How to Safely Add Your GitLab Runner to the Docker Group for Streamlined Permissions
Most developers hack around Docker permission errors by giving runners sudo access or running them as root—here's why adding the GitLab Runner to the Docker group is the smarter, safer alternative that scales with your infrastructure.
If you’re running CI/CD pipelines that involve building or running Docker containers, you’ve likely bumped into frustrating permission issues with your GitLab Runner. The default error message probably looks something like this:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http:///var/run/docker.sock/v1.24/images/json: dial unix /var/run/docker.sock: connect: permission denied
It’s tempting to just give your runner sudo rights or run it as root just to bypass this problem. But that approach can open serious security risks and make your setup hard to maintain as you add more runners or developers.
The better way? Add your GitLab Runner user to the Docker group, which allows it to interact with the Docker daemon without being root.
Why Adding to the Docker Group Matters
- Least Privilege Principle: Instead of broad root permissions, you grant only the minimum required rights.
- Easier Management: Multiple users or services can be added or removed cleanly.
- Security: Running unprivileged users with Docker access limits exposure in case of compromises.
- Smooth CI/CD Pipelines: No unexpected permission denials during builds and deployments.
Step-by-Step Guide: Adding GitLab Runner to the Docker Group
1. Verify Your Setup
Make sure Docker is installed and running on your host machine:
sudo systemctl status docker
Confirm you can run docker commands as yourself:
docker ps
If that works without sudo, then your user is already part of the docker group.
2. Find Out Which User Runs GitLab Runner
GitLab Runner usually runs under its own dedicated user account called gitlab-runner. Check this by looking at the runner process or service:
ps aux | grep gitlab-runner
Or check the user for the service:
systemctl status gitlab-runner
You should see something like User=gitlab-runner.
3. Add GitLab Runner User to Docker Group
Use this command:
sudo usermod -aG docker gitlab-runner
This appends (-a) the docker group (-G docker) to gitlab-runner's supplementary groups without removing existing ones.
4. Restart GitLab Runner Service
For changes in group membership to take effect, restart the runner service:
sudo systemctl restart gitlab-runner
Alternatively, if you’re using a shell executor and running jobs manually, log out and log back in for group changes to apply.
5. Test Your Runner With a Simple Job
Create a .gitlab-ci.yml snippet that just checks Docker access:
test-docker-access:
script:
- docker info
Trigger this pipeline — if it outputs Docker daemon information without permission errors, congratulations!
Common Pitfalls & Tips
- Docker Socket Location: Make sure your runner indeed accesses
/var/run/docker.sock. Custom setups may differ. - Group Changes Not Applied Yet: If errors persist after adding user to group, double-check by running
groups gitlab-runner. If you don’t seedockerlisted, it means the process hasn’t refreshed its groups. - Avoid Running Runners as Root: It may “work” but reduces safety and increases risk significantly.
- Docker-in-Docker (dind) Considerations: If you’re using dind services inside GitLab CI, permissions might be handled differently; usually adding to docker group applies on host level jobs accessing host’s daemon.
Why Not Just Use Sudo?
Some might suggest tweaking your .gitlab-ci.yml job commands:
script:
- sudo docker build -t myimage .
But this requires granting passwordless sudo rights which introduces security risks and complicates maintenance due to privilege escalations.
By using group membership instead:
- You eliminate sudo overhead.
- Your jobs are safer by not escalating privileges unnecessarily.
- Administration is clearer when auditing who can run Docker commands.
Conclusion
Avoid shortcuts that compromise security or introduce brittle hacks into your CI/CD systems. Properly adding your GitLab Runner user to the Docker group is a simple fix that improves reliability, security, and scalability of container-based builds and deployments.
Follow these steps next time you onboard a new runner or diagnose mysterious pipeline permission errors — your future self (and teammates) will thank you!
Happy building! 🚀
If this helped you out or if you have questions about runner setup, drop a comment below!