Docker Unix / TCP socket (with unix:///var/run/docker.sock): Permission Denied

I get a Permission Denied error when trying to set up Docker in PyCharm Professional edition. I'm on Debian Jessie (BunsenLabs).


It happens with both the default settings (using Unix socket) and with the TCP socket, Engine API URL = unix:///var/run/docker.sock (does it make sense?)

If we look at the permission on the socket:

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul  5 11:18 /var/run/docker.sock

 

We see that it's owned by root and the docker group.

So I tried to add my user to the docker group, and restarted the Docker service, but it still does not work.

 

The only way to allow PyCharm to use the socket is to run it with root permissions, i.e. sudo pycharm, but I would like to avoid this.

11 comments

Solution: I simply needed to reboot after adding myself to the docker group. To make sure it's taken into account, try to run the command 'groups'. If it shows "docker" in the output, you should be good to go. If not, try to reboot and check again.

 

Another solution was suggested here: https://stackoverflow.com/questions/51191094/pycharm-docker-unix-tcp-socket-with-unix-var-run-docker-sock-permission/51194496#51194496

1

In fact, you don't need to reboot. Simply log out and log in again. Explanation here: https://stackoverflow.com/questions/7537197/add-user-to-group-but-not-reflected-when-run-id#7537275

0

I assume your username is already in the docker group. To check this, issue the command below.

id -nG

If not, you need to add your user to the docker group with the commands below.

sudo groupadd docker
sudo usermod -aG docker $USER

When you execute the command `sudo systemctl start docker`, it creates a docker process. That docker process contains the `dockerd` daemon thread. The command also creates the default `docker.sock` Unix socket. The `docker.sock` socket is continuously listened on by the `dockerd` daemon thread. This lets you do kernel-level IPC with the `docker.pid` process. To be able to use this docker socket, you need to have the proper permissions at the process level (`docker.pid`) and the file level (`docker.sock`). So, executing the two commands below should solve your issue.

sudo chmod a+rwx /var/run/docker.sock
sudo chmod a+rwx /var/run/docker.pid

As you see, it doesn't show any error in PyCharm.



5

This is a quite dangerous suggestion
sudo chmod a+rwx /var/run/docker.sock
This will give excessive rights to everyone, ultimately giving every user administrator privileges, as root in docker is the machine root.

1

DO NOT DO WHAT infouniversities suggests!

This is ridiculously insecure.

1

Well, infouniversities' solution worked for me. Better insecure than not working at all. Is there any other way?

-1

Please, at least check how this command works. No need at all for a+rwx. This is doing way more than making it work. I'd rather use the command line with sudo to manipulate docker, but if that is too much work, or annoying, fine-tune without a free-for-all command like that.

2

chmod a+rwx /var/run/docker.sock is not needed and makes the docker socket available to any user on the system. That means everyone on the system has root access without a password. IMHO the docker group is not secure either (even if it's kind of official), as it also gives root access without a password, but just for the members of that group.

When you can access the docker socket, you can do whatever you want on your system:

docker run -ti --privileged -v /:/mnt debian bash

0

Thanks, but it does not answer my (nor OP's) question. If I knew how to "fine tune without a free-for-all command like that" I wouldn't have spent hours googling how to make docker work so I can use (a really good) IDE support.

0

I am not quite sure what you are looking for here. There are several solutions in this thread already.

Start by opening your console and just type: man chmod. You will be given the options.

a+rwx is terrible, this will fuck your computer in many ways, and probably invisible ways. Use the group solution if you must, it is just a single command: sudo usermod -aG docker ... The IDE will work the same and you will not lose any features.

Personally, I use the console to manipulate docker with sudo. A more complex solution is to run the IDE with a different user and give that user the group privilege.

I use this IDE as well, and I know it is frustrating, but you can use the features and be safe.

Pick any solution you want, except the free for all one: it will fuck your computer, if not now, eventually. It is a serious relaxing in your security and no one used to Linux would tell you to do that.. but it is your computer in the end..

Totally in accord with nOOdl3, use the group solution if you are looking for a simple solution, it is not perfect but better. There is a huge difference between a "a" and a "g" on chmod. Check the manpage.

0
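
Added example (not part of the original thread, and not JetBrains or Docker code): a shell check for the two points this thread turns on, whether the socket is writable by everyone (the result of `chmod a+rwx`) or only by its group, and whether the `docker` group is active in the current session or only recorded in the account database (the log-out/log-in case). Function names are illustrative, and `stat -c` assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example: audit access to the Docker socket (function names are illustrative).

# has_word WORD LIST...: succeed if WORD is one of the remaining arguments.
has_word() {
    w=$1; shift
    for g in "$@"; do
        [ "$g" = "$w" ] && return 0
    done
    return 1
}

# socket_exposure MODE: MODE is the octal mode from `stat -c %a` (e.g. 660).
# Connecting to a Unix socket on Linux needs the write bit (2), so report the
# widest class that holds it: world, group or owner.
socket_exposure() {
    mode=$1
    other=${mode#"${mode%?}"}      # last digit: permissions for everyone else
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last digit: group permissions
    if [ $((other & 2)) -ne 0 ]; then echo world
    elif [ $((group & 2)) -ne 0 ]; then echo group
    else echo owner
    fi
}

# membership_state SESSION_GROUPS DB_GROUPS
#   SESSION_GROUPS: output of `id -nG` (groups of the running session)
#   DB_GROUPS:      output of `id -nG "$USER"` (groups in the account database)
# "relogin" means usermod has been run but this session predates it.
membership_state() {
    if has_word docker $1; then echo active
    elif has_word docker $2; then echo relogin
    else echo absent
    fi
}

# Run both checks against the real system; prints a note if no socket exists.
audit_docker_socket() {
    sock=${1:-/var/run/docker.sock}
    [ -S "$sock" ] || { echo "no socket at $sock"; return 0; }
    echo "socket write access: $(socket_exposure "$(stat -c %a "$sock")")"
    echo "docker group: $(membership_state "$(id -nG)" "$(id -nG "$(id -un)")")"
}

audit_docker_socket "$@"
```

A result of `world` means the socket is in the state the `a+rwx` command leaves it in; restoring the `srw-rw----` mode shown in the original post brings it back to `group`.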

Thanks, I will try that.

0
