我在Ubuntu机器上安装了Docker。
当我运行时,
sudo docker run hello-world
一切正常,但是我想删除 sudo 命令以使命令短。
如果我在没有 sudo 的情况下编写命令,
docker run hello-world
则显示以下内容:
docker:在尝试连接到docker守护程序插座的同时,获得了许可: /create:dialix/var/run/docker.sock:连接:拒绝许可。请参阅“ Docker Run - -Help'。
当我尝试运行时也会发生同样的事情:
docker-compose up
如何解决这个问题?
I installed Docker on my Ubuntu machine.
When I run
sudo docker run hello-world
all is ok, but I want to remove the sudo command to make the command shorter.
If I write the command without sudo
docker run hello-world
it displays the following:
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.35/containers/create: dial unix /var/run/docker.sock: connect: permission denied. See 'docker run --help'.
The same happens when I try to run:
docker-compose up
How can I resolve this?
发布评论
评论(29)
重新启动机器对我有用。
Rebooting the machine worked for me.
我也遇到了一个类似的问题,但是我想创建的容器需要将/var/run/docker.sock挂载为音量(Portainer代理),而在不同的名称空间下运行它们时。通常,一个容器不在乎其启动的命名空间 - 这是重点 - 但是由于访问是由不同的名称空间进行的,因此必须规避这一点。
将
- userns = host添加到容器的运行命令中,使其能够使用正确的权限。相当特定的用例,但是经过比我想承认更多的研究时间后,我只是认为如果其他人最终在这种情况下,我应该与世界分享:)
I ran into a similar problem as well, but where the container I wanted to create needed to mount /var/run/docker.sock as a volume (Portainer Agent), while running it all under a different namespace. Normally a container does not care about which namespace it is started in -- that is sort of the point -- but since access was made from a different namespace, this had to be circumvented.
Adding
--userns=hostto the run command for the container enabled it to use the attain the correct permissions.Quite a specific use case, but after more research hours than I want to admit I just thought I should share it with the world if someone else ends up in this situation :)
我尝试以
sudo赞扬这一点,这是可以的。i try this commend with
sudocommend and it was ok.sudo docker pull hello-worldorsudo docker run hello-worldDocker守护程序绑定到UNIX插座而不是TCP端口。
默认情况下,Unix套接字由用户 root 拥有,而其他用户只能使用 sudo 访问它。 Docker守护程序总是以根用户的身份运行。
如果您不想使用sudo将Docker命令序列,请创建一个名为Docker的UNIX组并将用户添加到其中。当Docker守护程序开始时,它会创建由Docker组成员访问的UNIX套接字。
要创建Docker组并添加您的用户:
创建Docker Group
将您的用户添加到Docker Group
在
登录并重新登录,以便对您的组成员资格进行重新评估。
如果在虚拟机上进行测试,则可能有必要重新启动虚拟机以进行更改以生效。
在桌面Linux环境(例如X Windows)上,完全登录会话,然后登录。
在Linux上,您还可以运行以下命令来激活组的更改:
验证您可以在没有Docker命令的情况下运行Docker命令Sudo。下面的命令下载测试图像并将其运行在容器中。集装箱运行时,它会打印信息消息并退出
如果您最初使用Sudo运行Docker CLI命令,然后将用户添加到Docker组之前,您可能会看到以下错误,这表明您的〜/.docker/.docker/< /strong>目录是由于sudo命令而具有错误的权限创建的。
要解决此问题,要么删除〜/.docker/目录(它是自动重新创建的,但是丢失了任何自定义设置),要么使用以下命令更改其所有权和权限:
所有其他帖子安装可以在此处找到Linux上Docker的步骤 https://docs.docker.com/engine/install/linux-postinstall/
The Docker daemon binds to a Unix socket instead of a TCP port.
By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
To create the docker group and add your user:
Create the docker group
Add your user to the docker group
Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
Verify that you can run docker commands without sudo. The below command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits
If you initially ran Docker CLI commands using sudo before adding your user to the docker group, you may see the following error, which indicates that your ~/.docker/ directory was created with incorrect permissions due to the sudo commands.
