Aim:
- able to run
dockercommands withoutAdministratorprivileges. - Preparation for running
dockercommands in GitHub Actions that’s running on Self-hosted runners. See [[GitHub Actions - Self-hosted Windows Runners - enable docker build]]
When running docker build on local dev machine, we’re greeted with the error:
error during connect: In the default daemon configuration on Windows, the docker client must be run with elevated privileges to connect.: Post http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.24/images/create?fromImage=mcr.microsoft.com%2Fwindows%2Fnanoserver&tag=1809: open //./pipe/docker_engine: The system cannot find the file specified.
Troubleshooting
- Is the docker service running? Check with
PS > Get-Service dockerOutput is
1
2
3
Status Name DisplayName
------ ---- -----------
Running Docker Docker Engine
- Who can access this pipe
docker_engine? Run[System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine") | Format-Table. Output is
1
2
3
4
5
PS C:\Users\user> [System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine") | Format-Table
Path Owner Access
---- ----- ------
domain\user NT AUTHORITY\SYSTEM Allow FullControl...
- Who can access this pipe
docker_engine_windows? Run[System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine_windows") | Format-Table. Output is
1
2
3
4
5
PS C:\Users\user> [System.IO.Directory]::GetAccessControl("\\.\pipe\docker_engine_windows") | Format-Table
Path Owner Access
---- ----- ------
BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...
The Fix
Grant the user access only to the Docker Pipe as in https://github.com/tfenster/dockeraccesshelper and not to the whole machine.
1
2
3
4
5
6
7
8
9
10
11
# GrantAccessToDockerPipe.ps1
# account that's to be granted access. When on laptop, I use juliusg.
$account="juliusg"
$npipe = "\\.\pipe\docker_engine"
$dInfo = New-Object "System.IO.DirectoryInfo" -ArgumentList $npipe
$dSec = $dInfo.GetAccessControl()
$fullControl =[System.Security.AccessControl.FileSystemRights]::FullControl
$allow =[System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object "System.Security.AccessControl.FileSystemAccessRule" -ArgumentList $account,$fullControl,$allow
$dSec.AddAccessRule($rule)
$dInfo.SetAccessControl($dSec)
Testing
Open PowerShell and run that script.
In another PowerShell window, check the following:
- Is the docker service running? Check with
PS > Get-Service dockerOutput is
1
2
3
Status Name DisplayName
------ ---- -----------
Running Docker Docker Engine
- If it’s not running, restart it with
PS > Get-Service docker | Restart-Serviceand not withdockerd.dockerdstarts new instance of the Docker Daemon)
References
- Grant user access to docker pipe https://github.com/tfenster/dockeraccesshelper based on https://www.axians-infoma.de/techblog/allow-access-to-the-docker-engine-without-admin-rights-on-windows/
- Docker Daemon config: https://docs.docker.com/config/daemon/
- config.json:
C:\ProgramData\docker\config\daemon.jsonon Windows - docker daemon directory
C:\ProgramData\dockeron Windows. The Docker daemon persists all data in a single directory. This tracks everything related to Docker, including containers, images, volumes, service definition, and secrets.
- config.json: