From 6b4bef9861addfbfa3ecc845885d1c0e6d850558 Mon Sep 17 00:00:00 2001
From: Felipe Santos
Date: Tue, 19 May 2026 00:56:04 -0300
Subject: [PATCH] feat: automatically add socket's group when using `--use-api-socket`
Signed-off-by: Felipe Santos
---
 cli/command/container/create.go | 8 ++++---
 cli/command/container/use_api_socket_unix.go | 24 +++++++++++++++++++
 .../container/use_api_socket_windows.go | 4 ++++
 3 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 cli/command/container/use_api_socket_unix.go
 create mode 100644 cli/command/container/use_api_socket_windows.go
diff --git a/cli/command/container/create.go b/cli/command/container/create.go
index 2598323d7e6e..33d494d8db5d 100644
--- a/cli/command/container/create.go
+++ b/cli/command/container/create.go
@@ -255,12 +255,14 @@ func createContainer(ctx context.Context, dockerCLI command.Cli, containerCfg *c
 }
 // hard-code engine socket path until https://github.com/moby/moby/pull/43459 gives us a discovery mechanism
- containerCfg.HostConfig.Mounts = append(containerCfg.HostConfig.Mounts, mount.Mount{
+ const dockerSocketPath = "/var/run/docker.sock"
+ hostConfig.Mounts = append(hostConfig.Mounts, mount.Mount{
 Type: mount.TypeBind,
- Source: "/var/run/docker.sock",
- Target: "/var/run/docker.sock",
+ Source: dockerSocketPath,
+ Target: dockerSocketPath,
 BindOptions: &mount.BindOptions{},
 })
+ addSocketGroup(&hostConfig.GroupAdd, dockerSocketPath)
 /*
diff --git a/cli/command/container/use_api_socket_unix.go b/cli/command/container/use_api_socket_unix.go
new file mode 100644
index 000000000000..2671e6232857
--- /dev/null
+++ b/cli/command/container/use_api_socket_unix.go
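Review bot: In create.go the new `addSocketGroup(&hostConfig.GroupAdd, dockerSocketPath)` call reads the group from the CLI host's filesystem, while the bind mount is resolved by the engine, so when the CLI targets a remote or VM-hosted daemon the two sockets can have different owners. In that case the container silently gains a supplementary GID that may not grant socket access at all and may instead match an unrelated group on the engine host. I would gate the call on the endpoint being a local unix socket and document the assumption next to it, e.g. `// GID is read on the client; only meaningful when the engine shares this filesystem`. The hunk also switches from `containerCfg.HostConfig.Mounts` to `hostConfig.Mounts`; `hostConfig` is declared outside the hunk, so confirm it aliases `containerCfg.HostConfig` rather than a copy. createContainer's body starts and ends outside the hunk.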
@@ -0,0 +1,24 @@
+//go:build !windows
+
+package container
+
+import (
+ "os"
+ "strconv"
+ "syscall"
+)
+
+// addSocketGroup appends the GID of the socket file at path to groupAdd, so
+// non-root users can access the socket without an explicit --group-add flag.
+// Errors are silently ignored; this is best-effort.
+func addSocketGroup(groupAdd *[]string, path string) {
+ fi, err := os.Stat(path)
+ if err != nil {
+ return
+ }
+ stat, ok := fi.Sys().(*syscall.Stat_t)
+ if !ok {
+ return
+ }
+ *groupAdd = append(*groupAdd, strconv.FormatUint(uint64(stat.Gid), 10))
+}
diff --git a/cli/command/container/use_api_socket_windows.go b/cli/command/container/use_api_socket_windows.go
new file mode 100644
index 000000000000..5f12d4331154
--- /dev/null
+++ b/cli/command/container/use_api_socket_windows.go
@@ -0,0 +1,4 @@
+package container
+
+// addSocketGroup is a no-op on Windows.
+func addSocketGroup(_ *[]string, _ string) {}
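Review bot: addSocketGroup in use_api_socket_unix.go appends whatever GID `os.Stat` reports without checking that the path is a socket or that the group is one worth granting. If the path is a stale regular file or directory, or the socket is owned by group 0, the container's processes get that group as a supplementary GID with no message to the user, which widens access to any files owned by that group that are mounted into the container. Adding `if fi.Mode()&os.ModeSocket == 0 { return }` after the stat, and skipping the append when the GID is already present in `*groupAdd`, keeps the grant tied to the socket. Since mounting the engine socket already gives the container control of the daemon, the doc comment should also state that the flag now changes the process's group set.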