connecting to docker socket inside container with different user than root is broken after updating to 4.19

[szaimen]

• I have tried with the latest version of Docker Desktop
• I have tried disabling enabled experimental features
• I have uploaded Diagnostics
• Diagnostics ID: C857ED5F-7E60-421A-ADEE-29B71A07CE6A/20230501125903

Actual behavior

After updating Docker Desktop on Windows to v4.19 when trying to connect to a bind-mounted tcp unix socket inside a container that runs as unprivileged (non-root user) process. Connecting to the socket as root user inside the container still works but it apparently broke due to the update because it worked also with the unprivileged user before the update.

Expected behavior

It should be possible to connect to the socket even as non-root user if read permissions are set correct.

Information

• Windows Version: Windows 11 Pro 22H2
• Docker Desktop Version: 4.19
• WSL2 or Hyper-V backend? WSL2
• Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

Steps to reproduce the behavior

1. Update to Docker Desktop 4.19 on Windows
2. run via command prompt:

# docker info works with root user
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli docker info

Output

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 2
  Running: 2
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: 23.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc version: v1.1.5-0-gf19387a
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 5.15.90.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.682GiB
 Name: docker-desktop
 ID: 98271cca-a380-4fa6-8246-56d88c255a12
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Registry: https://index.docker.io/v1/
 Experimental: true
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support

# docker info does not work with different user even though it has read access to the socket
docker run -it --rm -v //var/run/docker.sock:/var/run/docker.sock:ro docker:cli sh -c "apk add shadow sudo && ls -l /var/run/docker.sock && adduser -D -S www-data -G www-data && sudo -u www-data docker info"

Output

fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/3) Installing linux-pam (1.5.2-r1)
(2/3) Installing shadow (4.13-r0)
(3/3) Installing sudo (1.9.12_p2-r1)
Executing busybox-1.35.0-r29.trigger
OK: 17 MiB in 25 packages
srwxr-xr-x    1 root     root             0 May  1 12:49 /var/run/docker.sock
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.10.4
    Path:     /usr/local/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.17.3
    Path:     /usr/local/libexec/docker/cli-plugins/docker-compose

Server:
ERROR: permission denied while trying to connect to the Docker daemon socket at unix:///web.archive.org/web/20251119165626/https://var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": dial unix /var/run/docker.sock: connect: permission denied
errors pretty printing info

[djs55]

@szaimen thanks for your report. I suspect this is the same as docker/for-mac#6823 . Could you check

• the ownership and permissions you're seeing on the /var/run/docker.sock inside the container
• the versions of both Docker Desktop and the docker:cli image which work and which don't? So far I've not found a combination of those which works with a non-root user. I'm not sure whether it's a change in Docker or in the docker:cli image. Could you show me the ownership and permissions of the socket in a combination which works?

[szaimen]

@szaimen thanks for your report. I suspect this is the same as docker/for-mac#6823 .

Yes, this looks like the same issue.

• the ownership and permissions you're seeing on the /var/run/docker.sock inside the container

The ownership is fine. The socket is readable by the user. (see the output of ls -l in the second command above).

• the versions of both Docker Desktop and the docker:cli image which work and which don't? So far I've not found a combination of those which works with a non-root user. I'm not sure whether it's a change in Docker or in the docker:cli image. Could you show me the ownership and permissions of the socket in a combination which works?

It worked in my testing fine with Docker Desktop 4.18 in combination with the same docker:cli image docker:23.0.5-cli. I would also give it another try but I am not sure how to get back to Docker Dekstop 4.18 now that I upgraded to 4.19.

[jeffrozica]

I created another issue for this, but having a similar issue. Here are my notes on this.

Docker desktop version 4.19.0 broke my -v /var/run/docker.sock.raw /var/run/docker.sock. About 2 years ago, this solved my docker socket permission denied error (See below).... It was working fine up through version 4.18, but after the v4.19 upgrade, it broke again. Getting this error again. Had to revert back to version 4.18. Same issue on Windows and Mac versions.

"""
Got permission denied while trying to connect to the Docker daemon socket at unix:///web.archive.org/web/20251119165626/https://var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied
"""

Again, no issues until I went to docker desktop version 4.19 and its the same issue on MAC and WINDOWS. The docker.sock.raw was the only viable option for me to fix this.

[jeffrozica]

NOTE REGARDING GOING BACK TO PRIOR DOCKER DESKTOP VERSION: At least on the MAC, to revert back to version 4.18, I just manually l downloaded it and reinstalled. It asked me to overlap my prior version and that worked. Did not loose any images, settings, etc.. Not sure on Windows, if you can do that, but you can try. If just reinstalling on top of existing version doesn't work, you have to uninstall 4.19 and reinstall 4.18 from scratch, but then you have to set up everything again and redo your docker images

[vbode]

I am running into the same issue on Windows.

[FlattusBlastus]

Please prioritize this fix.

[nerlins]

OMFG. Somebody in docker respond to this and help us...

[bobloadmire]

how are you guys downgrading docker desktop on windows? installer just says installation up to date, and exits. if they are going to release alpha code in stable we need options to downgrade.

[vbode]

I use chocolatey to manage my installed software. It also allows you to easily downgrade docker desktop.

[briantho]

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

[jctace]

hi, can anyone confirm this is still an issue with the new release 4.20? I want to make sure before I upgrade docker desktop, as I already went through the downgrade process and nextcloud is happy running on 4.18

Yes still an issue with 4.20

[nerlins]

Why is this still an issue in another release? Are the people at Docker even looking into this problem? This doesn't seem like a bug but an intentional change and they're not speaking up about it.

Here's a thought. For $5 a month someone could actually purchase official support for Docker Desktop through Docker themselves. I'm wondering if anyone is paying for this support and what would be the response to the problem then?

[racineda]

Adding my +1 one here. Glad I'm not alone.