How to fix docker 'Got permission denied while trying to connect to the Docker daemon socket'

Problem

You are running a command like docker ps but you get this error message:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/json: dial unix /var/run/docker.sock: connect: permission denied

Solution

As a quick fix, running the command as root using sudo (e.g. sudo docker ps) will solve the issue temporarily.

The issue here is that the user you’re running the command as is not a member of the docker group. To add it to the docker group, run:

sudo usermod -a -G docker $USER

After running that command, you need to log out and log back in to your computer (or terminate your SSH session and reconnect if you are logged in using SSH). Otherwise, the group change does not take effect.

Running groups should show you that you now belong to the docker group:

$ groups
uli sudo www-data lxd docker # Check if docker appears here!

After that, retry running the command (e.g. docker ps) - the error should now have disappeared.

See What does sudo usermod -a -G group $USER do on Linux? for details on what this command changes on your system and what the parameters mean.

Background information

When you run any docker command on Linux, the docker binary will try to connect to /var/run/docker.sock. Because access to that socket is controlled by its file permissions, a non-root user who is allowed to use it can run docker commands without using sudo all the time.

When you start the docker daemon, it will create /var/run/docker.sock as a unix socket for client applications to connect to.

You can have a look at the owner, group and permissions of the docker socket by using stat /var/run/docker.sock on the command line:

$ stat /var/run/docker.sock
  File: /var/run/docker.sock
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 16h/22d Inode: 677         Links: 1
Access: (0660/srw-rw----)  Uid: (    0/    root)   Gid: (  999/  docker)
Access: 2019-04-30 01:32:21.718150679 +0200
Modify: 2019-04-24 18:37:39.236357175 +0200
Change: 2019-04-24 18:37:39.240357175 +0200
 Birth: -

For our purposes, the interesting information is Uid: ( 0/ root) Gid: ( 999/ docker) which tells you that the docker socket is owned by the user root and the group docker. The group ID might be different on your computer, but only the name of the group is relevant.

Given the permissions Access: (0660/srw-rw----), both the owner (root) and the group (docker) can read & write (rw) to the docker socket. This means that if you are either the user root (which you can become temporarily using sudo) or you are a member of the docker group, you will be able to connect to that socket and communicate with the docker daemon.
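The access rule above, together with the log-out/log-in requirement from the Solution section, can be checked in one place. The following script is an added example, not part of the original post: the function names are hypothetical, it assumes GNU stat and a root-owned socket as in the output above, and the sample UID 1000 is constructed.

```shell
#!/bin/sh
# has_word WORD "LIST": succeed if WORD is one of the space-separated names.
has_word() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# classify UID SOCK_GROUP SOCK_MODE "SESSION_GROUPS" "DATABASE_GROUPS"
# SOCK_MODE is the octal mode as printed by stat (e.g. 660). Prints a verdict.
classify() {
    uid=$1 sock_group=$2 mode=$3 session=$4 database=$5
    if [ "$uid" -eq 0 ]; then
        echo "ok: running as root"
        return 0
    fi
    # Bits 3-5 of the mode are the group permissions; 2 is the write bit,
    # which connect(2) on a Unix socket requires on Linux.
    group_bits=$(( (0$mode >> 3) & 7 ))
    if [ $(( group_bits & 2 )) -eq 0 ]; then
        echo "denied: group '$sock_group' has no write permission on the socket"
    elif has_word "$sock_group" "$session"; then
        echo "ok: session is in group '$sock_group'"
    elif has_word "$sock_group" "$database"; then
        echo "denied: added to '$sock_group', but this session predates it (log in again)"
    else
        echo "denied: user is not a member of '$sock_group'"
    fi
}

# diagnose_live [SOCKET]: gather the real values (GNU stat, as used on the page).
diagnose_live() {
    sock=${1:-/var/run/docker.sock}
    [ -S "$sock" ] || { echo "no socket at $sock (is dockerd running?)"; return 1; }
    set -- $(stat -c '%G %a' "$sock")
    # 'id -Gn' lists this process's groups; 'id -Gn NAME' reads the group database.
    classify "$(id -u)" "$1" "$2" "$(id -Gn)" "$(id -Gn "$(id -un)")"
}

# Constructed sample: socket group and mode from the stat output above, UID 1000
# assumed, and a session started before usermod added the docker group.
classify 1000 docker 660 "uli sudo www-data lxd" "uli sudo www-data lxd docker"
```

Call diagnose_live on a machine with Docker installed to run the same check against the real socket and the current session.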

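Note that the docker daemon itself (dockerd) is running as root, so anyone who can write to the socket can have the daemon act as root on their behalf; membership in the docker group is effectively root-level access to the host. You can check which user dockerd runs as using: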

$ ps aux | grep dockerd
root      2680  0.1  0.3 1247872 19828 ?       Ssl  Apr24   7:44 /usr/bin/dockerd -H fd://

For more information on the docker daemon, see the official Docker daemon guide.