causify-ai
Fix Docker "Permission Denied" Error When Connecting to Docker Daemon Socket
Error:
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
Affected Workflow: Running Docker commands (e.g., docker run, docker compose) as a non-root user.
Root Cause: Docker requires root-equivalent privileges. By default, only the root user or members of the docker group have access to the Docker socket (/var/run/docker.sock). New users are not automatically added to the docker group.
FYI @gpsaggese , @sonniki and @samarth9008
When do you encounter this error? Please report the full stacktrace including the command you ran when you got the error. Is this related to #388 ?
Yes, issue is related to #388 ("Sudo password requested running invoke on Linux locally"), but is distinct.
My Issue's Root Cause: Missing Docker group permissions + Sudo prompt in container (Two separate issues) #388's Root Cause: Sudo prompt in container (Focuses only on the sudo prompt)
Steps to Reproduce #419
Set up the development environment on a Linux system.
Run the following command:
invoke docker_bash
Observe the error and sudo password prompt.
Full Stack Trace and Command Output:
(client_venv.helpers) shrysh@shrysh-Nitro-AN515-52:~/src/helpers1$ invoke docker_bash
07:02:25 - INFO hdbg.py init_logger:1018 > cmd='/home/shrysh/src/venv/client_venv.helpers/bin/invoke docker_bash'
# docker_bash: base_image='', stage='dev', version='', use_entrypoint=True, as_user=True, generate_docker_compose_file=True, container_dir_name='.', skip_pull=False
07:02:25 - WARN hserver.py _raise_invalid_host:349 Don't recognize host: host_os_name=Linux, am_host_os_name=None
07:02:25 - WARN hserver.py _raise_invalid_host:349 Don't recognize host: host_os_name=Linux, am_host_os_name=None
07:02:25 - WARN hserver.py _raise_invalid_host:349 Don't recognize host: host_os_name=Linux, am_host_os_name=None
# docker_pull: stage='dev', version=None, skip_pull=False
# docker_login: target_registry='aws_ecr.ck'
07:02:25 - WARN lib_tasks_docker.py docker_login:405 Skipping logging in for Helpers
07:02:25 - INFO lib_tasks_docker.py _docker_pull:230 image='causify/helpers:dev'
docker pull causify/helpers:dev
dev: Pulling from causify/helpers
Digest: sha256:43ac049013f992d7efc4a8196bfa15dc0b3f7559e52848adf825c3c7b5c84ca3
Status: Image is up to date for causify/helpers:dev
docker.io/causify/helpers:dev
IMAGE=causify/helpers:dev \
docker compose \
--file /home/shrysh/src/helpers1/devops/compose/docker-compose.yml \
--env-file devops/env/default.env \
run \
--rm \
--name shrysh.helpers.app.helpers1.20250323_123225 \
--user $(id -u):$(id -g) \
app \
bash
WARN[0000] The "CSFY_FORCE_TEST_FAIL" variable is not set. Defaulting to a blank string.
WARN[0000] The "CSFY_AWS_ACCESS_KEY_ID" variable is not set. Defaulting to a blank string.
WARN[0000] The "CSFY_AWS_DEFAULT_REGION" variable is not set. Defaulting to a blank string.
WARN[0000] The "CSFY_AWS_SECRET_ACCESS_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CSFY_AWS_SESSION_TOKEN" variable is not set. Defaulting to a blank string.
WARN[0000] The "CSFY_TELEGRAM_TOKEN" variable is not set. Defaulting to a blank string.
WARN[0000] The "OPENAI_API_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] /home/shrysh/src/helpers1/devops/compose/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
##> devops/docker_run/entrypoint.sh
UID=1000
GID=1000
CSFY_USE_HELPERS_AS_NESTED_MODULE=0
CSFY_HOST_GIT_ROOT_PATH=/home/shrysh/src/helpers1
CSFY_GIT_ROOT_PATH=/app
CSFY_HELPERS_ROOT_PATH=/app
> source /app/dev_scripts_helpers/thin_client/thin_client_utils.sh ...
