Pycharm Docker Unix / TCP socket (with unix:///var/run/docker.sock): Permission Denied

I get a Permission Denied error when trying to setup Docker in PyCharm Professional edition. I'm on Debian Jessie (BunsenLabs).

Cannot connect: io.netty.channel.AbstractChannel$AnnotatedConnectException: connect(..) failed: Permission denied: /var/run/docker.sock
caused by: java.net.ConnectException: connect(..) failed: Permission denied

It happens with both the default settings (using Unix socket) and with the TCP socket, Engine API URL = unix:///var/run/docker.sock (does it make sense?).

If we look at the permissions on the socket:

$ ls -l /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul  5 11:18 /var/run/docker.sock

We see that it's owned by root and the docker group.

So I tried to add my user to the docker group (with sudo usermod -a -G docker USERNAME), and restarted the Docker service (with sudo service docker restart), but it still does not work.

One way to allow PyCharm to use the socket is to run it with root permissions, i.e. sudo pycharm, but I would like to avoid this. I was also able to fix this by setting read and write permissions for others on the socket (sudo chmod o+rw /var/run/docker.sock) but now everybody can use Docker on that machine without admin privilege.

What is the most secure way to allow PyCharm to connect to the Docker socket?

Also, please note that Docker works fine on the command line. Before the quick-and-dirty fix (chmod o+rw), I had to use sudo docker, and had updated /etc/sudoers to not type the password for this command. Now it works even without sudo. It does not feel secure, but it's a development machine, so if there is no other solution, I'll keep it like that.

EDIT: I am adding additional, important information.

First, adding my user in the Docker group was indeed the way to go. The thing is that when using sudo usermod, changes are not immediately reflected for the user account you are using. You need to log out and log in again to refresh the system. More information in this post and answer: Add user to group but not reflected when run "id".

Secondly, adding yourself in the Docker group allows privilege escalation! Any user being able to run docker without sudo (and therefore without typing a password) will also be able to run a container with the root of the system mounted in a volume: docker run -v /:/host_root -it --rm ubuntu /bin/bash. Since you are root in the container, it means you can manipulate the host system as if you were root on the host. Please take this into consideration before adding users in the docker group.

pawamoy asked Jul 05 '18 12:07
2 Answers

I assume your username is already in the docker group. To check this, issue the command below.

id -nG

If not, you need to add your user to the docker group with the commands below.

sudo groupadd docker
sudo usermod -aG docker $USER

When you execute the command sudo systemctl start docker, it creates a docker process. That docker process contains the dockerd daemon thread. The command also creates the default docker.sock Unix socket. The docker.sock socket is continuously listened on by the dockerd daemon thread. This means you can do kernel-level IPC with the docker.pid process. To be able to use this docker socket, you need to have proper permission at the process level (docker.pid) and the file level (docker.sock). So, executing the two commands below should solve your issue.

sudo chmod a+rwx /var/run/docker.sock
sudo chmod a+rwx /var/run/docker.pid

As you see, it doesn't show any error in PyCharm.

Note: running sudo dockerd -H unix:///var/run/docker.sock also does the same thing as explained above.

Furthermore, you can create a TCP socket so that you can use it for your own host as well as for any remote hosts.

docker stop: sudo systemctl stop docker

dockerd -H tcp://127.0.0.1:2375 -H    # you should stop docker before executing this command

start the docker: sudo systemctl start docker

And, see below the successful TCP docker socket connection in PyCharm.

Uddhav P. Gautam answered Sep 21 '22 05:09


Another option worth trying is to expose your docker daemon over a localhost TCP interface - ref

Referring to the docs, you can write your /etc/docker/daemon.json so that it looks like:

{
"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]
}

With that setup, you can try restarting docker and configuring a TCP socket in PyCharm preferences.

trust512 answered Sep 19 '22 05:09
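An audit script, added here and not part of the question or either answer, that checks the three exposure paths this thread touches: a world-accessible /var/run/docker.sock (the chmod o+rw and a+rwx fixes), docker-group membership (the question's EDIT on privilege escalation), and a tcp://127.0.0.1:2375 listener in daemon.json (both answers), which any local process can reach without being in the docker group unless tlsverify is set. The function names and the allow-list parameter are my own; the sample inputs in the docstrings are constructed.

```python
import grp, json, os, pwd, stat

SOCKET = "/var/run/docker.sock"          # default Unix socket discussed on the page
DAEMON_JSON = "/etc/docker/daemon.json"  # file edited in the second answer

def socket_findings(mode, owner, group):
    """Findings for a socket with st_mode `mode` owned by owner:group; root:docker 660 yields none."""
    findings = []
    if not stat.S_ISSOCK(mode):
        findings.append("not a socket, mode %o" % mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):  # the chmod o+rw / a+rwx "fix" from the thread
        findings.append("world-accessible socket (chmod o+rw / a+rwx): any local account is root-equivalent")
    if (owner, group) != ("root", "docker"):
        findings.append("ownership %s:%s, expected root:docker" % (owner, group))
    return findings

def group_findings(members, allowed):
    """Every docker-group member not on `allowed` is flagged: membership equals root on the host."""
    return ["%s is in the docker group but not on the allow-list" % m for m in members if m not in allowed]

def daemon_json_findings(text):
    """Flag tcp:// hosts: a plain TCP listener skips the socket's group check entirely."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):].rsplit(":", 1)[0]  # strip the port
        if not cfg.get("tlsverify"):
            findings.append("%s without tlsverify: any process that can reach the port is root-equivalent" % host)
        if addr not in ("127.0.0.1", "localhost", "::1", "[::1]"):
            findings.append("%s is reachable from the network" % host)
    return findings

def audit_host(allowed=frozenset()):
    """Run the checks on this machine; pieces that do not exist here are skipped."""
    out = []
    if os.path.exists(SOCKET):
        st = os.stat(SOCKET)
        out += socket_findings(st.st_mode, pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name)
    try:
        out += group_findings(grp.getgrnam("docker").gr_mem, allowed)
    except KeyError:
        pass  # no docker group on this host
    if os.path.exists(DAEMON_JSON):
        with open(DAEMON_JSON) as fh:
            out += daemon_json_findings(fh.read())
    return out
```

Call audit_host({"your_username"}) on the host itself; an empty list means the socket is root:docker 660, only the listed accounts are in the docker group, and no TCP listener is configured. On systemd distributions a hosts key in daemon.json conflicts with the -H fd:// the packaged docker.service already passes, so dockerd will not start until the unit's ExecStart is overridden.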