Docker compose permission denied

kinghat · November 25, 2025, 7:40pm

how do i run docker w/o root privs? when i try to compose up i get a permission error:

$ docker compose up -d
unable to get image ‘amir20/dozzle:latest’: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get “http://%2Fvar%2Frun%2Fdocker.sock/v1.51/images/amir20/dozzle:latest/json”: dial unix /var/run/docker.sock: connect: permission denied

i dont even see a docker group to add the default truenas_admin to.

tangentially, is there a future where instead of having to use the “yaml include” workaround:

include:
  - path: /mnt/storage/services/dockage/compose.yml
services: {}

to be able to run containers from our own compose files, could it just be a field where we give the path to our compose and it adds and runs it from there?

bacon · November 25, 2025, 8:02pm

You can use sudo docker compose up. Or is there a reason why you want to avoid using sudo? There is a docker group, but the TrueNAS Web UI doesn’t allow adding users to built-in groups.

perry · November 26, 2025, 9:38pm

Why do you say that? I added the docker auxiliary group to my user with no trouble using the UI (in Fangtooth), and plain docker CLI works fine for that user now. (Of course, sudo works too.)

LarsR · November 26, 2025, 9:54pm

There was a chance in goldeye that no longer allows adding users to the docker group, as far as I’ve seen

kinghat · November 26, 2025, 11:58pm

if i dont want to use the apps, or the provided yaml interface via includes, so to get an initial manager(dockage/arcane/etc) up and going i need to manually up it on my compose. im not exactly sure how that container can then start and manage others unless its because it was initially started with root

is it possible to get files and directories created by a container(arcane) to not be owned by root?

bacon · November 27, 2025, 7:45am

If you have containers that start other container then that is usually done by passing the docker socket to the container. Usually that looks like this (in compose yaml):

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

The docker daemon dockerd runs as root in most installations. That daemon is responsible for all container management, including launching of containers. Anyone who has access to the socket file (unix domain socket) can send docker API commands to dockerd and thus has full access to all docker functions.

Any management interface (dockage/portainer/..) don’t do any container management directly - they all use Docker API instead.

File owner is related to which user the container runs as. You can directly instruct docker on which user/group to user, which can look in the YAML file like this:

servives:
  myservice:
    image: ...
    user: 3003:3003

This is the most secure option. This won’t work with container management apps - they need to be root or at least in the docker group to access the socket file. At least for opening the socket file, you could drop privileges after opening. Doesn’t improve things from a security perspective - having access to docker socket means having full root access to the system (at least in the default configuration).

Many containers also have options where you can set user/group, usually via environment variables. Looking at the arcane documentation it would seem that you can set user using PUID and PGID variable.

kinghat · December 1, 2025, 4:54am

this would be another reason to put my user in the docker group. another is so when i ssh in with vscode its containers plugin can function because it also needs to be in the docker group.

bacon · December 1, 2025, 8:18am

I don’t think there is a “TrueNAS supported” way of making it work. But you can always add the user to the docker group manually:

sudo gpasswd -a "$USER" docker

Note: This only affects new ssh sessions. After that you can execute docker without sudo. Might break after a reboot and/or update, but can probably be added to a init script if really required.

Edit: For completness, to remove the user from the docker group:

sudo gpasswd -d "$USER" docker

kinghat · December 1, 2025, 4:25pm

ok it looks like ill go that route then. do you know what the difference is between adding the user via gpasswd and using usermod -aG?

error adding user to group:

$ sudo gpasswd -a “$USER” docker
Adding user truenas_admin to group docker
[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/run/sssd-cache/db/config.ldb]
Could not open available domains
[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/run/sssd-cache/db/config.ldb]
Could not open available domains

bacon · December 1, 2025, 5:26pm

I don’t know if there is any difference between the two commands.

I am also getting the error messages you posted, but the command still works.

kinghat · December 1, 2025, 5:31pm

how are you verifying that its working?

