[CentOS-devel] CentOS Atomic SIG Image Ready for Testing

Mon Nov 10 14:09:15 UTC 2014
Lokesh Mandvekar <lsm5 at fedoraproject.org>

On Mon, Nov 10, 2014 at 08:33:41AM -0500, Daniel J Walsh wrote:
> 
> On 11/10/2014 06:53 AM, Karanbir Singh wrote:
> > On 11/10/2014 03:01 AM, Jim Perrin wrote:
> >>
> >> On 11/08/2014 12:40 PM, Aditya Patawari wrote:
> >>> Hello,
> >>>
> >>> I just tested out the CentOS-7-x86_64-AtomicHost-20141029_02.qcow2 and
> >>> found an issue with the cockpit-docker integration. To read the images
> >>> and containers currently residing on the atomic host, cockpit-agent
> >>> needs to connect to /var/run/docker.sock to which it does not have
> >>> permission. I did a "chmod o+rw /var/run/docker.sock" to make it work
> >>> on my test system.
> >>> Is this a known issue or should I file a bug somewhere?

Which docker package does this use? The one recompiled from rhel7
has the systemd support lacking as Dan mentioned, but if it's the native centos7
rpm that tracks upstream docker, that'll need some digging, as it doesn't use
socket activation and /var/run/docker.sock is set to root:docker 660.

> >>
> >> I ran into this myself, but I see you've already filed the bug for it.
> >> I'm not certain what the root cause of this is, but it is something
> >> we'll work to address properly for the next release.
> > not entirely sure at this point - but it looks like the docker rpm didn't
> > create / setup the right groups in the image build.
> >
> >
> You should not be allowing non root users to create docker containers.
> 
> http://www.projectatomic.io/blog/2014/09/granting-rights-to-users-to-use-docker-in-fedora/
> 
> There is a bug in the current systemd in rhel7 and I believe centos7
> that does not set up the docker.sock to be root:docker 660.  This should
> be fixed in the next version of systemd.
> 
> But currently docker does not have the Authorization controls to allow
> you to specify which access you give to a user on your system.  This
> allows any user which can read/write /run/docker.sock to be able to get
> to root by simply executing
> 
> docker run -ti -v /:/host --privileged centos chroot /host
> 
> I would strongly recommend that you do not change the permissions on
> /run/docker.sock and require any users to use sudo to get access to
> docker containers.

-- 
Lokesh
Freenode, OFTC: lsm5
GPG: 0xC7C3A0DD
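A small audit script for the socket posture discussed in this thread (owner root, group docker, mode 660, no "other" bits, and a reviewed docker group, since its members are root-equivalent). This is an added example, not code from the thread or from the CentOS/Atomic projects; it assumes GNU stat(1) and takes an optional group-file path so it can be exercised offline.

```shell
#!/bin/sh
# Audit /var/run/docker.sock against the posture described in the thread.
# Added example (not from the thread). Assumes GNU stat(1) -c format strings.

# Octal mode of a path, e.g. "660".
sock_mode() { stat -c '%a' "$1"; }

# The "other" permission digit (last octal digit) of a path.
sock_other_bits() {
    m=$(sock_mode "$1")
    printf '%s\n' "${m#"${m%?}"}"
}

# 0 if the mode is exactly 660 (rw for owner and group only), else 1.
sock_mode_ok() { [ "$(sock_mode "$1")" = "660" ]; }

# 0 if the owner is root and the group is docker, else 1.
sock_owner_ok() { [ "$(stat -c '%U:%G' "$1")" = "root:docker" ]; }

# Comma-separated members of the docker group from a group(5) file
# (default /etc/group). Empty output means only root reaches the socket.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "${1:-/etc/group}"
}

# Print findings for a socket path; return the number of problems found.
docker_sock_audit() {
    path="${1:-/var/run/docker.sock}"
    groupfile="${2:-/etc/group}"
    problems=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"; return 1
    fi
    if ! sock_mode_ok "$path"; then
        echo "BAD MODE $(sock_mode "$path") on $path (want 660; other bits=$(sock_other_bits "$path"))"
        problems=$((problems + 1))
    fi
    if ! sock_owner_ok "$path"; then
        echo "BAD OWNER $(stat -c '%U:%G' "$path") on $path (want root:docker)"
        problems=$((problems + 1))
    fi
    members=$(docker_group_members "$groupfile")
    [ -n "$members" ] && echo "NOTE docker group members are root-equivalent: $members"
    return "$problems"
}

# Run the audit only when a socket path is given on the command line.
if [ "$#" -gt 0 ]; then
    docker_sock_audit "$@"
fi
```

Run it as `sh docker-sock-audit.sh /var/run/docker.sock`; a non-zero exit means the socket is not at root:docker 660 or does not exist.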