AM_CONTAINER_VERSION='1.2.0'
CSFY_USE_HELPERS_AS_NESTED_MODULE=0
##> devops/docker_run/docker_setenv.sh
> source /app/dev_scripts_helpers/thin_client/thin_client_utils.sh ...
# activate_docker_venv()
# set_path()
PATH=.:./devops:./papers:./.git:./aws:./dev_scripts_helpers:./import_check:./config_root:./linters:./.github:./docs:./helpers::/app:/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# set_pythonpath()
PYTHONPATH=/app:
# Configure env
WARNING: /var/run/docker.sock doesn't exist
# set_up_docker_git()
git --version: git version 2.43.0
/app
# invoke print_env
03:02:35 - INFO hdbg.py init_logger:1018 > cmd='/venv/bin/invoke print_env'
03:02:35 - WARN hserver.py _raise_invalid_host:349 Don't recognize host: host_os_name=Linux, am_host_os_name=None
03:02:35 - WARN hserver.py _raise_invalid_host:349 Don't recognize host: host_os_name=Linux, am_host_os_name=None
[sudo] password for ubuntu:
sudo: a password is required
03:02:37 - WARN hserver.py _raise_invalid_host:349 Don't recognize host: host_os_name=Linux, am_host_os_name=None
03:02:37 - WARN hserver.py _raise_invalid_host:349 Don't recognize host: host_os_name=Linux, am_host_os_name=None
03:02:39 - INFO font_manager.py _load_fontmanager:1639 generated new fontManager
Do you mean this warning?
WARNING: /var/run/docker.sock doesn't exist
Because I don't think it affects the functionality, i.e. you can still get into bash and work there in spite of the warning, correct?
Not just the warning, for me, personally I was unable to run the invoke command as a whole and would throw an error inside the container.
I was unable to run the invoke command as a whole
So running i docker_bash didn't ultimately get you into bash inside the container? Or what do you mean?
and would throw an error inside the container.
Then for the full context, please provide the stacktrace of this error, since it's not in the stacktrace you provided above.
So running
i docker_bashdidn't ultimately get you into bash inside the container? Or what do you mean? Correct, at the very least for my machine it did not allow me to invoke docker bash.
Like I mentioned in #388, I believe this can be fixed by adding our (Causify) user to the docker group (sudo usermod -aG docker $USER + reboot).
The above step can be mentioned in the On-boarding steps. Should I go ahead and add the command prompts for that in the documentation and later create a PR for the same @sonniki ?
@Shr3yash
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
From my experience, the error you are seeing is local to your system only. Its because your own system doesn't have "docker" user in sudo group thats why it requires sudo password when running docker related "processes" in the local system. I think this is a common problem when installing docker for the first time. The steps to resolve this are provided here
https://www.digitalocean.com/community/questions/how-to-fix-docker-got-permission-denied-while-trying-to-connect-to-the-docker-daemon-socket
Regarding https://github.com/causify-ai/helpers/issues/388, its completely different error that appears when running our internal docker invokes such as i docker_bash. It asks for sudo password when bashing inside the docker container(you might not see it at all) and not when running the docker "processes"(The error that was posted in this issue).
I don't think the 2 errors are related at all.
Do you see [sudo] password for ubuntu: as shown in the last line of the below linked error trace when running i docker_bash or i lint ....?
https://github.com/causify-ai/helpers/issues/388#issue-2929573899
I agree with @samarth9008 analysis. Let's
- understand the root cause and find the solution
- document the solution for others
Also let's do these things quickly since those are simple issues.
Yes, these issues are resolved for me. Just need to document the solution for others. I will go ahead and provide the documentation for others, if they face the same issue. @gpsaggese @samarth9008
@samarth9008, I do see [sudo] password for ubuntu: as shown in the last line of the below linked error trace when running i docker_bash or i lint.
@samarth9008, I do see [sudo] password for ubuntu: as shown in the last line of the below linked error trace when running i docker_bash or i lint.
So were you able to solve that issue? If so feel free to document the solution in that filed issue and in a doc by doing a PR and any code changes that might require.