troubleshooting

troubleshooting
- permission denied while trying to connect to the Docker daemon socket
- Malware Blocked - 'com.docker.vmnetd'

[!NOTE|label:references:]
Troubleshoot topics for Docker Desktop
Troubleshoot Docker Desktop
osx:
Incompatible CPU detected
VPNKit keeps breaking
windows

troubleshooting

# -- osx --
$ /Applications/Docker.app/Contents/MacOS/com.docker.diagnose
# create and upload the diagnostics id
$ /Applications/Docker.app/Contents/MacOS/com.docker.diagnose gather -upload
# self diagnose
$ /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check
# check log
$ pred='process matches ".*(ocker|vpnkit).*" || (process in {"taskgated-helper", "launchservicesd", "kernel"} && eventMessage contains[c] "docker")'
$ /usr/bin/log stream --style syslog --level=debug --color=always --predicate "$pred"

# -- linux --
$ /opt/docker-desktop/bin/com.docker.diagnose
# create and upload the diagnostics id
$ /opt/docker-desktop/bin/com.docker.diagnose gather -upload
# self diagnose
$ /opt/docker-desktop/bin/com.docker.diagnose check
# check log
$ journalctl --user --unit=docker-desktop

# -- windows --
> C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe
# create and upload the diagnostics id
> & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" gather -upload
> Expand-Archive -LiteralPath "%TEMP%\5DE9978A-3848-429E-8776-950FC869186F\20230607101602.zip" -DestinationPath "%TEMP%\5DE9978A-3848-429E-8776-950FC869186F\20230607101602"
# self diagnose
> & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check
# check log
> code $Env:LOCALAPPDATA\Docker\log

`permission denied while trying to connect to the Docker daemon socket`

[!NOTE|label:see also:]
* imarslo: linux/system/change group

issue shows even if the account exists in docker group

# account already been added in `docker` group
$ id marslo
uid=1100(marslo) gid=1100(marslo) groups=1100(marslo),994(docker)
$ docker ps
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.44/containers/json": dial unix /var/run/docker.sock: connect: permission denied

# group info
$ getent group docker
docker:x:994:devops,marslo
$ getent group 994
docker:x:994:devops,marslo

# remote
$ sudo gpasswd -d marslo docker
Removing user marslo from group docker
$ id marslo
uid=1100(marslo) gid=1100(marslo) groups=1100(marslo)

# re-added
$ sudo usermod -aG docker marslo
$ id marslo
uid=1100(marslo) gid=1100(marslo) groups=1100(marslo),994(docker)
$ docker ps
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.44/containers/json": dial unix /var/run/docker.sock: connect: permission denied

root cause

# docker group-id was 990, and it was changed to 994; but the `/var/run/docker.sock` wasn't been changed
$ ls -asltrh /var/run/docker.sock
0 srw-rw---- 1 root redwillow 0 Mar  7 15:27 /var/run/docker.sock

solution

$ sudo chown -R root:docker /var/run/docker.sock
$ docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

# to change all after GID changed
$ find / -gid OLD_GID ! -type l -exec chgrp NEW_GID {} \;

Malware Blocked - 'com.docker.vmnetd'

[!NOTE|label:references:]
#7520 - [Workaround in description] Mac is detecting Docker as a malware and keeping it from starting
Malware Blocked: “com.docker.vmnetd” was not opened because it contains malware
Incident Update: Docker Desktop for Mac

status

$ sha256sum /Library/PrivilegedHelperTools/com.docker.vmnetd
bed1a0468de21d1189ab560fbfcd3432b396143c067831e096553057401fac67  /Library/PrivilegedHelperTools/com.docker.vmnetd

workaround

#!/bin/bash

# Stop the docker services
echo "Stopping Docker..."
sudo pkill '[dD]ocker'

# Stop the vmnetd service
echo "Stopping com.docker.vmnetd service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.vmnetd.plist

# Stop the socket service
echo "Stopping com.docker.socket service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.socket.plist

# Remove vmnetd binary
echo "Removing com.docker.vmnetd binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.vmnetd

# Remove socket binary
echo "Removing com.docker.socket binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.socket

# Install new binaries
echo "Install new binaries..."
sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
sudo cp /Applications/Docker.app/Contents/MacOS/com.docker.socket /Library/PrivilegedHelperTools/

result

$ sudo sha256sum /Library/PrivilegedHelperTools/com.docker.*
ec9c5cbef5bf903e17569393cabe452499370b5ec89bdd819054806e20a0dca1  /Library/PrivilegedHelperTools/com.docker.socket
be868fea1cf597f45ecc1892564ccac333c79c94d0c49f26c28fc7931bede017  /Library/PrivilegedHelperTools/com.docker.vmnetd

solution

[!NOTE|label:references:]
Uninstall Docker Desktop

remove docker desktop

$ /Applications/Docker.app/Contents/MacOS/uninstall
Password:
Uninstalling Docker Desktop...
Error: unlinkat /Users/<USER_HOME>/Library/Containers/com.docker.docker/.com.apple.containermanagerd.metadata.plist: operation not permitted

$ rm -rf ~/Library/Group\ Containers/group.com.docker
$ rm -rf ~/.docker

re-intall docker desktop

$ sudo hdiutil attach Docker.dmg
$ sudo /Volumes/Docker/Docker.app/Contents/MacOS/install
$ sudo hdiutil detach /Volumes/Docker

Previoustricky Nextwindows

Last updated 2 months ago

Was this helpful?

