TestForge Blog

Docker permission denied — Complete Fix Guide

Every cause and fix for Docker permission denied errors. Covers /var/run/docker.sock access, volume mount permissions, and file permission issues inside containers.

TestForge Team

Three Types of Permission Errors

Type 1: Docker Socket Access Denied

permission denied while trying to connect to the Docker daemon socket
at unix:///var/run/docker.sock

Type 2: File Not Executable Inside Container

exec /app/entrypoint.sh: permission denied

Type 3: Volume Mount File Permission Denied

open /data/config.yaml: permission denied

Fix Type 1: Docker Socket Permission

Cause

docker.sock is accessible only by root or the docker group by default.

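ls -la /var/run/docker.sock
# srw-rw---- 1 root docker ...

# Fix: add your user to the docker group
# (docker group membership is root-equivalent on the host; grant it only to trusted users)
sudo usermod -aG docker $USER

# Log out and back in for it to take effect
# Or start a new shell:
newgrp docker

# Verify
docker ps

# Temporary workaround, not recommended: makes the socket world-writable,
# so any local user or process gets root-equivalent control of the daemon
sudo chmod 666 /var/run/docker.sock
# Security note: reverts on reboot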

docker.sock in CI/CD

# GitHub Actions
- name: Build
  run: docker build .
  # On GitHub Actions runners the runner user is already in the docker group; no extra config needed

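# Jenkins running inside a container
# (mounting the socket gives the container root-equivalent control of the host daemon)
docker run -d --name jenkins -v /var/run/docker.sock:/var/run/docker.sock jenkins/jenkins
# Add the jenkins user to a docker group with the same GID as the socket's group
# (run as root inside the container, then restart so the new group applies)
docker exec -u root jenkins sh -c \
  'groupadd -o -g "$(stat -c %g /var/run/docker.sock)" docker && usermod -aG docker jenkins'
docker restart jenkins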

Fix Type 2: File Execution Permission

Cause

COPY keeps the file mode from the build context, so a script that lacks the execute bit on the host lacks it in the image too.

# Problem: the ENTRYPOINT below fails with "permission denied"
COPY entrypoint.sh /app/entrypoint.sh
ENTRYPOINT ["/app/entrypoint.sh"]

# Fix
COPY entrypoint.sh /app/entrypoint.sh
RUN chmod +x /app/entrypoint.sh
ENTRYPOINT ["/app/entrypoint.sh"]

Scripts Written on Windows

.sh files created on Windows lack the execute bit and may have CRLF line endings.

# Fix with Git attributes (run in the repository)
echo "*.sh text eol=lf" >> .gitattributes

# Or fix inside the Dockerfile
RUN apt-get update && apt-get install -y dos2unix \
    && dos2unix /app/entrypoint.sh && chmod +x /app/entrypoint.sh

Fix Type 3: Volume Mount Permission

Cause

The process inside the container doesn’t have write permission to the mounted host directory.

# Check the user inside the container
docker exec my-container id
# uid=1000(appuser) gid=1000(appuser)

# Check host directory permissions
ls -la /host/data/
# drwxr-x--- root root  → appuser(1000) cannot write
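
To make the check above repeatable, this added example (not part of the original post) predicts from owner, group and mode bits whether a given container UID:GID can write to a host path. The function names `can_write` and `world_writable` are hypothetical; GNU `stat` is assumed, and ACLs, SELinux/AppArmor and user-namespace remapping are ignored.

```shell
#!/bin/sh
# Added example (not from the original post): predict whether a container
# UID:GID can write to a bind-mounted host path from owner, group and mode bits.
# Assumes GNU stat; ignores ACLs, SELinux/AppArmor and user-namespace remapping.

# can_write UID GID PATH -> 0 writable, 1 not writable, 2 path cannot be read
can_write() {
    cw_uid=$1; cw_gid=$2; cw_path=$3
    cw_info=$(stat -c '%u %g %a' "$cw_path" 2>/dev/null) || return 2
    set -- $cw_info                      # $1 owner UID, $2 owner GID, $3 octal mode
    [ "$cw_uid" -eq 0 ] && return 0      # root bypasses mode bits
    if [ "$cw_uid" -eq "$1" ]; then
        cw_bits=$(( $3 / 100 % 10 ))     # owner digit
    elif [ "$cw_gid" -eq "$2" ]; then
        cw_bits=$(( $3 / 10 % 10 ))      # group digit
    else
        cw_bits=$(( $3 % 10 ))           # other digit
    fi
    # A directory needs write (2) and search (1); a file needs only write (2)
    if [ -d "$cw_path" ]; then cw_need=3; else cw_need=2; fi
    [ $(( cw_bits & cw_need )) -eq "$cw_need" ]
}

# world_writable PATH -> 0 if the "other" digit grants write (chmod 777 / 666)
world_writable() {
    ww_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( ww_mode % 10 & 2 )) -ne 0 ]
}

# Constructed demo: a temp directory stands in for /host/data (drwxr-x---)
demo_dir=$(mktemp -d)
chmod 750 "$demo_dir"
demo_uid=$(( $(stat -c '%u' "$demo_dir") + 1 ))   # neither owner nor root
demo_gid=$(( $(stat -c '%g' "$demo_dir") + 1 ))   # not the owning group
if can_write "$demo_uid" "$demo_gid" "$demo_dir"; then
    echo "uid $demo_uid can write to $demo_dir"
else
    echo "uid $demo_uid cannot write to $demo_dir: chown it or match the UID"
fi
rm -rf "$demo_dir"
```

Call `can_write` with the UID and GID reported by `docker exec my-container id` and the host side of the mount; `world_writable` flags directories or sockets left open by a `chmod 777` or `chmod 666` workaround.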

Solution A: Change Host Directory Ownership

sudo chown -R 1000:1000 /host/data/
# or
sudo chmod 777 /host/data/  # lower security: the directory becomes world-writable

Solution B: Match UID in Dockerfile

# Match the UID of the host directory owner
ARG UID=1000
RUN useradd -u $UID -m appuser
USER appuser

Solution C: Set User in docker-compose

services:
  app:
    image: my-app
    user: "1000:1000"
    volumes:
      - ./data:/app/data

Kubernetes Permission Issues

# Specify UID/GID via securityContext
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000  # Sets group ownership of volume mount files to 1000
  containers:
  - name: app
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false

Quick Diagnostic Commands

# 1. Current user inside the container
docker exec my-container id

# 2. File/directory permissions
docker exec my-container ls -la /app/

# 3. Enter container as root for investigation
docker exec -it --user root my-container /bin/sh

# 4. Override entrypoint as root (temporary debug)
docker run --user root -it --entrypoint /bin/sh my-image