Fix Docker Permission Denied on Docker.sock in Jenkins Pipeline
Resolve 'Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock' error in Jenkins on Ubuntu 16.04. Add jenkins user to docker group, restart services, verify permissions for seamless docker jenkins builds.
How to fix ‘Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock’ error in Jenkins pipeline on Ubuntu 16.04?
I am new to Docker and set up a Jenkins job on Ubuntu 16.04 with this pipeline script:
    node {
        stage('Build') {
            docker.image('maven:3.3.3').inside {
                sh 'mvn --version'
            }
        }
    }
The job fails with the following error:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock
What are the steps to resolve this Docker socket permission issue in a Jenkins environment?
The “docker permission denied” error hits when your Jenkins pipeline tries to spin up a docker.image('maven:3.3.3').inside container but can’t reach the Docker daemon socket at unix:///var/run/docker.sock. The issue boils down to the jenkins user not being in the docker group, which blocks access on Ubuntu 16.04 setups. Quick fix: run sudo usermod -aG docker jenkins, restart the Jenkins service with sudo service jenkins restart (or reboot), and verify with id jenkins. Your Jenkins Docker builds should sail through after that.
Contents
- Understanding the Docker Permission Denied Error on /var/run/docker.sock
- Why Jenkins Fails to Connect to Docker Daemon Socket
- Step-by-Step Fix: Add Jenkins User to Docker Group
- Verifying Docker Socket Permissions and Group Membership
- Restarting Services on Ubuntu 16.04 for Jenkins Docker Pipeline
- Insecure Workarounds and Security Risks to Avoid
- Advanced Setup for Dockerized Jenkins Agents
- Sources
- Conclusion
Understanding the Docker Permission Denied Error on /var/run/docker.sock
Picture this: your Jenkins job kicks off, the Groovy pipeline calls docker.image('maven:3.3.3').inside, and bam: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock. Frustrating, right? This error is super common in Jenkins environments that use Docker, especially on Ubuntu 16.04, where the socket lives at /var/run/docker.sock with tight permissions like srw-rw---- root:docker.
Why here? Docker’s Unix socket acts as the control channel for the daemon. Non-root users (hello, jenkins) get locked out unless explicitly allowed. In your case, the pipeline’s sh 'mvn --version' never runs because the container can’t even start. According to experts on Stack Overflow, it’s almost always a group membership issue, not a Docker install problem.
But don’t panic—it’s fixable in minutes. The socket’s owned by root and the docker group, so jenkins needs an invite.
Why Jenkins Fails to Connect to Docker Daemon Socket
Jenkins runs as the jenkins user by default. Docker? It demands membership in the docker group to poke the daemon socket without sudo. Your pipeline script looks innocent:
    node {
        stage('Build') {
            docker.image('maven:3.3.3').inside {
                sh 'mvn --version'
            }
        }
    }
Yet it bombs because that .inside block mounts /var/run/docker.sock into the maven container, and the jenkins process lacks rights. On Ubuntu 16.04, group changes don’t apply instantly because sessions cache them. TheServerSide nails it: Jenkins can’t talk to Docker without group access, so the build halts with the permission denied error.
Ever seen docker ps work as root but fail as jenkins? Same root cause. Native Jenkins installs exacerbate this since the agent runs on-host, sharing the socket directly.
Step-by-Step Fix: Add Jenkins User to Docker Group
Ready to crush this? SSH into your Ubuntu 16.04 Jenkins host as root or sudo user. Here’s the playbook:
- Check if the docker group exists:
getent group docker
If not, create it: sudo groupadd docker.
- Add jenkins to the group (the magic command):
sudo usermod -aG docker jenkins
-aG appends without overwriting other groups. Baeldung swears by this for docker permission denied fixes.
- Apply without logout (handy for testing):
sudo -u jenkins newgrp docker
- Test socket access as jenkins:
sudo -u jenkins docker ps
No errors? You’re golden.
This grants jenkins Docker superpowers securely, with no sudo wrappers needed in pipelines.
Verifying Docker Socket Permissions and Group Membership
Don’t skip checks—half the time, folks miss this and reboot forever. Inspect the socket:
ls -l /var/run/docker.sock
Expect: srw-rw---- 1 root docker .... Now confirm jenkins:
id jenkins
Look for docker in groups. Or grep:
grep docker /etc/group
Should list jenkins at the end.
If GID mismatches (rare on Ubuntu), align with:
sudo groupmod -g $(stat -c %g /var/run/docker.sock) docker
Stack Overflow contributors emphasize that these steps keep the docker.sock permission denied error from coming back. Run your pipeline again; mvn --version should print happily.
Restarting Services on Ubuntu 16.04 for Jenkins Docker Pipeline
Ubuntu 16.04’s Upstart/systemd hybrid means group changes need a nudge. Options:
- Jenkins restart (lightest):
sudo service jenkins restart
- Docker restart (if socket sticky):
sudo service docker restart
sudo service jenkins restart
- Reboot (nuclear, but surefire):
sudo reboot
TheServerSide recommends reboot for stubborn sessions.
Post-restart, tail Jenkins logs: sudo tail -f /var/log/jenkins/jenkins.log. Trigger the job. Success? The pipeline goes green.
Pro tip: Automate in Ansible or a setup script for repeatability.
Insecure Workarounds and Security Risks to Avoid
Tempted by sudo chmod 777 /var/run/docker.sock? Don’t. It opens root escalation—any container can mount host rootfs and pwn your box. Baeldung warns: world-readable sockets = privilege escalation city.
Skip sudo docker prefixes too; they clutter pipelines. No docker run -u root hacks. Stick to group membership for a safe fix to the permission denied error.
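The checks from the verification section and the chmod 777 warning above can be folded into one script. This is an added example, not code from the original page or its sources: a POSIX sh function that takes the ls -l line for the socket and the docker group entry and reports why a user can or cannot reach the daemon. The function names, verdict strings and sample lines are constructed for illustration, and only supplementary membership listed in the group entry is checked.

```sh
#!/bin/sh
# Added example: classify access to docker.sock from the two outputs the
# article inspects by hand (`ls -l` of the socket, the docker group entry).
# Function names and verdict strings are illustrative, not a Docker/Jenkins API.

# audit_docker_sock <ls -l line> <group entry> <user>
# Prints one verdict; exit status is 0 only for OK.
audit_docker_sock() (
    ls_line=$1 group_entry=$2 user=$3
    set -f                       # no globbing while splitting the ls line
    set -- $ls_line              # $1=mode $2=links $3=owner $4=group ...
    mode=$1 sock_group=$4
    grp_name=${group_entry%%:*}  # group(5): name:passwd:GID:members
    members=${group_entry##*:}

    [ -n "$mode" ] || { echo NO_SOCKET; exit 1; }
    # 9th character of the mode string is the "other" write bit. chmod 666/777
    # sets it, so every local account can drive the root-owned daemon.
    case $mode in ????????w*) echo WORLD_WRITABLE; exit 1 ;; esac
    # Socket owned by a different group (or a bare GID) than the entry given.
    [ "$sock_group" = "$grp_name" ] || { echo GROUP_MISMATCH; exit 1; }
    # 6th character is the group write bit, needed to connect to the socket.
    case $mode in ?????w*) ;; *) echo NO_GROUP_WRITE; exit 1 ;; esac
    # Whole-name match in the comma-separated member list.
    case ",$members," in *",$user,"*) ;; *) echo NOT_MEMBER; exit 1 ;; esac
    echo OK
)

# Live use on the Jenkins host (defined, not called here).
audit_host() {
    audit_docker_sock "$(ls -l /var/run/docker.sock 2>/dev/null)" \
                      "$(getent group docker)" "${1:-jenkins}"
}

# Constructed sample lines, not captured from a real host.
GOOD='srw-rw---- 1 root docker 0 Jan  1 00:00 /var/run/docker.sock'
OPEN='srwxrwxrwx 1 root docker 0 Jan  1 00:00 /var/run/docker.sock'
audit_docker_sock "$GOOD" 'docker:x:999:jenkins' jenkins || true   # OK
audit_docker_sock "$GOOD" 'docker:x:999:'        jenkins || true   # NOT_MEMBER
audit_docker_sock "$OPEN" 'docker:x:999:jenkins' jenkins || true   # WORLD_WRITABLE
```

An OK verdict means the user can drive a daemon that runs as root, so the same check is worth running for every account listed in the docker group, not only jenkins.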
Advanced Setup for Dockerized Jenkins Agents
Running Jenkins in Docker? Mount the socket: -v /var/run/docker.sock:/var/run/docker.sock. But GID sync is key:
- Get host GID:
stat -c %g /var/run/docker.sock
(often 999+).
- In agent Dockerfile:
RUN groupmod -g <HOST_GID> docker && \
    usermod -aG docker jenkins
- Run with
--group-add $(stat -c %g /var/run/docker.sock)
Stack Overflow details this for permission denied errors inside Docker containers. Kubernetes? Use docker-in-docker sidecars instead.
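The GID sync above has one failure case worth handling: groupmod -g refuses a GID that another group in the image already holds. This is an added sketch, not from the original page or its sources, that picks the command to run from the socket's GID and the container's group file. The function name plan_gid_sync and the sample group file are constructed, and joining the group that already holds the GID is this example's choice.

```sh
#!/bin/sh
# Added example: choose how to give jenkins access to a bind-mounted docker.sock
# from the socket's GID and the container's group file. plan_gid_sync and the
# sample file below are constructed for illustration.

# plan_gid_sync <socket gid> <group file>
# Prints the command to run as root inside the agent container.
plan_gid_sync() (
    sock_gid=$1 group_file=$2
    # Group that already holds the socket's GID inside the container, if any.
    holder=$(awk -F: -v g="$sock_gid" '$3 == g { print $1; exit }' "$group_file")
    # Is there a docker group at all (e.g. created by installing the CLI)?
    has_docker=$(awk -F: '$1 == "docker" { print "yes"; exit }' "$group_file")

    if [ "$holder" = docker ]; then
        # GIDs already match the host: only membership is missing.
        echo "usermod -aG docker jenkins"
    elif [ -n "$holder" ]; then
        # groupmod -g would be rejected because the GID is taken; join the
        # group that owns it instead of forcing a duplicate GID.
        echo "usermod -aG $holder jenkins"
    elif [ "$has_docker" = yes ]; then
        # The article's Dockerfile step: renumber docker to the host GID.
        echo "groupmod -g $sock_gid docker && usermod -aG docker jenkins"
    else
        echo "groupadd -g $sock_gid docker && usermod -aG docker jenkins"
    fi
)

# Constructed container group file: docker exists at 999, ping holds 998.
sample_groups() {
    printf '%s\n' 'root:x:0:' 'ping:x:998:' 'docker:x:999:' 'jenkins:x:1000:'
}

# Live use inside the agent container (defined, not called here).
plan_for_mounted_socket() {
    plan_gid_sync "$(stat -c %g /var/run/docker.sock)" /etc/group
}

tmp=$(mktemp) && sample_groups >"$tmp"
plan_gid_sync 997 "$tmp"   # groupmod -g 997 docker && usermod -aG docker jenkins
rm -f "$tmp"
```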
Sources
- Stack Overflow — Comprehensive fixes for Jenkins Docker socket permission denied including groupmod and newgrp: https://stackoverflow.com/questions/47854463/docker-got-permission-denied-while-trying-to-connect-to-the-docker-daemon-socke
- TheServerSide — Step-by-step resolution for docker jenkins daemon access on Ubuntu with service restarts: https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Fix-Jenkins-Docker-Permission-denied-daemon-error
- Baeldung — Detailed explanation of docker.sock permissions, group addition, and security risks of chmod: https://www.baeldung.com/linux/docker-permission-denied-daemon-socket-error
Conclusion
Fixing the docker.sock permission denied error in your Jenkins pipeline on Ubuntu 16.04 is straightforward: add jenkins to the docker group, verify with id and docker ps, restart services, and test. Skip insecure chmod tricks; group membership keeps things secure and scalable for Jenkins Docker workflows. Once sorted, your docker.image().inside blocks will fire reliably, letting you focus on builds, not babysitting sockets. If GIDs trip you up in Dockerized setups, double-check mounts. Smooth sailing ahead!
To fix the docker permission denied error when Jenkins tries to connect to the Docker daemon socket at unix:///var/run/docker.sock, add the jenkins user to the docker group using sudo usermod -a -G docker jenkins, then restart Jenkins with sudo service jenkins restart. Verify membership with grep docker /etc/group or id jenkins, and use newgrp docker to apply changes without logout. Avoid insecure chmod 777 /var/run/docker.sock due to root escalation risks. For Dockerized Jenkins, mount /var/run/docker.sock, match host Docker GID with groupmod -g $(stat -c %g /var/run/docker.sock) docker, and install Docker in the agent container.
Key steps:
- sudo usermod -aG docker jenkins
- sudo service jenkins restart
- Test with docker ps as jenkins user
Resolve the docker.sock permission denied issue in Jenkins by running sudo usermod -a -G docker jenkins on the host, then reboot the machine to apply group changes. This allows Jenkins to access the Docker daemon socket without permission denied errors during pipeline builds like docker.image().inside. The restart ensures the Jenkins Docker integration works seamlessly on Ubuntu setups.
Verification:
- Reboot or newgrp docker
- Run docker ps as jenkins
- Test pipeline stage with sh 'mvn --version'
The Docker daemon socket permission denied error stems from /var/run/docker.sock permissions (srw-rw---- root:docker); fix it by creating the docker group if needed with sudo groupadd docker, then adding the user with sudo usermod -aG docker $USER (or jenkins). Log out and back in or run newgrp docker, and restart the Docker service with sudo systemctl restart docker. Avoid chmod 666/777, as it enables container root escalation (e.g., mounting host root). Prefixing commands with sudo works temporarily, but prioritize group membership as the secure resolution.
Steps for Ubuntu 16.04:
- sudo usermod -aG docker jenkins
- sudo service docker restart
- sudo service jenkins restart
- Verify: ls -l /var/run/docker.sock