# -- osx -- $ /Applications/Docker.app/Contents/MacOS/com.docker.diagnose # create and upload the diagnostics id $ /Applications/Docker.app/Contents/MacOS/com.docker.diagnose gather -upload # self diagnose $ /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check # check log $ pred='process matches ".*(ocker|vpnkit).*" || (process in {"taskgated-helper", "launchservicesd", "kernel"} && eventMessage contains[c] "docker")' $ /usr/bin/log stream --style syslog --level=debug --color=always --predicate "$pred" # -- linux -- $ /opt/docker-desktop/bin/com.docker.diagnose # create and upload the diagnostics id $ /opt/docker-desktop/bin/com.docker.diagnose gather -upload # self diagnose $ /opt/docker-desktop/bin/com.docker.diagnose check # check log $ journalctl --user --unit=docker-desktop # -- windows -- > C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe # create and upload the diagnostics id > & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" gather -upload > Expand-Archive -LiteralPath "%TEMP%\5DE9978A-3848-429E-8776-950FC869186F\20230607101602.zip" -DestinationPath "%TEMP%\5DE9978A-3848-429E-8776-950FC869186F\20230607101602" # self diagnose > & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check # check log > code $Env:LOCALAPPDATA\Docker\log

# account already been added in `docker` group $ id marslo uid=1100(marslo) gid=1100(marslo) groups=1100(marslo),994(docker) $ docker ps permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.44/containers/json": dial unix /var/run/docker.sock: connect: permission denied # group info $ getent group docker docker:x:994:devops,marslo $ getent group 994 docker:x:994:devops,marslo # remote $ sudo gpasswd -d marslo docker Removing user marslo from group docker $ id marslo uid=1100(marslo) gid=1100(marslo) groups=1100(marslo) # re-added $ sudo usermod -aG docker marslo $ id marslo uid=1100(marslo) gid=1100(marslo) groups=1100(marslo),994(docker) $ docker ps permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.44/containers/json": dial unix /var/run/docker.sock: connect: permission denied

# docker group-id was 990, and it was changed to 994; but the `/var/run/docker.sock` wasn't been changed $ ls -asltrh /var/run/docker.sock 0 srw-rw---- 1 root redwillow 0 Mar 7 15:27 /var/run/docker.sock

$ sudo chown -R root:docker /var/run/docker.sock $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES # to change all after GID changed $ find / -gid OLD_GID ! -type l -exec chgrp NEW_GID {} \;

#!/bin/bash # Stop the docker services echo "Stopping Docker..." sudo pkill '[dD]ocker' # Stop the vmnetd service echo "Stopping com.docker.vmnetd service..." sudo launchctl bootout system /Library/LaunchDaemons/com.docker.vmnetd.plist # Stop the socket service echo "Stopping com.docker.socket service..." sudo launchctl bootout system /Library/LaunchDaemons/com.docker.socket.plist # Remove vmnetd binary echo "Removing com.docker.vmnetd binary..." sudo rm -f /Library/PrivilegedHelperTools/com.docker.vmnetd # Remove socket binary echo "Removing com.docker.socket binary..." sudo rm -f /Library/PrivilegedHelperTools/com.docker.socket # Install new binaries echo "Install new binaries..." sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/ sudo cp /Applications/Docker.app/Contents/MacOS/com.docker.socket /Library/PrivilegedHelperTools/

$ sudo sha256sum /Library/PrivilegedHelperTools/com.docker.* ec9c5cbef5bf903e17569393cabe452499370b5ec89bdd819054806e20a0dca1 /Library/PrivilegedHelperTools/com.docker.socket be868fea1cf597f45ecc1892564ccac333c79c94d0c49f26c28fc7931bede017 /Library/PrivilegedHelperTools/com.docker.vmnetd

$ /Applications/Docker.app/Contents/MacOS/uninstall Password: Uninstalling Docker Desktop... Error: unlinkat /Users/<USER_HOME>/Library/Containers/com.docker.docker/.com.apple.containermanagerd.metadata.plist: operation not permitted $ rm -rf ~/Library/Group\ Containers/group.com.docker $ rm -rf ~/.docker