How to Fix 'Got permission denied while trying to connect to the Docker daemon socket'
Resolve Docker permission denied and connection refused errors by configuring the docker group, fixing socket ownership, and managing SELinux contexts.
- The most common cause is the current user lacking membership in the 'docker' system group, preventing access to /var/run/docker.sock.
- SELinux or AppArmor security profiles can cause 'permission denied' errors inside the container when mounting host volumes.
- Connection refused or timeout errors often indicate the Docker daemon is not running or is bound to the wrong interface.
- Quick fix: Run 'sudo usermod -aG docker $USER' followed by 'newgrp docker' to grant your user access without needing sudo.
| Method | When to Use | Time | Risk |
|---|---|---|---|
| Add user to docker group | Standard developer workstation setup | 1 min | Medium (grants root-equivalent access) |
| Rootless Docker | Production environments requiring high security | 15 mins | Low |
| SELinux :z flag on volumes | Mounting host directories on RHEL/CentOS/Fedora | 1 min | Low |
| Chown docker.sock | Temporary debugging of socket issues | 1 min | High (reverts on reboot) |
Understanding the Error
One of the most frequent hurdles developers face when starting with containerization is the infamous error message: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix /var/run/docker.sock: connect: permission denied.
To understand why this happens, you have to understand Docker's architecture. Docker operates on a client-server model. The docker CLI command you type in your terminal is merely the client. The actual heavy lifting—building, running, and managing containers—is done by the Docker daemon (dockerd). The client and the daemon communicate via a UNIX socket, typically located at /var/run/docker.sock.
By default, this UNIX socket is owned by the root user, and other users can only access it via sudo. If you run a docker command as a standard user without sudo, the OS blocks your access to the socket, resulting in the 'permission denied' error.
While this is the most common manifestation, 'permission denied' can also occur in other contexts, such as an application inside a container failing to access a mounted host volume, or TLS certificate issues preventing access to a remote Docker registry.
Step 1: Diagnose the Exact Failure
Before making system changes, verify the current state of your Docker installation and user permissions.
Check Socket Permissions:
Run ls -l /var/run/docker.sock. You should see output similar to:
srw-rw---- 1 root docker 0 Feb 23 10:00 /var/run/docker.sock
This tells you that the socket is owned by root, but the group docker has read and write access.
Check Your User Groups:
Run groups. If you do not see docker in the list of outputted groups, your current user does not have permission to write to the socket.
Check Daemon Status:
If you see docker connection refused or docker timeout instead of permission denied, the daemon might be down entirely. Run systemctl status docker to ensure it is active and running. A docker crash or docker failed state in systemd means you need to check journalctl -u docker.service for daemon-level panics or misconfigurations.
Step 2: The Primary Fix - The Docker Group
The most standard and officially documented fix for local development environments is to add your user to the docker group.
- Create the docker group if it doesn't already exist (it usually does after installation):
sudo groupadd docker - Add your user to the docker group:
sudo usermod -aG docker $USER - Apply the new group membership. You can either log out and log back in, or run:
newgrp docker
Security Warning: Adding a user to the docker group is effectively granting them root-level privileges. A user with Docker access can easily map the host's root filesystem into a container and modify system files. This is acceptable for personal workstations but should be strictly avoided in multi-tenant or production systems.
Step 3: Fixing Volume Mount Permission Denied (SELinux)
Sometimes, the docker CLI works fine, but the application inside the container throws an access denied or permission denied error when trying to read or write to a file mapped via a bind mount (-v /host/path:/container/path).
If you are on an SELinux-enabled distribution (like RHEL, Fedora, or Rocky Linux), SELinux labels will prevent the container process from accessing host files, even if the standard Linux rwx permissions look correct.
The Fix: Append the :z or :Z flag to your volume mount.
docker run -v /host/path:/container/path:z ...(Shared label: multiple containers can access it)docker run -v /host/path:/container/path:Z ...(Private label: only this specific container can access it)
This instructs Docker to automatically relabel the host directory with the correct SELinux context (container_file_t) so the container can access it.
Step 4: Troubleshooting Advanced Scenarios
Rootless Docker
If you are operating in an environment where you cannot have root privileges, or you want to adhere to the principle of least privilege, you should configure Rootless Docker. This runs both the daemon and containers entirely within user namespaces. If Rootless Docker is misconfigured, you might see docker not working or socket errors. Ensure the DOCKER_HOST environment variable is set correctly to your user-specific socket (e.g., export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock).
Docker Certificate Expired
If you receive a permission denied or handshake failure when pushing to a private registry or connecting to a remote Docker daemon via TCP, it is often a TLS issue. Ensure your client certificates in ~/.docker/tls/ or the daemon certificates in /etc/docker/certs.d/ are valid. Run openssl x509 -in client-cert.pem -text -noout to check expiration dates.
Kubernetes Conflations: CrashLoopBackOff & ImagePullBackOff
Often, developers search for Docker errors when they are actually interacting with a Kubernetes cluster. If a container repeatedly fails to start due to internal application errors (like a permission denied inside the app code) or an Out Of Memory (OOMKilled) event, Kubernetes will put the pod into CrashLoopBackOff. If Kubernetes lacks permissions (image pull secrets) to pull the image from a private Docker registry, you will see ImagePullBackOff. To fix the latter, ensure you have created a docker-registry secret in your namespace and attached it to your Pod's imagePullSecrets.
By systematically verifying socket permissions, user groups, and host security modules like SELinux, you can quickly resolve Docker access issues and return to a productive development workflow.
Frequently Asked Questions
# 1. Diagnose current permissions
ls -l /var/run/docker.sock
groups
# 2. The standard fix: add user to docker group
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
# 3. Test that it works without sudo
docker run hello-world
# 4. If using SELinux, fix volume mount permissions
docker run -d -v /my/host/data:/app/data:z my-image
# 5. Fix connection refused (restart the daemon)
sudo systemctl enable --now docker
sudo systemctl status dockerError Medic Editorial
Error Medic Editorial is a collective of senior Site Reliability Engineers and DevOps practitioners dedicated to solving complex infrastructure bugs and documenting best practices for the cloud-native ecosystem.