Running Docker commands with sudo ensures that the Docker command is executed with the security rights of root (by using sudo) or by a user who is a member of the docker group.
However, we get an error message when we try running Docker commands without the sudo:
$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied. See 'docker run --help'.
In this quick tutorial, we’ll learn how to run Docker commands without sudo.
2. Linux sudo Command
In Linux, we can run a command as a superuser by prefixing the command with sudo. sudo stands for “Super User Do.”
By prefixing any command with sudo, the system executes the command with administrative rights. Users that want to use the sudo command need to have an entry in the /etc/sudoers file found in the system directory.
3. Linux Groups and Users
Linux enables several users to log in simultaneously and operate the system without interference. A user’s default group is its primary group, as specified in the Linux system’s /etc/passwd file.
Docker is a free and open platform for building, delivering, and operating apps. Docker allows us to bundle and run an application in a container, which is a loosely isolated environment. Continuous Integration and Delivery (CI/CD) procedures benefit greatly from containers.
To get information about a user sally, we can use the id command:
$ id sally
uid=1000(sally) gid=1001(example_group) groups=1001(example_group),27(sudo)
After creating users in primary groups, we can associate these users with secondary groups. Linux systems store their groups in the /etc/group file.
To find the group(s) sally belongs to, we can run:
$ groups sally
user: group sudo
We can add varying levels of permissions to a group, and all members of the same group share the group’s permissions.
3.1. Adding Users to Linux Groups
Let’s add our user sally to a secondary group called myuser:
$ sudo usermod -aG myuser sally
In the same vein, to run Docker commands without the prefix sudo, we’d create a Unix group called docker and then add our user sally to the docker group:
$ sudo groupadd docker
$ sudo usermod -aG docker sally
$ su - sally
To make these changes effective, we’ll log out and log back in. This action will allow the system to re-evaluate our group membership.
When testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect. We try our permission by running Docker commands:
$ docker run hello-world
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Status: Downloaded newer image for hello-world:latest
We can now run Docker commands without sudo.
In conclusion, we can execute Docker commands with full administrative privileges and security. The Docker daemon binds to a Unix socket, and the root user owns this Unix socket. Other users need to prefix their docker commands with sudo to access the Docker daemon.
By adding our Linux username to the Unix group docker, we can bypass this. When the Docker daemon starts, it creates a Unix socket accessible by the members of the docker group.
Running Docker commands with the sudo command is a sound security restriction. However, users added to the Unix group docker can run Docker commands as root users while maintaining their usernames.
Adding users to groups is also helpful in granting access to other users of our Linux machine, as groups help allow multiple independent users’ accounts to collaborate and share files.