for Ubuntu versions lower than that.

29

ostrokach · Answer 5 · 2021-03-23T10:29:50+08:00

ostrokach

2021-03-23T10:29:50+08:002021-03-23T10:29:50+08:00

Docker containers need to be ran by a root user. You can add yourself to the docker group (e.g. by running sudo usermod -aG docker $USER), but this makes it easy for anyone with access to the $USER account to gain root access to the machine (e.g. by mounting a root volume in a privileged container).

A more security-conscious way of running Docker containers as a non-root user would be to use Podman: https://podman.io/. From its website:

Podman is a daemonless container engine for developing, managing, and running OCI Containers on your Linux System. Containers can either be run as root or in rootless mode. Simply put: alias docker=podman.

Another alternative is Singularity, which is more commonly deployed in HPC environments: https://sylabs.io/.

5

How can I use docker without sudo?

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?