[CentOS-devel] CentOS Atomic SIG Image Ready for Testing

Mon Nov 10 13:33:41 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 11/10/2014 06:53 AM, Karanbir Singh wrote:
> On 11/10/2014 03:01 AM, Jim Perrin wrote:
>>
>> On 11/08/2014 12:40 PM, Aditya Patawari wrote:
>>> Hello,
>>>
>>> I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and
>>> found an issue with the cockpit-docker integration. To read the images
>>> and containers currently residing on the atomic host, cockpit-agent
>>> needs to connect to /var/run/docker.sock to which it does not have
>>> permission. I did a "chmod o+rw /var/run/docker.sock" to make it work
>>> on my test system.
>>> Is this a known issue or should I file a bug somewhere?
>>
>> I ran into this myself, but I see you've already filed the bug for it.
>> I'm not certain what the root cause of this is, but it is something
>> we'll work to address properly for the next release.
> not entirely sure at this point - but it looks like the docker rpm didn't
> create / set up the right groups in the image build.
>
>
You should not be allowing non root users to create docker containers.

http://www.projectatomic.io/blog/2014/09/granting-rights-to-users-to-use-docker-in-fedora/

There is a bug in the current systemd in rhel7 and I believe centos7
that does not set up the docker.sock to be root:docker 660.  This
should be fixed in the next version of systemd.

But currently docker does not have the authorization controls to allow
you to specify which access you give to a user on your system.  This
allows any user who can read/write /run/docker.sock to get to root by
simply executing

docker run -ti -v /:/host --privileged centos chroot /host

I would strongly recommend that you do not change the permissions on
/run/docker.sock and require any users to use sudo to get access to
docker containers.
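The check a host admin would want after reading the above, as an added example that is not part of the thread or of any Docker/systemd tooling: audit the socket's mode and owner the way the message expects it (root:docker 660, nothing for "other"), and list who is in the docker group, since those users are root-equivalent on the host. It assumes a Linux host with POSIX sh, ls and awk; the socket path and group file are parameters so the functions can be pointed at a fixture instead of the live system.

```shell
#!/bin/sh
# Added example: audit the docker socket permissions discussed in the thread.
# Not code from the thread, Docker or systemd. Assumes Linux, POSIX sh, ls, awk.

# check_docker_sock [PATH]
# Returns 0 when "other" has neither read nor write on PATH (the root:docker
# 0660 state expected in the thread), 1 when any local user can reach it
# (and therefore root, via the one-liner quoted in the thread), 2 if missing.
check_docker_sock() {
    sock="${1:-/run/docker.sock}"
    if [ ! -e "$sock" ]; then
        echo "missing: $sock"
        return 2
    fi
    # ls -ld prints e.g. "srw-rw---- 1 root docker 0 Nov 10 13:33 /run/docker.sock"
    line=$(ls -ld "$sock")
    perms=${line%% *}                 # first field: type char + 9 mode bits
    set -- $line
    owner=$3
    group=$4
    other=$(printf '%s' "$perms" | cut -c8-10)   # the "other" rwx triple
    case "$other" in
        *r*|*w*)
            echo "UNSAFE: $sock is $perms $owner:$group"
            echo "        any local user can run:"
            echo "        docker run -ti -v /:/host --privileged centos chroot /host"
            return 1 ;;
    esac
    if [ "$owner" != "root" ] || [ "$group" != "docker" ]; then
        echo "WARN: $sock is $perms $owner:$group (expected root:docker 660)"
    else
        echo "ok: $sock is $perms $owner:$group"
    fi
    return 0
}

# docker_group_members [GROUPFILE]
# Prints the member list of the docker group; treat every name as root.
docker_group_members() {
    gf="${1:-/etc/group}"
    awk -F: '$1 == "docker" { print $4 }' "$gf"
}

# Live usage on a host (both default to the real paths):
#   check_docker_sock && echo "docker group: $(docker_group_members)"
```

Run it as root or as the user you are auditing; if it prints UNSAFE, the fix is to restore the mode (chmod 660, chown root:docker) rather than to widen it, and to grant access with sudo as the message recommends.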