
How to Run Docker as a non-root User

There are times when you would like to run Docker containers as a non-root user without using sudo.

This could be for a variety of reasons including giving standard users permission to run Docker containers without any other permissions, or just for enhanced security practices.

If you attempt to run Docker as a normal user without permissions you will see a clearly identifiable error.

[[email protected] demo]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.26/containers/json: dial unix /var/run/docker.sock: connect: permission denied

We can tell from the error that Docker is running but our user has no permission to talk to its socket. The first step is to add the user to the docker group.

[[email protected] ~]$ sudo usermod -aG docker demo
[[email protected] ~]$ id demo
uid=1001(demo) gid=1003(demo) groups=1003(demo),1002(docker)

Now, once the demo user has logged out and back in so the new group membership takes effect, running Docker as that user should succeed.

[[email protected] ~]$ id
uid=1001(demo) gid=1003(demo) groups=1003(demo),1002(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] ~]$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

We have successfully given the demo user permission to use Docker. Keep in mind that membership in the docker group is effectively root-equivalent on the host, because the daemon itself runs as root, so grant it only to users you would trust with sudo. If your host system uses SELinux, please continue reading for one further issue.

One final thing to note is that with SELinux, accessing volumes may prove troublesome. This is shown in the example below.

[[email protected] ~]$ mkdir demo
[[email protected] ~]$ touch demo/test.txt
[[email protected] ~]$ docker run -it --rm -v /home/demo/demo:/demo alpine
/ # ls demo/
ls: can't open 'demo/': Permission denied
/ # exit
[[email protected] ~]$ ls -Z demo/
-rw-rw-r--. demo demo unconfined_u:object_r:user_home_t:s0 test.txt

This can be fixed in two ways. The first, and easiest, is to append the :z modifier to the volume mount so that Docker changes the SELinux label for you. Use this with caution, because the relabeling is performed on the host and applies to everything under the mounted directory.

Also keep in mind that once Docker has relabeled the directory, the change generally persists, so you won't need to specify :z again in the future.

[[email protected] ~]$ mkdir demo
[[email protected] ~]$ touch demo/test.txt
[[email protected] ~]$ docker run -it --rm -v /home/demo/demo:/demo:z alpine
/ # ls demo/
test.txt
/ # exit
[[email protected] ~]$ ls -lZ demo
-rw-rw-r--. demo demo system_u:object_r:container_file_t:s0 test.txt

The second way is to apply the SELinux label manually with chcon before running Docker, and then omit the :z modifier. On current distributions svirt_sandbox_file_t is an alias of container_file_t, which is why the listing afterwards shows container_file_t.

[[email protected] ~]$ chcon -Rt svirt_sandbox_file_t demo
[[email protected] ~]$ docker run -it --rm -v /home/demo/demo:/demo alpine
/ # ls demo/
test.txt
/ # exit
[[email protected] ~]$ ls -lZ demo
-rw-rw-r--. demo demo unconfined_u:object_r:container_file_t:s0 test.txt
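The two checks above (is the user in the docker group, and does the host directory carry a label containers can read) can be scripted as a pre-flight step. This is an added example, not part of the original post; it assumes a coreutils ls that prints the context in the first column of ls -dZ, and treats container_file_t and its alias svirt_sandbox_file_t as the only container-readable types.

```shell
#!/bin/sh
# Pre-flight check before bind-mounting a host directory into a container.
# Added example (not from the original post). The parsing functions take
# their input as arguments so they can be exercised without Docker or SELinux.

# Extract the type field from a full label:
# "unconfined_u:object_r:user_home_t:s0" -> "user_home_t"
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (0) when files carrying this label are readable by container processes.
label_is_container_accessible() {
    case "$(selinux_type "$1")" in
        container_file_t|svirt_sandbox_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the -v argument, appending ":z" only when the host label would deny access.
volume_arg() {
    host_dir=$1; ctr_dir=$2; label=$3
    if label_is_container_accessible "$label"; then
        printf '%s:%s\n' "$host_dir" "$ctr_dir"
    else
        printf '%s:%s:z\n' "$host_dir" "$ctr_dir"
    fi
}

# True (0) when "docker" appears in a space-separated group list (as from `id -nG`).
in_docker_group() {
    for g in $1; do
        [ "$g" = docker ] && return 0
    done
    return 1
}

# Live check against the current host; only runs when a directory is passed in.
preflight() {
    dir=$1
    in_docker_group "$(id -nG)" || { echo "$(id -un) is not in the docker group"; return 1; }
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        label=$(ls -dZ "$dir" | awk '{print $1}')
        echo "run with: docker run -v $(volume_arg "$dir" /demo "$label") ..."
    else
        echo "SELinux not active; -v $dir:/demo is sufficient"
    fi
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

Running it as ./preflight.sh /home/demo/demo on the host from the post would report the missing group membership first, and otherwise print the -v argument with :z only while the directory is still labelled user_home_t.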

That should cover all your needs to run Docker as a non-root user. Once again, please be careful using chcon on important system folders.