$ sudo gpasswd -a “$USER” docker
[sudo] password for truenas_admin:
Adding user truenas_admin to group docker
[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/run/sssd-cache/db/config.ldb]
Could not open available domains
[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/run/sssd-cache/db/config.ldb]
Could not open available domains

$ groups
truenas_admin builtin_administrators

$ docker compose ls
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get “http://%2Fvar%2Frun%2Fdocker.sock/v1.51/containers/json?filters=%7B%22label%22%3A%7B%22com.docker.compose.config-hash%22%3Atrue%2C%22com.docker.compose.project%22%3Atrue%7D%7D”: dial unix /var/run/docker.sock: connect: permission denied

bacon · December 1, 2025, 6:04pm

You need to reconnect the ssh session. After that, groups should show the docker group.

kinghat · December 1, 2025, 7:55pm

thanks for pointing that out. that was a duh moment

so if i want to be able to use vscode to remote in and manage containers(solved) and run sudo for whatever needed(already possible), how do i get it to allow vscode to install itself in the home dir of truenas_admin? apparently allowing that changed in a previous release: VSCODE SSH Server Error - #3 by awalkerix and i need to use a different home dir on my pool. can i just change truenas_admins home dir like that or whats the best way to go about setting this up?

awalkerix · December 1, 2025, 8:01pm

Is there a particular reason you must use the truenas_admin user? Adding new accounts and using them should be fairly trivial.

kinghat · December 1, 2025, 8:07pm

since i was adding truenas_admin to the docker group i thought i might as well just keep that restricted to it since im doing all the other admin stuffs in the ui via that user. is there a reason not to use it or how would you structure this?

bacon · December 2, 2025, 11:44am

I would also suggest creating a new user. Changing the home directory of the truenas_admin user isn’t supported via the web user interface. Creating a new user will definitely have less chance of breaking things.

In general, it’s probably a good idea to keep the truenas_admin home on the boot pool. If the main pool ever fails to import you still have a user with a valid home directory. Don’t know what would happen if truenas_admin has a non-existent or non-accessible home directory. Shell access would probably would still work, but why risk it.

kinghat · December 4, 2025, 9:03pm

im now trying to give my vscode user that i created, and made a home for, ability to write into my services dataset, which is owned by truenas_admin. here are the current settings:

dataset settings:

vscode user permissions:

if i manually ssh in i can create files as exampled here with git init:

% ls -la
total 26
drwxrwxr-x 10 truenas_admin truenas_admin  11 Dec  4 14:34 .
drwxr-xr-x  4 root          root            4 Dec  1 14:16 ..
-rwxrwxr-x  1 root          root          112 Nov 29 11:20 .env.global
drwxr-xr-x  7 vscode        vscode         10 Dec  4 14:34 .git
drwxrwxr-x  3 truenas_admin truenas_admin   4 Dec  1 10:41 arcane
...

vscode groups(notice its not showing the docker group i added previously):

% groups
vscode truenas_admin

when i connect with vscode and try to create a workspace file in the same services dataset i dont have permission. ive closed the terminal, reloaded vscode and reconnected and its the same. also notice it show the vscode user in the docker group but not the truenas_admin group:

ps:

upon further digging it appears that vscode keeps the server alive after disconnect for faster future connects. the provide kill commands to terminate the server but those dont work and you have to run: ps uxa | grep .vscode-server | awk '{print $2}' | xargs kill -9 and reconnect or restart truenas

relevant issues:

github.com/microsoft/vscode-remote-release

New groups are not applied on the Remote-SSH session without rebooting the remote machine