To fix this problem, either remove the ~/.docker/ directory (it is recreated automatically, but any custom settings are lost), or change its ownership and permissions using the following commands:
All other post installation steps for docker on linux can be found here https://docs.docker.com/engine/install/linux-postinstall/
在Linux环境中,安装
Docker和docker-compose需要重新启动才能更避免启动以避免此问题In the Linux environment, after installing
dockeranddocker-composereboot is required for work docker better to avoid this issue问题绝对不是这个问题,但是由于这是搜索错误消息时的第一个搜索结果,所以我将其留在这里。
首先,检查docker服务是否使用以下命令运行:
Sytemctl status docker.service如果它不运行,请尝试启动:
sudo systemctl start docker.service...并再次检查状态:
SystemCtl状态Docker.service如果尚未启动,请调查原因。可能,您已经修改了配置文件并犯了一个错误(就像我在修改
/etc/docker/daemon.json.json时所做的那样)It is definitely not the case the question was about, but as it is the first search result while googling the error message, I'll leave it here.
First of all, check if docker service is running using the following command:
systemctl status docker.serviceIf it is not running, try starting it:
sudo systemctl start docker.service... and check the status again:
systemctl status docker.serviceIf it has not started, investigate the reason. Probably, you have modified a config file and made an error (like I did while modifying
/etc/docker/daemon.json)我尝试了所有描述的方法,没有任何帮助解决问题。解决方案是在运行硒和硒素-UI时使用 - 使用驱动器参数。以下是我的Dockerfile的完整列表。
I tried all the described methods and nothing helped to solve the problem. The solution was to use the --use-drivers parameter when running selenoid and selenoid-ui. Below is the full listing of my Dockerfile.
就我而言,正是进程本身(CI服务器代理)试图运行Docker命令无法运行它,但是当我尝试从同一用户中运行同一命令时工作。
重新启动运行CI服务器代理的守护程序解决了问题。
命令以前没有在代理中没有工作的原因是因为代理在我安装Docker并授予Docker Group Permissions之前正在运行,并且代理进程使用了缓存的旧许可并且失败了。重新启动该过程删除了缓存并使事情奏效。
In my case it was the process itself (CI server agent) that was trying to run a docker command wasn't able to run it, but when I tried to run same command from within the same user it worked.
Restarting the daemon that runs CI server agent solved the problem.
The reason why command wasn't working from within agent before is because the agent was running before I installed docker and granted docker group permissions, and agent process used cached old permissions and was failing. Restarting the process dropped the cache and make things work out.
Docker已经创建了一个指南运行Docker守护程序作为非root用户(无根模式)< /a>。
Docker already created a guide to Run the Docker daemon as a non-root user (Rootless mode).
对于Mac用户:
for mac users :
最直接的解决方案是键入
sudo chmod 640/var/run/docker.sock每次启动计算机时。但是,此方法击败了任何可能已有的系统安全性,并向所有人打开了Docker插座。如果您可以接受-eg:机器的唯一用户 - 请使用它。
但是,每次启动计算机时都需要它,您可以通过添加
到
/etc/init/docker-chmod.conffile file/etc/init/docker-chmod.conf文件来使其通过启动进行运行。The most straightforward solution is to type
sudo chmod 640 /var/run/docker.sockevery time you boot your machine. However, this method defeats any system security that may be in place and opens up the Docker socket to everybody. If this is acceptable to you -e.g.: the only user of your machine- then use it.
Nevertheless, it will be required every time you boot your machine, you can make it run with booting by adding
to the
/etc/init/docker-chmod.conffile.安装Docker后,创建“ Docker”组并添加了用户,编辑Docker Service单元文件:
将两行添加到[服务]部分:
保存文件( ctrl - x x < /kbd>, y , enter )
运行并启用Docker服务:
After you installed docker, created 'docker' group and added user to it, edit docker service unit file:
Add two lines into the section [Service]:
Save the file (Ctrl-X, y, Enter)
Run and enable the Docker service:
在CentOS上安装Docker之后。在命令下运行时,我的错误下方是错误的。
更改docker.socket的权限。socket
验证使用以下Docker命令
After Docker Installation on Centos. While running below command I got below error.
Change Group and Permission for docker.socket
Verify by using below docker command
一个简单的黑客是执行“超级用户” 。
要访问超级用户或root用户,请以下内容:
at user@computer :
输入密码后,您将处于 root@Computer :
A simple hack is to execute as a "Super User".
