Hi all,
Happy to announce we have a CentOS Atomic Host image ready for testing! Kudos to all the folks who've worked on this so far - it's going to be a lot of fun working from these and making Atomic the best way to run containers.
Please see the post here:
http://www.projectatomic.io/blog/2014/11/centos-atomic-sig-image-ready-for-t...
Images are here:
http://buildlogs.centos.org/rolling/7/
Let the testing commence!
Best,
jzb
Hello,
I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and found an issue with the cockpit-docker integration. To read the images and containers currently residing on the atomic host, cockpit-agent needs to connect to /var/run/docker.sock to which it does not have permission. I did a "chmod o+rw /var/run/docker.sock" to make it work on my test system. Is this a known issue or should I file a bug somewhere?
-- Aditya Patawari http://blog.adityapatawari.com/ India
On Fri, Nov 7, 2014 at 6:46 AM, Joe Brockmeier jzb@redhat.com wrote:
Joe Brockmeier | Principal Cloud & Storage Analyst jzb@redhat.com | http://community.redhat.com/ Twitter: @jzb | http://dissociatedpress.net/ _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel
On Sun, Nov 09, 2014 at 12:10:24AM +0530, Aditya Patawari wrote:
I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and found an issue with the cockpit-docker integration. To read the images and containers currently residing on the atomic host, cockpit-agent needs to connect to /var/run/docker.sock to which it does not have permission. I did a "chmod o+rw /var/run/docker.sock" to make it work on my test system. Is this a known issue or should I file a bug somewhere?
Note that this is basically equivalent to giving everyone on the system root.
On 11/08/2014 12:40 PM, Aditya Patawari wrote:
Hello,
I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and found an issue with the cockpit-docker integration. To read the images and containers currently residing on the atomic host, cockpit-agent needs to connect to /var/run/docker.sock to which it does not have permission. I did a "chmod o+rw /var/run/docker.sock" to make it work on my test system. Is this a known issue or should I file a bug somewhere?
I ran into this myself, but I see you've already filed the bug for it. I'm not certain what the root cause of this is, but it is something we'll work to address properly for the next release.
On 11/10/2014 03:01 AM, Jim Perrin wrote:
Not entirely sure at this point, but it looks like the docker rpm didn't create / set up the right groups in the image build.
On 11/10/2014 06:53 AM, Karanbir Singh wrote:
You should not be allowing non-root users to create docker containers.
http://www.projectatomic.io/blog/2014/09/granting-rights-to-users-to-use-doc...
There is a bug in the current systemd in rhel7 and I believe centos7 that does not setup the docker.sock to be root:docker 660. This should be fixed in the next version of systemd.
But currently docker does not have the Authorization controls to allow you to specify which access you give to a user on your system. This allows any user which can read/write /run/docker.sock to be able to get to root by simply executing
docker run -ti -v /:/host --privileged centos chroot /host
I would strongly recommend that you do not change the permissions on /run/docker.sock and require any users to use sudo to get access to docker containers.
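The permission check behind Dan's advice, as an added example that is not code from this thread or from the Atomic project: anyone who can connect to the Docker control socket can run the chroot one-liner quoted above, so the socket should be root:docker 0660 and the docker group should hold only accounts you would also give root. The script below audits both. It assumes GNU stat(1) for the -c format; the group lookup reads an /etc/group-style file whose path can be overridden so the logic can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example, not code from the thread: audit who can reach the Docker
# control socket. Assumes GNU stat(1) (-c). The verdict logic is pure shell
# so it can be exercised on constructed values.

# sock_verdict MODE OWNER GROUP
# MODE is the octal mode as printed by `stat -c %a` (660, 666, 0660 ...).
# Prints exactly one of: ok, world-access, unexpected-owner, unexpected-group.
sock_verdict() {
    mode=$1 owner=$2 group=$3
    # A leading 0 forces octal in POSIX arithmetic.
    other=$(( 0$mode & 07 ))
    grp=$(( (0$mode >> 3) & 07 ))
    if [ "$other" -ne 0 ]; then
        # chmod o+rw docker.sock: every local account is now root-equivalent.
        # Any "other" bit is flagged, not just write.
        echo world-access
    elif [ "$owner" != root ]; then
        echo unexpected-owner
    elif [ "$grp" -ne 0 ] && [ "$group" != docker ]; then
        # Group bits are set, but for some group other than docker.
        echo unexpected-group
    else
        echo ok
    fi
}

# docker_group_members [GROUPFILE]
# Prints the comma-separated member list of the docker group (empty if none).
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "${1:-/etc/group}"
}

# audit_docker_sock [SOCKET] [GROUPFILE]
# Returns 0 only when the socket permissions are acceptable.
audit_docker_sock() {
    sock=${1:-/var/run/docker.sock}
    groupfile=${2:-/etc/group}
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock"
        return 2
    fi
    set -- $(stat -c '%a %U %G' "$sock")
    verdict=$(sock_verdict "$1" "$2" "$3")
    echo "$sock $2:$3 $1 -> $verdict"
    echo "docker group members (root-equivalent): $(docker_group_members "$groupfile")"
    [ "$verdict" = ok ]
}

# Usage on a host: sh sock-audit.sh --audit [SOCKET] [GROUPFILE]
case "${1:-}" in
    --audit) audit_docker_sock "${2:-}" "${3:-}" ;;
esac
```

Run it with --audit on a host that has had the chmod o+rw applied and the verdict is world-access; a correctly installed socket reports ok, and the member list is the set of accounts that should be treated as root regardless of sudo configuration.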
On Mon, Nov 10, 2014 at 08:33:41AM -0500, Daniel J Walsh wrote:
On 11/08/2014 12:40 PM, Aditya Patawari wrote:
Hello,
I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and found an issue with the cockpit-docker integration. To read the images and containers currently residing on the atomic host, cockpit-agent needs to connect to /var/run/docker.sock to which it does not have permission. I did a "chmod o+rw /var/run/docker.sock" to make it work on my test system. Is this a known issue or should I file a bug somewhere?
Which docker package does this use? The one recompiled from rhel7 has the systemd support lacking as Dan mentioned, but if it's the native centos7 rpm that tracks upstream docker, that'll need some digging, as it doesn't use socket activation and /var/run/docker.sock is set to root:docker 660.
On Sun, Nov 09, 2014 at 12:10:24AM +0530, Aditya Patawari wrote:
I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and found an issue with the cockpit-docker integration. To read the images and containers currently residing on the atomic host, cockpit-agent needs to connect to /var/run/docker.sock to which it does not have permission. I did a "chmod o+rw /var/run/docker.sock" to make it work on my test system. Is this a known issue or should I file a bug somewhere?
I haven't run into this. I'd file it as a bug against Cockpit upstream, and we can try to work with upstream to get this figured out if it's a bug.
Best,
jzb
On 11/08/2014 12:40 PM, Aditya Patawari wrote:
Is this a known issue or should I file a bug somewhere?
Are you using root or another user to run containers?
Dan said "You should not be allowing non root users to create docker containers."
So what's the best practice we want to be pushing here, and is that possible under the current setup?
Best,
jzb
On 11/11/2014 11:00 AM, Joe Brockmeier wrote:
Personally, if it is a single-user machine and you have sudo set up to be used without a password, then set this up also.
If this is a multi-user system, and you don't want all of your users to be able to run as root, then don't do it. I would recommend just using sudo docker or, better yet, build a script that executes a specific docker command that your user could run.
dockerstart.sh: docker start foobar
dockerexec.sh: docker exec -ti foobar /bin/sh
dockerstop.sh: docker stop foobar
Then set up lines in sudoers to allow specific users to execute these scripts, only.
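A fuller version of the wrapper approach Dan describes, as an added example that is not his scripts or anything from the Atomic project: one root-owned script that is the only docker command a user may run through sudo. It accepts exactly one action and one container name, checks both against fixed lists, and only then calls docker; any extra argument (such as -v /:/host --privileged) is refused, which is the whole point, since "sudo docker" with free arguments would hand the user root. The install path /usr/local/bin/docker-ctl, the sudoers line in the comment, and the container allowlist are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: a single sudo-able wrapper that
# exposes three fixed docker actions on an allowlist of containers.
#
# Assumptions (not from the thread): installed root-owned, mode 0755, as
# /usr/local/bin/docker-ctl; the allowlist below is constructed.
# Matching sudoers line, restricting alice to this wrapper and nothing else:
#   alice ALL=(root) NOPASSWD: /usr/local/bin/docker-ctl

ALLOWED_CONTAINERS="foobar webapp"   # constructed allowlist

# validate_request ACTION NAME -> 0 if allowed, 1 otherwise
validate_request() {
    action=$1 name=$2
    case "$action" in
        start|stop|shell) ;;
        *) return 1 ;;
    esac
    # Reject empty names, anything starting with '-' (would be parsed as a
    # docker flag) and any character outside a conservative set.
    case "$name" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    for c in $ALLOWED_CONTAINERS; do
        [ "$c" = "$name" ] && return 0
    done
    return 1
}

# build_command ACTION NAME: prints the docker command line that would run.
# Kept separate from exec so the mapping can be checked without docker.
build_command() {
    case "$1" in
        start) echo "docker start $2" ;;
        stop)  echo "docker stop $2" ;;
        shell) echo "docker exec -ti $2 /bin/sh" ;;
    esac
}

main() {
    if [ $# -ne 2 ] || ! validate_request "$1" "$2"; then
        echo "usage: docker-ctl start|stop|shell <container>" >&2
        exit 1
    fi
    # Word-split the validated command line; names contain no whitespace.
    exec $(build_command "$1" "$2")
}

# Only act when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The sudoers entry grants the wrapper, not docker, so the user's reachable surface is exactly the three actions on the listed containers; anything else, including a shell in a container that mounts the host root, has to go through a real root login.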