opened 04:09PM - 02 Nov 21 UTC

closed 06:29PM - 10 Jan 22 UTC

JaneX8

ssh info-needed

As far as I can tell these two closed issues (https://github.com/microsoft/vscod…e-remote-release/issues/1997, https://github.com/microsoft/vscode-remote-release/issues/4058) still apply and this is annoying as hell as it took me a lot of time to figure out that the issue was VScode and not my remote setup. Below steps are 100% reproducable. - VSCode Version: 1.61.2 - Local OS Version: Windows 10 21H1 - Remote OS Version: Ubuntu 20.04.3 LTS - Remote Extension/Connection Type: Visual Studio Code Remote - SSH extension (https://code.visualstudio.com/docs/remote/ssh) - Logs: n/a **Description**: I am scoping user folders for different Docker containers. **Note that Docker has nothing to do with this issue.** For this reason I am creating groups and users on my remote Ubuntu machine and applying them to specific folders. I also add the user that I used for Remote SSH in VScode to the newly created groups. And this change is not applied, also not after adding it manually to the current session, after reconnecting and after reopening VScode altogether. The only thing that seems to fix it is to reboot my remote machine. I did not find a solution for this other then rebooting the whole server, which seems a bit dramatic. **Steps to Reproduce (on the remote machine):** For this example let's assume the user I use to connect to the server over Remote-SSH in VScode is `remoteUser` and the remote folder I am trying to access as that user is `/tmp/test`. For the sake of completeness, I use the following permissions on that (parent) folder: ``` sudo chown root:root /tmp sudo find /tmp -type d -exec chmod 0775 {} + sudo find /tmp -type f -exec chmod 0660 {} + sudo chown -R 5000:5000 /tmp/test sudo find /tmp/test -type d -exec chmod 0770 {} + sudo find /tmp/test -type f -exec chmod 0660 {} + ``` 1. `sudo groupadd --gid 5000 newDockerGroup` 2. `sudo usermod -a -G newDockerGroup remoteUser` (adding `remoteUser` to the newly created group) 3. `groups remoteUser` viewing the current groups `remoteUser` is member of. The result does contain `newDockerGroup` as expected. 4. In the vscode terminal on my current session as remoteUser I run: `id -Gn` and it **does not** contain `newDockerGroup`. This is unexpected behaviour. 5. I run `newgrp newDockerGroup`. Now after checking `id -Gn` again as user remoteUser, it does contain `newDockerGroup`. This is expected. Now the user is applied on the current Terminal session and I can browse, open and write in that folder as user `remoteUser` using Terminal. But the Remote-SSH session isn't changed and the file explorer in vscode does not allow me to navigate that folder. Reconnecting the session, reopening vscode does not fix this issue and will return to a state where `id -Gn` results in an answer **without the newly generated group**. The only way so far to fix this is rebooting the entire remote machine. After which everything works find in vscode. _I tried restarting the remote SSH service without success. If there is another workaround to restart specific processes (remotely) to get this fixed I would love to know because restarting the whole remote host is not an option._ _Moreover I open VSCode and from the Remote Explorer tab in vscode I open a new window which allows me to browse the remote files in the Explorer tab._

github.com/microsoft/vscode-remote-release

[Remote-SSH Bug]: New groups are not applied on the Remote-SSH session

opened 06:24PM - 27 Mar 24 UTC

closed 01:00AM - 13 Dec 24 UTC

maxballenger

ssh

### Is there an existing issue for this bug? - [X] I have searched the existi…ng issues ### Required Troubleshooting Steps - [X] I have followed these troubleshooting steps - [X] I have tried both values of the `remote.SSH.useLocalServer` setting ### Connect Locally It connects successfully ### -> _No response_ ### Expected Behavior 1. Add user to a new group on remote machine. 2. User restarts the VSCode server on remote machine using `RemoteSSH: Kill VSCode Server on Host`. 3. Reconnect to remote machine from VSCode 4. User has permissions granted by new group ### Steps To Reproduce This is essentially a duplicate of #5813 1. Create a temp folder and file owned by a group to which the current user does not belong ``` ballenger@system:~$ mkdir ./tmp ballenger@system:~$ mkdir ./tmp/test ballenger@system:~$ touch ./tmp/test/test ballenger@system:~$ sudo find ./tmp -type d -exec chmod 0775 {} + ballenger@system:~$ sudo find ./tmp -type f -exec chmod 0660 {} + ballenger@system:~$ sudo chown -R 5000:5000 ./tmp/test ballenger@system:~$ sudo find ./tmp/test -type d -exec chmod 0770 {} + ballenger@system:~$ sudo find ./tmp/test -type f -exec chmod 0660 {} + ballenger@system:~$ sudo groupadd --gid 5000 newTestGroup ``` 2. Add the current user to the group ``` ballenger@system:~$ sudo usermod -a -G newTestGroup ballenger ballenger@system:~$ groups ballenger sudo ballenger@system:~$ groups ballenger ballenger : ballenger sudo newTestGroup ballenger@system:~$ id -Gn ballenger sudo ballenger@system:~$ newgrp newTestGroup ballenger@system:~$ id -Gn newTestGroup sudo ballenger ``` 3. Confirm that the user can access the folder ``` ballenger@system:~$ cd tmp ballenger@system:~/tmp$ ls -l total 4 drwxrwx--- 2 5000 newTestGroup 4096 Mar 27 14:12 test ballenger@system:~/tmp$ cd ./test/ ballenger@system:~/tmp/test$ ls -l total 0 -rw-rw---- 1 5000 newTestGroup 0 Mar 27 14:12 test ``` 4. Kill the VSCode server on the remote host using `RemoteSSH: Kill VSCode Server on Host` 5. Check group membership again - user is not part of the group anymore and user cannot access the folder ``` ballenger@system:~$ id -Gn ballenger sudo ballenger@system:~$ cd tmp ballenger@system:~/tmp$ ls test ballenger@system:~/tmp$ ls -l total 4 drwxrwx--- 2 5000 newTestGroup 4096 Mar 27 14:12 test ballenger@system:~/tmp$ cd test/ bash: cd: test/: Permission denied ``` ### Remote-SSH Log <details> <summary>Remote-SSH Log</summary> <p> ``` [14:21:22.552] Log Level: 2 [14:21:22.558] VS Code version: 1.87.2 [14:21:22.559] Remote-SSH version: remote-ssh@0.109.0 [14:21:22.559] linux x64 [14:21:22.559] SSH Resolver called for "ssh-remote+xx", attempt 1 [14:21:22.560] "remote.SSH.useLocalServer": true [14:21:22.560] "remote.SSH.useExecServer": false [14:21:22.560] "remote.SSH.path": undefined [14:21:22.560] "remote.SSH.configFile": undefined [14:21:22.560] "remote.SSH.useFlock": true [14:21:22.560] "remote.SSH.lockfilesInTmp": false [14:21:22.560] "remote.SSH.localServerDownload": auto [14:21:22.560] "remote.SSH.remoteServerListenOnSocket": false [14:21:22.560] "remote.SSH.showLoginTerminal": false [14:21:22.560] "remote.SSH.defaultExtensions": [] [14:21:22.560] "remote.SSH.loglevel": 2 [14:21:22.560] "remote.SSH.enableDynamicForwarding": true [14:21:22.560] "remote.SSH.enableRemoteCommand": false [14:21:22.560] "remote.SSH.serverPickPortsFromRange": {} [14:21:22.560] "remote.SSH.serverInstallPath": {} [14:21:22.563] SSH Resolver called for host: xx [14:21:22.563] Setting up SSH remote "xx" [14:21:22.565] Acquiring local install lock: /tmp/vscode-remote-ssh-8b29e492-install.lock [14:21:22.565] Looking for existing server data file at /home/ballenger/.config/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-8b29e492-863d2581ecda6849923a2118d93a088b0745d9d6-0.109.0-tr/data.json [14:21:22.565] Using commit id "863d2581ecda6849923a2118d93a088b0745d9d6" and quality "stable" for server [14:21:22.567] Install and start server if needed ``` </p> </details> ### Anything else? _No response_

