On 11/10/2014 06:53 AM, Karanbir Singh wrote:
> On 11/10/2014 03:01 AM, Jim Perrin wrote:
>>
>> On 11/08/2014 12:40 PM, Aditya Patawari wrote:
>>> Hello,
>>>
>>> I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and
>>> found an issue with the cockpit-docker integration. To read the images
>>> and containers currently residing on the atomic host, cockpit-agent
>>> needs to connect to /var/run/docker.sock to which it does not have
>>> permission. I did a "chmod o+rw /var/run/docker.sock" to make it work
>>> on my test system.
>>> Is this a known issue or should I file a bug somewhere?
>>
>> I ran into this myself, but I see you've already filed the bug for it.
>> I'm not certain what the root cause of this is, but it is something
>> we'll work to address properly for the next release.
> not entirely sure at this point - but it looks like the docker rpm didn't
> create / set up the right groups in the image build.
>
>

You should not be allowing non-root users to create docker containers.

http://www.projectatomic.io/blog/2014/09/granting-rights-to-users-to-use-docker-in-fedora/

There is a bug in the current systemd in rhel7 and I believe centos7 that does not set up the docker.sock to be root:docker 660. This should be fixed in the next version of systemd.

But currently docker does not have the Authorization controls to allow you to specify which access you give to a user on your system. This allows any user who can read/write /run/docker.sock to be able to get to root by simply executing

    docker run -ti -v /:/host --privileged centos chroot /host

I would strongly recommend that you do not change the permissions on /run/docker.sock and require any users to use sudo to get access to docker containers.
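
An added example, not part of the thread above and not code from Docker or CentOS: a Python audit that compares a socket against the root:docker 660 ownership and mode stated in the last message and flags the state that "chmod o+rw" leaves behind. The function names audit_socket and root_equivalent_users are hypothetical, and the default path and group name are assumptions taken from that message.

```python
import grp
import os
import stat
import sys

# Policy taken from the message above: root:docker, mode 660.
EXPECTED_MODE = 0o660
EXPECTED_GROUP = "docker"


def audit_socket(path="/run/docker.sock"):
    """Return (code, detail) findings; an empty list means the socket matches the policy."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(("not-socket", f"{path} is not a UNIX socket"))
    if mode & stat.S_IWOTH:
        # Connecting to a UNIX socket needs write permission, so o+w opens it to everyone.
        findings.append(("world-access", f"mode {mode:04o} lets any local user talk to the daemon"))
    elif mode & ~EXPECTED_MODE:
        findings.append(("extra-bits", f"mode {mode:04o} is wider than {EXPECTED_MODE:04o}"))
    if st.st_uid != 0:
        findings.append(("owner", f"owner uid {st.st_uid} is not root"))
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)  # gid with no entry in the group database
    if mode & stat.S_IWGRP and group not in ("root", EXPECTED_GROUP):
        findings.append(("group", f"group '{group}' can connect to the socket"))
    return findings


def root_equivalent_users(group=EXPECTED_GROUP):
    """Supplementary members of the socket group; each can reach root through the socket."""
    try:
        return sorted(grp.getgrnam(group).gr_mem)
    except KeyError:
        return []  # group does not exist on this host


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/run/docker.sock"
    results = audit_socket(target)
    for code, detail in results:
        print(f"[{code}] {detail}")
    print("root-equivalent via group:", ", ".join(root_equivalent_users()) or "(none)")
    sys.exit(1 if results else 0)
```

A clean result still means every member of the socket's group is root-equivalent, which is why the second function lists them.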