Linux docker without sudo

Linux post-installation steps for Docker Engine

These optional post-installation procedures show you how to configure your Linux host machine to work better with Docker.

Manage Docker as a non-root user

The Docker daemon binds to a Unix socket, not a TCP port. By default it’s the root user that owns the Unix socket, and other users can only access it using sudo. The Docker daemon always runs as the root user.

If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group. On some Linux distributions, the system automatically creates this group when installing Docker Engine using a package manager. In that case, there is no need for you to manually create the group.

Warning

The docker group grants root-level privileges to the user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

To create the docker group and add your user:

$ sudo usermod -aG docker $USER 

If you’re running Linux in a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

This command downloads a test image and runs it in a container. When the container runs, it prints a message and exits. If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error:

WARNING: Error loading config file: /home/user/.docker/config.json - stat /home/user/.docker/config.json: permission denied 

This error indicates that the permission settings for the ~/.docker/ directory are incorrect, due to having used the sudo command earlier. To fix this problem, either remove the ~/.docker/ directory (it’s recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:

$ sudo chown "$USER":"$USER" /home/"$USER"/.docker -R
$ sudo chmod g+rwx "$HOME/.docker" -R
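
Because docker group membership is equivalent to root, it is worth auditing who holds it and who can write to the socket. The script below is an added example, not part of the Docker documentation; the function names and the sample group and passwd entries are constructed for illustration.

```shell
# Added example: list every account that can use the Docker socket without sudo.
# docker_group_users [GROUP_FILE] [PASSWD_FILE]
# Prints the sorted accounts in the "docker" group: supplementary members from
# the group file plus accounts whose primary GID is the docker GID (these do
# not appear in the group's member list).
docker_group_users() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    [ -n "$gid" ] || return 0            # no docker group, nothing to report
    {
        awk -F: '$1 == "docker" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# socket_exposure PERMS OWNER GROUP
# Classifies who may connect, given fields 1, 3 and 4 of
# `ls -l /var/run/docker.sock`. Connecting to a Unix socket requires write
# permission on it, so only the "w" bits are inspected.
socket_exposure() {
    case $1 in
        ????????w*) echo "world" ;;      # other-writable: any local user
        ?????w*)    echo "group:$3" ;;   # default layout: srw-rw---- root docker
        *)          echo "owner:$2" ;;
    esac
}

# Constructed sample data (not from a real host) so the script runs offline.
write_sample_files() {
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,bob
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci:x:1002:998::/home/ci:/bin/sh
EOF
}

tmp=$(mktemp -d)
write_sample_files "$tmp"
docker_group_users "$tmp/group" "$tmp/passwd"      # alice, bob and ci
echo "socket reachable by: $(socket_exposure srw-rw---- root docker)"
rm -rf "$tmp"
```

Called without arguments, docker_group_users reads the host's own /etc/group and /etc/passwd; accounts managed through LDAP or another directory service are not covered by this file-based check.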

Configure Docker to start on boot with systemd

Many modern Linux distributions use systemd to manage which services start when the system boots. On Debian and Ubuntu, the Docker service starts on boot by default. To automatically start Docker and containerd on boot for other Linux distributions using systemd, run the following commands:

$ sudo systemctl enable docker.service
$ sudo systemctl enable containerd.service

To stop this behavior, use disable instead.

$ sudo systemctl disable docker.service
$ sudo systemctl disable containerd.service

If you need to add an HTTP proxy, set a different directory or partition for the Docker runtime files, or make other customizations, see customize your systemd Docker daemon options.

Configure default logging driver

Docker provides logging drivers for collecting and viewing log data from all containers running on a host. The default logging driver, json-file, writes log data to JSON-formatted files on the host filesystem. Over time, these log files expand in size, leading to potential exhaustion of disk resources.

To avoid issues with overusing disk for log data, consider one of the following options:

  • Configure the json-file logging driver to turn on log rotation.
  • Use an alternative logging driver such as the “local” logging driver that performs log rotation by default.
  • Use a logging driver that sends logs to a remote logging aggregator.

Next steps

  • Read the Get started training modules to learn how to build an image and run it as a containerized application.
  • Review the topics in Develop with Docker to learn how to build new applications using Docker.

Is it possible to use docker without sudo?

According to the answers of this question about docker, running it as a non-root is as easy as adding the non-root username to the docker group, and logging out and back in. And sure enough, when I used it as sudo for the hello-world image that went well. But for another test image called whalefortune I still get the access denied error — see below. Is it not generally possible any more to run docker as non-root? I am using Ubuntu 19.04, which is a later version than the examples, and there were mentions of a possible security breach running dockers as non-root. My idea was to run nvidia-docker as a normal user, would that be possible (or even a good idea)?

$ sudo docker run --rm hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:6540fc08ee6e6b7b63468dc3317e3303aae178cb8a45ed3123180328bcc1d20f
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub. (amd64)
 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
 https://hub.docker.com/
For more examples and ideas, visit:
 https://docs.docker.com/get-started/
$ docker run --rm dbkdoc/whalefortune
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

How to run docker on ubuntu without the sudo [duplicate]

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&t=getting-started&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied

Thanks @BMitch for having found that duplicate! But it seems the answer I proposed here was not mentioned at all in the duplicate thread. Would you have some advice about this? (e.g., to cross-post my answer there? or just do nothing 🙂

@ErikMD if your answer applies there, then I’d post it there. I don’t see an issue having a duplicate answer posted when only one of the questions is still open.

2 Answers

You should add the user to the docker group:

sudo usermod -aG docker $USER 

Afterwards, you may have to restart Ubuntu.

TL;DR: Unlike what many tutorials on the web propose (add your user account to the docker group, which is risky! see below), you could just add an alias in your .bashrc to avoid typing sudo, while having the «password prompt protection».

To be more precise: the Docker daemon socket is owned by root:docker :

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 janv. 28 14:23 /var/run/docker.sock

so with this default setup, you need to prepend all docker CLI commands by sudo.

To avoid this, you can either:

  1. Add $USER to the docker group (but that’s quite risky to do this on your personal workstation, as this would amount to providing your user account with root permissions without any sudo password prompt or auditing). See also this page in the official Docker documentation:
    https://docs.docker.com/engine/security/#docker-daemon-attack-surface
  2. Or, to prepend sudo automatically but avoid typing sudo docker manually, a good practice consists in adding the following alias in your ~/.bashrc file (see e.g. this thread for details):
__docker() {
    # Calls coming from a bash-completion script run docker directly (no sudo prompt).
    if [[ "${BASH_SOURCE[*]}" =~ "bash-completion" ]]; then
        docker "$@"
    else
        sudo docker "$@"
    fi
}
alias docker=__docker

$ docker run --rm -it debian:10  # asks your password
$ \docker run --help  # does not ask your password thanks to '\'