it turns out that manually adding a user to the docker group will get overridden if you change that users groups on the frontend.

kinghat · December 15, 2025, 8:01pm

in trying to setup a user as the owner of all my data with a UID:GID of 1000:1000 but when i created it with an UID of 1000 it still set the GID as something else(3000). maybe i missed that i can set the GID as well when creating a user manually creating a group with the ID of 1000 is possible and i can put the user in that group but it still has the primary group of 3000. can i change that somehow? it wont let me remove my user from that group so i can delete it:

Error Name: EINVAL
Error Code: 22
Reason: [EINVAL] group_update.users: This group is primary for the following users: kinghat. You can’t remove them.

Error Class: ValidationErrors
Extra: [
[
“group_update.users”,
“This group is primary for the following users: kinghat. You can’t remove them.”,
22
]
]
Trace: Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/middlewared/api/base/server/ws_handler/rpc.py”, line 360, in process_method_call
result = await method.call(app, id_, params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/api/base/server/method.py”, line 57, in call
result = await self.middleware.call_with_audit(self.name, self.serviceobj, methodobj, params, app,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/main.py”, line 954, in call_with_audit
result = await self._call(method, serviceobj, methodobj, params, app=app,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/main.py”, line 771, in _call
return await methodobj(*prepared_call.args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/service/crud_service.py”, line 186, in update
return await self.middleware._call(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/main.py”, line 771, in _call
return await methodobj(*prepared_call.args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/service/crud_service.py”, line 214, in nf
rv = await func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/api/base/decorator.py”, line 108, in wrapped
result = await func(*args)
^^^^^^^^^^^^^^^^^
File “/usr/lib/python3/dist-packages/middlewared/plugins/account.py”, line 2093, in do_update
verrors.check()
File “/usr/lib/python3/dist-packages/middlewared/service_exception.py”, line 71, in check
raise self
middlewared.service_exception.ValidationErrors: [EINVAL] group_update.users: This group is primary for the following users: kinghat. You can’t remove them.

bacon · December 15, 2025, 8:08pm

Can’t you change the primary group of the user in the user editor?

kinghat · December 16, 2025, 2:13am

i was able to do it there, thanks. was mentally stuck in the groups tab.

im trying to setup an init command to set the docker group where i want it because it keeps being reset on reboot. maybe im not allow to run this here, though, because its not functioning using sudo or not, or increasing the timeout:

also calling via its path doesnt work either: /usr/sbin/usermod or /sbin/usermod. neither does trying to usegpasswd -a vscode docker.