To access the super user or root user, follow:
At user@computer:
After you enter your password, you'll be at root@computer:
如果您想以非root用户的身份运行Docker,则需要将您的用户添加到
Docker组中。docker组(如果不存在):dockergroup:dockergroup(避免使用登录并再次登录;
如果 href =“ https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-a-non-root-user- “:
⚠️警告
If you want to run Docker as a non-root user, then you need to add your user to the
dockergroup.dockergroup if it does not exist:dockergroup:dockergroup (to avoid having to log out and log in again; but if not enough, try to reboot):Reboot if you still get an error:
From the official Docker documentation "Manage Docker as a non-root user":
⚠️ Warning
升级后,我获得了拒绝的许可。
执行'mkb'邮政安装步骤没有任何更改,因为我的用户已经在'docker'组中;我重试了两次,但没有成功。
搜索时间后,以下解决方案最终工作:
解决方案来自 olshansk 。
看起来升级未经足够的“ Docker”组重新创建了插座。
问题
这个硬性 chmod 打开安全孔,每个重新启动后,此错误一次又一次地开始,您必须每次重新执行上述命令。我想要一劳永逸的解决方案。为此,您有两个问题:
1)
systemd:仅使用所有者'root'和group创建套接字'root'。您可以使用此命令检查第一个问题:
在
如果一切都很好,您应该看到'
root/docker'不是'root/root/root'。2) 图形登录 的问题: linux-account-lyly-belongs-to-One Group
您可以使用此命令检查第二个问题:
如果一切都正确,则应在列表中看到 docker 组。
如果不尝试命令
如果您看到 docker 组是因为错误。
解决方案
如果您设法获得图形登录的解决方法,这应该可以完成工作:
但是,如果您无法管理此错误,那么一个不好的解决方案可能就是这样:
这项工作是因为您处于图形环境中,并且可能计算机上唯一的用户。
在两种情况下
After an upgrade I got the permission denied.
Doing the steps of 'mkb' post install steps don't have change anything because my user was already in the 'docker' group; I retry-it twice any way without success.
After an search hour this following solution finaly worked :
Solution came from Olshansk.
Look like the upgrade have recreate the socket without enough permission for the 'docker' group.
Problems
This hard chmod open security hole and after each reboot, this error start again and again and you have to re-execute the above command each time. I want a solution once and for all. For that you have two problems :
1 ) Problem with
SystemD: The socket will be create only with owner 'root' and group 'root'.You can check this first problem with this command :
If every this is good, you should see '
root/docker' not 'root/root'.2 ) Problem with graphical Login : https://superuser.com/questions/1348196/why-my-linux-account-only-belongs-to-one-group
You can check this second problem with this command :
If everything is correct you should see the docker group in the list.
If not try the command
if you see then the docker group it is because of the bug.
Solutions
If you manage to to get a workaround for the graphical login, this should do the job :
But If you can't manage this bug, a not so bad solution could be this :
This work because you are in a graphical environnement and probably the only user on your computer.
In both case you need a reboot (or
sudo chmod 666 /var/run/docker.sock)Docker组到Docker守护程序
/var/run/docker.sockdockergroupto the docker daemon
/var/run/docker.sock如果创建Docker组并将您的用户添加到它不起作用(以前答案中描述的最佳解决方案),那么这是第二个最佳选择:
它的作用是更改
Docker的所有权。袜子向您的用户文件。注意:使用
chmod 666,这是一种非常不好的做法,因为它实际上允许所有人访问和修改docker.sock.sockfile。。If creating a docker group and adding your user to it doesn't work (the best solution, described in the previous answers), then this one is the second best alternative:
What it does is changing the ownership of the
docker.sockfile to your user.Note: It's a really bad practice to use
chmod 666, because it gives permissions to practically everyone to access and modify thedocker.sockfile.我们总是忘记
acls。请参阅setfacl。We always forget about
ACLs. Seesetfacl.FIX DOCKER问题:(许可拒绝)
sudo groupAdd dockergrep -po -po'^sudo。+: \ k。*$'/etc/groupexport user = demousersudo usermod -ag docker $ usernewgrp dockerdocker run hello hello -world重新启动如果它不起作用,请运行此命令:
sudo chmod 660 /var/run/docker.sockFix Docker Issue: (Permission denied)
sudo groupadd dockergrep -Po '^sudo.+:\K.*$' /etc/groupexport USER=demoUsersudo usermod -aG docker $USERnewgrp dockerdocker run hello-worldrebootIf it does not work, run this command:
sudo chmod 660 /var/run/docker.sock您可以随时尝试
在段落noreferrer“> https://docs.docker.com/install/linux/linux/linux-postinstall/ docs。在执行此操作之后,如果问题持续存在,您可以运行以下命令来解决它:
You can always try
