Hi, according to the wiki page: https://wiki.centos.org/Cloud/Docker there should be a docker group in the docker rpm.
---------------------------
sudo usermod -a -G docker <your-user>
---------------------------
Is this still valid? Or how can an average user run docker without sudo?
Thanks in advance.
Regards.

On 12/07/2015 09:04 AM, Farkas Levente wrote:
> Hi, according to the wiki page: https://wiki.centos.org/Cloud/Docker there should be a docker group in the docker rpm.
This was the case. The group has since been removed by default as upstream (RH) considers it a GIANT security hole (spoiler: they're right).
> sudo usermod -a -G docker <your-user>
> Is this still valid?
Yes, but you first have to add the docker group yourself.
> Or how can an average user run docker without sudo?
A simple "groupadd docker" will work, then restart the docker service and add your user to that group.
Note, it's *trivial* to escalate this to gain root on the host system, so using the docker group is essentially passwordless sudo.

On 12/07/2015 05:17 PM, Jim Perrin wrote:
>> sudo usermod -a -G docker <your-user>
>> Is this still valid?
> Yes, but you first have to add the docker group yourself.
>> Or how can an average user run docker without sudo?
> A simple "groupadd docker" will work, then restart the docker service and add your user to that group.
> Note, it's *trivial* to escalate this to gain root on the host system, so using the docker group is essentially passwordless sudo.
But the name of the docker group is somehow hardcoded into docker itself?

On 12/07/2015 10:24 AM, Farkas Levente wrote:
> On 12/07/2015 05:17 PM, Jim Perrin wrote:
>>> sudo usermod -a -G docker <your-user>
>>> Is this still valid?
>> Yes, but you first have to add the docker group yourself.
>>> Or how can an average user run docker without sudo?
>> A simple "groupadd docker" will work, then restart the docker service and add your user to that group.
>> Note, it's *trivial* to escalate this to gain root on the host system, so using the docker group is essentially passwordless sudo.
> But the name of the docker group is somehow hardcoded into docker itself?
Correct.

On Mon, Dec 07, 2015 at 10:17:30AM -0600, Jim Perrin wrote:
>> Or how can an average user run docker without sudo?
> A simple "groupadd docker" will work, then restart the docker service and add your user to that group.
> Note, it's *trivial* to escalate this to gain root on the host system, so using the docker group is essentially passwordless sudo.
I think you also need to modify the docker socket so it's writable by the docker group.
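Jim's point that docker group membership is passwordless sudo, together with Jonathan's point that the socket's group permission is what actually grants that access, is what an administrator needs to audit on a host. The script below is an added example, not code from this thread or from the Docker project; the /etc/group and /var/run/docker.sock paths are assumptions, and the sample group entries are constructed.

```python
"""Audit who can drive the Docker daemon through its Unix socket.
Added example, not from this thread or the Docker project; both paths are assumptions."""
import os
import stat

DEFAULT_GROUP_FILE = "/etc/group"        # assumption: usual CentOS layout
DEFAULT_SOCKET = "/var/run/docker.sock"  # assumption: daemon's default socket
# Constructed sample of /etc/group content, used only by the demo run below.
SAMPLE_GROUP_TEXT = "root:x:0:\ndocker:x:993:alice,bob\nwheel:x:10:alice\n"

def parse_groups(group_text):
    """Map group name -> (gid, set of supplementary members) from /etc/group text."""
    groups = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def socket_writers(groups, sock_gid, sock_mode):
    """Supplementary members of the socket's group when its group-write bit is set;
    each is root-equivalent. Primary-gid members (/etc/passwd) need a separate check."""
    if not sock_mode & stat.S_IWGRP:
        return []
    for _name, (gid, members) in groups.items():
        if gid == sock_gid:
            return sorted(members)
    return []

def audit(group_file=DEFAULT_GROUP_FILE, sock=DEFAULT_SOCKET):
    """Print and return the accounts that should be treated as passwordless sudo."""
    with open(group_file) as fh:
        groups = parse_groups(fh.read())
    st = os.stat(sock)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{sock} is not a socket")
    if st.st_mode & stat.S_IWOTH:
        print(f"WARNING: {sock} is world-writable; every local user is root-equivalent")
    writers = socket_writers(groups, st.st_gid, st.st_mode)
    for user in writers:
        print(f"{user}: can write {sock}, treat as passwordless sudo")
    return writers

if __name__ == "__main__":
    # Demo on the constructed sample: a mode 0660 socket owned by gid 993 -> alice, bob
    print(socket_writers(parse_groups(SAMPLE_GROUP_TEXT), 993, 0o140660))
    if os.path.exists(DEFAULT_SOCKET):
        audit()
```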

On 12/07/2015 07:10 PM, Jonathan Billings wrote:
> On Mon, Dec 07, 2015 at 10:17:30AM -0600, Jim Perrin wrote:
>>> Or how can an average user run docker without sudo?
>> A simple "groupadd docker" will work, then restart the docker service and add your user to that group.
>> Note, it's *trivial* to escalate this to gain root on the host system, so using the docker group is essentially passwordless sudo.
> I think you also need to modify the docker socket so it's writable by the docker group.
IMHO the CentOS wiki should contain this info too.

On Mon, Dec 07, 2015 at 07:35:13PM +0100, Farkas Levente wrote:
>> I think you also need to modify the docker socket so it's writable by the docker group.
> IMHO the CentOS wiki should contain this info too.
I think that in general, we don't want people ever doing this, except on air-gapped nuclear fallout bunkers. (I jest, but...)

On 12/07/2015 02:01 PM, Jonathan Billings wrote:
> On Mon, Dec 07, 2015 at 07:35:13PM +0100, Farkas Levente wrote:
>>> I think you also need to modify the docker socket so it's writable by the docker group.
>> IMHO the CentOS wiki should contain this info too.
> I think that in general, we don't want people ever doing this, except on air-gapped nuclear fallout bunkers. (I jest, but...)
Here is my reasoning.
http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-...

On 12/07/2015 09:54 PM, Daniel J Walsh wrote:
> On 12/07/2015 02:01 PM, Jonathan Billings wrote:
>> On Mon, Dec 07, 2015 at 07:35:13PM +0100, Farkas Levente wrote:
>>>> I think you also need to modify the docker socket so it's writable by the docker group.
>>> IMHO the CentOS wiki should contain this info too.
>> I think that in general, we don't want people ever doing this, except on air-gapped nuclear fallout bunkers. (I jest, but...)
> Here is my reasoning.
> http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-...
Nice and clear. Would someone with access to the CentOS wiki page edit it: https://wiki.centos.org/Cloud/Docker

On 12/08/2015 05:31 AM, Farkas Levente wrote:
> Nice and clear. Would someone with access to the CentOS wiki page edit it: https://wiki.centos.org/Cloud/Docker
I've updated the wiki page to remove references to the docker group, and linked to Dan's blog post about why.

On 12/08/2015 08:26 AM, Jim Perrin wrote:
> On 12/08/2015 05:31 AM, Farkas Levente wrote:
>> Nice and clear. Would someone with access to the CentOS wiki page edit it: https://wiki.centos.org/Cloud/Docker
> I've updated the wiki page to remove references to the docker group, and linked to Dan's blog post about why.
BTW there is some movement on Authentication and Authorization in the docker daemon; we also have a patch for logging, which might eventually allow us to use the docker group, iff these get merged.

On 12/08/2015 07:38 AM, Daniel J Walsh wrote:
> On 12/08/2015 08:26 AM, Jim Perrin wrote:
>> On 12/08/2015 05:31 AM, Farkas Levente wrote:
>>> Nice and clear. Would someone with access to the CentOS wiki page edit it: https://wiki.centos.org/Cloud/Docker
>> I've updated the wiki page to remove references to the docker group, and linked to Dan's blog post about why.
> BTW there is some movement on Authentication and Authorization in the docker daemon; we also have a patch for logging, which might eventually allow us to use the docker group, iff these get merged.
This would be absolutely amazing to have for several reasons. Is there any way for the community to help push for these? GitHub comments on the PRs/issues maybe?

On 12/08/2015 08:50 AM, Jim Perrin wrote:
> On 12/08/2015 07:38 AM, Daniel J Walsh wrote:
>> On 12/08/2015 08:26 AM, Jim Perrin wrote:
>>> On 12/08/2015 05:31 AM, Farkas Levente wrote:
>>>> Nice and clear. Would someone with access to the CentOS wiki page edit it: https://wiki.centos.org/Cloud/Docker
>>> I've updated the wiki page to remove references to the docker group, and linked to Dan's blog post about why.
>> BTW there is some movement on Authentication and Authorization in the docker daemon; we also have a patch for logging, which might eventually allow us to use the docker group, iff these get merged.
> This would be absolutely amazing to have for several reasons. Is there any way for the community to help push for these? GitHub comments on the PRs/issues maybe?
Authorization Patch: https://github.com/docker/docker/pull/15365
Authentication: https://github.com/docker/docker/pull/13697