
Views: 16,809     Votes:  4 
Tags: 18.04   permissions   docker  

URL: https://askubuntu.com/q/1174045
Title: Allow non-root user to use some Docker commands
ID: /2019/09/13/Allow-non-root-user-to-use-some-Docker-commands
Created: September 13, 2019    Edited:  June 12, 2020
Upload: April 8, 2024


From the excellent answer found here:

Good news: the new docker (version 19.03 (currently experimental)) will be able to run rootless negating the problems that can occur using a root user. No more messing with elevated permissions, root and anything that might open up your machine when you did not want to.

Video about this from [DockerCon 2019] Hardening Docker daemon with Rootless mode

A few caveats to the rootless Docker mode

Docker engineers say the rootless mode cannot be considered a replacement for the complete suite of Docker engine features. Some limitations of the rootless mode include:


As of docker 19.3 this is obsolete (and more dangerous than need be):

The docker manual has this to say about it:

Giving non-root access

The docker daemon always runs as the root user, and since Docker version 0.5.2, the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root, and so, by default, you can access it with sudo.

Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The docker daemon must always run as the root user, but if you run the docker client as a user in the docker group then you don’t need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.

Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details and this blogpost on Why we don’t let non-root users run Docker in CentOS, Fedora, or RHEL (thanks michael-n).

In the recent release of the experimental rootless mode on GitHub, engineers mention rootless mode allows running dockerd as an unprivileged user, using user_namespaces(7), mount_namespaces(7), network_namespaces(7).

Users need to run dockerd-rootless.sh instead of dockerd.

    $ dockerd-rootless.sh --experimental

As Rootless mode is experimental, users need to always run dockerd-rootless.sh with --experimental.


Important to read: post-installation steps for Linux (it also links to Docker Daemon Attack Surface details).

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.

If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.

    sudo groupadd docker
    sudo gpasswd -a $USER docker

Then run

    docker run hello-world

to check if you can run docker without sudo.
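The warning above says that membership of the docker group (or whatever group owns the daemon socket) is root-equivalent, so an administrator wants to know exactly who that is. The following script is an added example, not code from the Ask Ubuntu answer or from Docker: it reads the socket's permission bits and owning group, parses /etc/group, and lists the users whose group membership alone lets them talk to the daemon without sudo. It also flags a world-writable socket, which would hand that access to every local user. The socket and group file paths are the Linux defaults but are assumptions here, and the embedded /etc/group content is constructed so the logic can be exercised on a machine with no Docker installed.

```python
"""Audit of who can reach the Docker daemon socket without sudo.

Added example, not code from the Ask Ubuntu answer or from Docker. It reads
the socket's mode and owning group and lists the users whose membership in
that group (normally "docker") gives them read/write access to the daemon,
which the Docker docs call root-equivalent. Paths and sample data are
assumptions for illustration.
"""
import os
import stat

# Constructed /etc/group content for offline use; not taken from a real host.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
users:x:100:
"""


def parse_group_file(text):
    """Parse /etc/group-style text into {group_name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def group_for_gid(gid, groups):
    """Return the name of the group with this gid, or None if not in the file."""
    for name, (group_gid, _members) in groups.items():
        if group_gid == gid:
            return name
    return None


def socket_group_accessors(mode, socket_gid, groups):
    """Users whose group membership alone grants read+write on the socket.

    `mode` is the permission bits (e.g. 0o660) and `socket_gid` the gid that
    owns the socket. Root and sudo users are not listed: they already have
    access regardless of this group.
    """
    if not (mode & stat.S_IRGRP and mode & stat.S_IWGRP):
        return []
    name = group_for_gid(socket_gid, groups)
    if name is None:
        return []
    return sorted(groups[name][1])


def world_writable(mode):
    """True if any local user could write to the socket (a misconfiguration)."""
    return bool(mode & stat.S_IWOTH)


def audit_socket(path="/var/run/docker.sock", group_path="/etc/group"):
    """Inspect a live socket; returns None if it is absent or not a socket."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISSOCK(st.st_mode):
        return None
    with open(group_path, encoding="utf-8") as fh:
        groups = parse_group_file(fh.read())
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": oct(mode),
        "group": group_for_gid(st.st_gid, groups),
        "root_equivalent_users": socket_group_accessors(mode, st.st_gid, groups),
        "world_writable": world_writable(mode),
    }


if __name__ == "__main__":
    report = audit_socket()
    if report is None:
        # No daemon socket on this host: show the logic on the constructed sample.
        groups = parse_group_file(SAMPLE_GROUP_FILE)
        report = {
            "mode": oct(0o660),
            "group": group_for_gid(999, groups),
            "root_equivalent_users": socket_group_accessors(0o660, 999, groups),
            "world_writable": world_writable(0o660),
        }
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as root (or any user that can stat the socket) on the host; every name under root_equivalent_users should be someone you would also be willing to give sudo, since the daemon can mount the host filesystem into a container on their behalf. A non-empty list plus world_writable being true means the -G group or the socket mode has been changed from the defaults and should be looked at.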
