Cannot manipulate docker sockets from another docker container using latest Ubuntu2404 (September) #12997

@hernandikrammes

Description

I've been using the Ubuntu2404 image for running my local tests, which depend on the ability to manipulate docker containers. A test container manipulates another docker container at run time (like simulating a primary database drop, killing the container, and then after some time ramping it back up again).

Since today (09-10-2025) I'm unable to get my test docker to access the other docker container. I keep receiving

```
dial unix /var/run/docker.sock: connect: permission denied
```

Nothing changed in our environment.
I only noticed the change in the Ubuntu version (I have always been using latest for a long time now).

Problem happens on image:
Image: ubuntu-24.04
Version: 20250907.24.1
Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250907.24/images/ubuntu/Ubuntu2404-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250907.24

Image that worked correctly:
Image: ubuntu-24.04
Version: 20250831.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250831.1/images/ubuntu/Ubuntu2404-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250831.1

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Image version and build link

Image: ubuntu-24.04
Version: 20250907.24.1
Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250907.24/images/ubuntu/Ubuntu2404-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250907.24

Is it regression?

yes

Expected behavior

A docker container has to be able to access docker.sock to manipulate another docker container inside this image.

Actual behavior

One docker container cannot manipulate another docker container via the docker.sock file exposed inside the container.

Repro steps

  • Create one docker container
  • Mount /var/run/docker.sock:/var/run/docker.sock inside the container
  • Install docker inside the container
  • Create another docker container
  • Inside the first docker container, try to stop the first docker container, or execute some command
  • It will fail with permission denied
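
An added diagnostic, not part of the original report or of the runner-images project: on Linux, connect() on a unix socket needs write permission on the socket file, so this script compares the ownership and mode of /var/run/docker.sock with the credentials of the process inside the container. The names connect_verdict and diagnose are hypothetical, and the check assumes plain owner/group/other permissions with no ACLs or AppArmor/SELinux policy involved.

```python
import os
import stat
import sys

SOCK = "/var/run/docker.sock"  # path taken from the error message in the report


def connect_verdict(st_mode, st_uid, st_gid, uid, gids):
    """Decide whether connect() on a unix socket file passes classic DAC checks.

    Linux requires write permission on the socket file to connect (unix(7)).
    Exactly one permission class applies: owner, else group, else other.
    Assumption: no POSIX ACLs or LSM policy (AppArmor/SELinux) are involved.
    """
    if not stat.S_ISSOCK(st_mode):
        return False, "not-a-socket"
    if uid == 0:
        return True, "root"  # assumes CAP_DAC_OVERRIDE was not dropped
    if uid == st_uid:
        cls, bit = "owner", stat.S_IWUSR
    elif st_gid in gids:
        cls, bit = "group", stat.S_IWGRP
    else:
        cls, bit = "other", stat.S_IWOTH
    return bool(st_mode & bit), cls


def diagnose(path=SOCK):
    """Stat the socket and evaluate it against this process's credentials."""
    st = os.stat(path)
    uid = os.geteuid()
    gids = set(os.getgroups()) | {os.getegid()}
    allowed, cls = connect_verdict(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    return {"path": path, "mode": oct(stat.S_IMODE(st.st_mode)),
            "socket_uid": st.st_uid, "socket_gid": st.st_gid,
            "process_uid": uid, "process_gids": sorted(gids),
            "class": cls, "allowed": allowed}


if __name__ == "__main__":
    try:
        for key, value in diagnose(sys.argv[1] if len(sys.argv) > 1 else SOCK).items():
            print(f"{key}: {value}")
    except OSError as exc:
        print(f"cannot stat socket: {exc}", file=sys.stderr)
        sys.exit(2)
```

Run it inside the container that has the socket mounted, on both the working and the failing image version, and compare socket_gid and mode between the two. A verdict of class "other" with allowed False means the process is neither the socket's owner nor in its group; `docker run --group-add <gid>` is one way to give the container process a matching supplementary group.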