Manage Docker as a non-root userparagraph in the https://docs.docker.com/install/linux/linux-postinstall/ docs.After doing this also if the problem persists then you can run the following command to solve it:
为了解决该问题,我搜索了我的Docker和Docker-Compose已安装在哪里。就我而言,
docker是在/usr/bin/docker和docker-compose中安装的bin/docker-compose 路径。然后,我将其写在我的终端:docker:
to
docker-compose:现在我不需要在命令中写入docker docker dord
sudo/**** ****************************************************** ****************/
errata:
@mkasberg评论了此问题的最佳解决方案。我引用评论:
可能有效的是,您可能会遇到问题。另外,这是一个安全漏洞。正如Docs所说,只要将自己加入Docker Group,您会更好。 sudo groupadd docker,sudo usermod -ag docker $ user。文档:https://docs.docks.docks.docker.com/安装/linux/linux-postinstall/To fix that issue, I searched where is my docker and docker-compose installed. In my case,
dockerwas installed in/usr/bin/dockeranddocker-composewas installed in/usr/local/bin/docker-composepath. Then, I write this in my terminal:To docker:
To
docker-compose:Now I don't need write in my commands docker the word
sudo/***********************************************************************/
ERRATA:
The best solution of this issue was commented by @mkasberg. I quote comment:
That might work, you might run into issues down the road. Also, it's a security vulnerability. You'd be better off just adding yourself to the docker group, as the docs say. sudo groupadd docker, sudo usermod -aG docker $USER.Docs:https://docs.docker.com/install/linux/linux-postinstall/Ubuntu 21.04 SystemD套接字所有权
让我序言,这是我在本地开发过程中的一个完全合适的解决方案,我在这里搜索
ubuntu docker许可错误,所以我将其留在这里。我没有Unix插座,所以我对其进行了讨论。
对于开发环境的另一个更永久的解决方案是修改UNIX插座创建的用户所有权。这将为您的用户提供所有权,因此它将在重新启动之间粘贴:
Docker.Socket:
ubuntu 21.04 systemd socket ownership
Let me preface, this was a perfectly suitable solution for me during local development and I got here searching for
ubuntu docker permission errorso i'll just leave this here.I didn't own the unix socket, so I chowned it.
Another, more permanent solution for your dev environment, is to modify the user ownership of the unix socket creation. This will give your user the ownership, so it'll stick between restarts:
docker.socket:
认真的家伙。请勿在您的组中添加Docker或修改Socket Posix(无硬化的Selinux),这是制作root Privesc的简单方法。只需在您的
.bashrc中添加一个别名。它更简单,更安全为:别名dc ='sudo docker'。Seriously guys. Do not add Docker in your groups or modify the socket posix (without a hardening SELinux), it's a simple way to make a root privesc. Just add an alias in your
.bashrc. It's simpler and safer as:alias dc='sudo docker'.您只需要此文件的支票权限/var/run/docker.sock
应该是666
chmod 666/var/run/docker.sock
You just need the check permissions for this file /var/run/docker.sock
it should be 666
chmod 666 /var/run/docker.sock
对我来说,这项工作是:
进入容器中并修改文件的ACL,
这比使用CHMOD是更好的解决方案。
This work for me:
Get inside the container and modify the file's ACL
It's a better solution than use chmod.
Lightdm和Kwallet船的弹药似乎没有通过登录而通过补充群体。为了解决这个问题,我还在
sudo usermod -ag docker $ userdocker ,发表
在重新启动<之前,我必须在
/etc/pam.d/lightdm.d/lightdm中 评论。 /strong>,让Docker-Group实际产生效果。错误: https://bugs.launchpad.net/lightdm/lightdm/lightdm/+blightdm/++bug/+bug/178141418 在这里: https://bugzilla.redhat.com/show_bug.cgi.cgi.cgi.cgi?id=158149555814955
lightdm and kwallet ship with a bug that seems to not pass the supplementary groups at login. To solve this, I also, beside
sudo usermod -aG docker $USER, had to comment outto
in
/etc/pam.d/lightdmbefore rebooting, for the docker-group to actually have effect.bug: https://bugs.launchpad.net/lightdm/+bug/1781418 and here: https://bugzilla.redhat.com/show_bug.cgi?id=1581495
您可以按照以下步骤操作,这将适用于您:
sudo groupAdd dockersudo usermod -ag docker $ usersudo chown root:docker/var/run/docker.socksudo chown“ $ user”“ $ user”:“ $ user”/home/home/“ $ user” $ user “ /.docker -rsudo chmod g+rwx“ $ home/.docker” -r在该测试之后您可以运行
Docker PS -Ayou can follow these steps and this will work for you:
sudo groupadd dockersudo usermod -aG docker $USERgroupsnewgrp dockersudo chown root:docker /var/run/docker.socksudo chown "$USER":"$USER" /home/"$USER"/.docker -Rsudo chmod g+rwx "$HOME/.docker" -RAfter that test you can run
docker ps -a