Cannot connect to the docker daemon at unix:///var/run/docker.sock. is the docker daemon running?

The above error is very common in docker, as there are many factors that can cause it. We will look at the practical cases and explain each with its solution.

First, the socket file is the main Unix/Linux socket used by dockerd, the daemon that provides a self-sufficient runtime environment for docker containers.

We generally come across this issue with the error "Docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock", because the particular user executing the docker CLI is not authorized.

There is a simple fix for this issue. As a best practice on a Linux server running the docker daemon, update the file /etc/sysconfig/docker with the relevant docker group as shown below:

# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false -G dockerroot'

We have added the new value -G dockerroot to OPTIONS= in /etc/sysconfig/docker.
-G is the flag that sets the Linux group for the daemon's socket, and dockerroot is the privileged docker Linux group for the docker daemon on CentOS/RHEL systems.
Now save the file and restart the docker daemon, since we have modified its configuration file.

[vamshi@node01 ~]$ sudo systemctl restart docker

We now need to ensure that the user running the docker command is part of the group dockerroot, using the usermod command as shown below.

[root@node01 ~]# sudo usermod -aG dockerroot vamshi

We now check the user's group information and verify that the user is part of the group dockerroot.

[root@node01 ~]# id vamshi
uid=1001(vamshi) gid=1001(vamshi) groups=1001(vamshi),10(wheel),994(dockerroot)

If you are logged in as that user, you need to log out and log back in for the Linux group change to apply. Once you log back in, you will be able to access docker with the user account.

This process works for CentOS systems, as we have modified the file /etc/sysconfig/docker. The same approach can be implemented on Debian/Ubuntu systems by modifying /etc/default/docker, which we will look at in another post.

Now let's look at the second approach to the problem, which is more a matter of getting your hands dirty.
You will now modify the socket file by hand, as shown in the following demonstration.

To be able to access the daemon, we have to have read permission on this socket.
The permissions on /var/run/docker.sock will be as follows:

[vamshi@node02 ~]$ ls -l /var/run/docker.sock
srw-rw----. 1 root root 0 Apr 07 14:02 /var/run/docker.sock

As I mentioned earlier, this is a socket file, which is indicated by the symbol s at the start of the file permission attributes in the above output.

To overcome this issue, we have to create a docker group on the docker server as follows:

[vamshi@node02 ~]$ sudo groupadd docker

We check the group entity with the following command:

[vamshi@node02 ~]$ sudo getent group docker
docker:x:1009:

Now apply the docker group ownership to /var/run/docker.sock:

[vamshi@node02 ~]$ sudo chgrp docker /var/run/docker.sock

And here are the socket file attributes with the updated group ownership:

[vamshi@node01 ~]$ ls -l /var/run/docker.sock 
srw-rw----. 1 root docker 0 Apr 07 14:09 /var/run/docker.sock

Now we have to add our user to the docker group to gain the rw permissions.
We do that with the following command:

# sudo usermod -aG docker vamshi

Now we confirm the group members as below:

[vamshi@node02 ~]$ sudo getent group docker
docker:x:1009:vamshi

Now we need to log out and log back in to this system, and we will be able to access the docker command with the user.
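Both approaches above come down to which permission class of the socket applies to the user and whether that class carries the write bit. The shell sketch below is an added example, not part of the original post: the function names are hypothetical, `stat -c` assumes GNU coreutils, and the sample inputs are constructed from the `ls -l` outputs shown earlier. It also lists the members of the socket's group, since anyone in that group can drive the daemon with root-equivalent effect on the host.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# in_list NEEDLE WORD...: succeeds if NEEDLE is one of the words.
in_list() {
    needle=$1; shift
    for word in "$@"; do [ "$word" = "$needle" ] && return 0; done
    return 1
}

# sock_access MODE OWNER GROUP USER "USER_GROUPS": prints allow or deny.
# Connecting to a Unix socket needs write permission, and only the first
# matching class (owner, then group, then other) is consulted.
sock_access() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    [ "$user" = root ] && { echo allow; return 0; }   # root bypasses mode bits
    perms=$(printf '%03o' "$((0$mode & 0777))")       # e.g. 660
    o=${perms%??}; rest=${perms#?}; g=${rest%?}; w=${perms#??}
    if [ "$user" = "$owner" ]; then bits=$o
    elif in_list "$group" $user_groups; then bits=$g
    else bits=$w
    fi
    if [ $((bits & 2)) -ne 0 ]; then echo allow; else echo deny; fi
}

# audit_docker_sock [PATH]: report on the live socket (GNU stat assumed).
audit_docker_sock() {
    sock=${1:-/var/run/docker.sock}
    [ -S "$sock" ] || { echo "$sock: not a socket (is dockerd running?)"; return 1; }
    set -- $(stat -c '%a %U %G' "$sock")
    me=$(id -un)
    echo "$sock mode=$1 owner=$2 group=$3"
    echo "members of $3: $(getent group "$3" | cut -d: -f4)"
    # `id -Gn` is this session's groups; `id -Gn USER` reads the group database.
    echo "$me now:            $(sock_access "$1" "$2" "$3" "$me" "$(id -Gn)")"
    echo "$me after re-login: $(sock_access "$1" "$2" "$3" "$me" "$(id -Gn "$me")")"
}

# Constructed inputs matching the two `ls -l` outputs above:
sock_access 660 root root   vamshi "vamshi wheel"         # deny
sock_access 660 root docker vamshi "vamshi wheel docker"  # allow
```

Run `audit_docker_sock` on the docker server; when "now" says deny and "after re-login" says allow, the group change is in place and only the new login is missing.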

Another issue you might face while using the docker CLI arises when you access the docker server over a network, where the connection to the docker server is established over TCP.

The docker server is also capable of handling requests over the network, provided it is exposed on a TCP port.
In most docker client-server architectures, the docker server listens on a TCP port over the network. This is the second scenario: you have to access the docker server over the TCP socket, and you have to set DOCKER_HOST to the docker server's details over TCP.

You can try to connect to the docker server as follows:

[user@docker-client ~]$ docker -H tcp://<Your-Docker-Server-IP>:<Port> version

Below is a practical command example:

[vamshi@jenkins-slave01 ~]$ docker -H tcp://10.100.0.10:4243 version

This scenario is most common with build agents such as a Jenkins slave, and with containers that run post-build steps and perform deployments. It is especially common in Jenkins build environments.
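For the DOCKER_HOST setting mentioned above, the sketch below prepares the client environment for a TLS-verified connection, since a daemon port reached over plain TCP accepts commands from anyone who can connect to it. It is an added example, not part of the original post: the function name is hypothetical, it assumes the server has been set up for TLS (which the post does not cover), `stat -c` assumes GNU coreutils, and refusing a group- or other-readable key is this example's own policy. `ca.pem`, `cert.pem` and `key.pem` are the file names the docker CLI looks for in DOCKER_CERT_PATH.

```shell
#!/bin/sh
# Added example, not from the original post. The function name is hypothetical.

# docker_tls_env HOST:PORT CERT_DIR
# Prints the exports for a TLS-verified client connection, or fails with a
# reason on stderr if the certificate material is incomplete or too exposed.
docker_tls_env() {
    endpoint=$1 certdir=$2
    for f in ca.pem cert.pem key.pem; do
        [ -r "$certdir/$f" ] || { echo "missing $certdir/$f" >&2; return 1; }
    done
    # Policy of this example: the client key is readable by its owner only.
    keymode=$(stat -c '%a' "$certdir/key.pem")
    if [ $((0$keymode & 077)) -ne 0 ]; then
        echo "$certdir/key.pem has mode $keymode, expected 600 or stricter" >&2
        return 1
    fi
    echo "export DOCKER_HOST=tcp://$endpoint"
    echo "export DOCKER_TLS_VERIFY=1"
    echo "export DOCKER_CERT_PATH=$certdir"
}

# Usage on a build agent (address taken from the post, certificate
# directory is an assumption):
#   eval "$(docker_tls_env 10.100.0.10:4243 "$HOME/.docker")" && docker version
```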

The third most probable cause is that the docker server itself is not running, if you have a local-only setup. You can confirm this with the simple troubleshooting steps below. Check the process list and grep for the docker process:

ps -ef | grep docker

Ensure that the docker service is started:

sudo systemctl status docker

And ensure that it is enabled on startup:

sudo systemctl enable docker

Please refer to our other DevOps documents, and do share your best practices in the comments.