Bug 1249986 - Recover ability to run docker client as non-root user
Product: Fedora
Classification: Fedora
Component: docker
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Assigned To: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-08-04 06:06 EDT by Yajo
Modified: 2015-08-04 11:29 EDT
CC: 10 users
Doc Type: Bug Fix
Last Closed: 2015-08-04 10:34:37 EDT
Type: Bug
Description Yajo 2015-08-04 06:06:16 EDT
Description of problem:
In the past, a user of the docker group could run docker commands without sudo. Now, only root can.

Docker by its nature can be used in many environments. Using it for development speeds it up very much. Using sudo (and probably typing a password) for almost every command in development is disgusting.

But docker by its nature can be insecure too.

Quoting from bug 1119282:

(Lars Kellogg-Stedman from bug 1119282 comment #23)
> hallajs: it was an intentional configuration change that running "docker"
> requires root privileges, because having docker access effectively gives you
> root on the system.  Because this is a security issue, the default
> configuration is unlikely to change.
> If you don't have these particular concerns in your own environment, you can
> simply configure your system to have a `docker` group, make sure you're a
> member of that group, and make sure the `docker` daemon is configured to use
> that group when it creates the socket.

(Yajo from bug 1119282 comment #24)
> The same is true with `sudo`, and you don't need to create the `wheel` group.

(Lars Kellogg-Stedman from bug 1119282 comment #25)
> Yajo: While true, that's because sudo's primary purpose is privilege
> escalation.  That is *not* the primary purpose of Docker, and it is highly
> likely that the privilege-escalating aspects of Docker are not necessarily
> obvious to everyone using it.

I opened this new bug to discuss it.

So here is my suggestion: What about a new rpm package (something like docker-group-insecure) that adds the docker group and binds it to the docker socket automatically?

SysAdmins installing an rpm with "insecure" in its name will probably read the description and know the risks they face. Those who use their computer for development (among them, me) will thank this package very much.
Comment 1 Daniel Walsh 2015-08-04 08:26:44 EDT
You can set up sudo to run without a password; you could even set up an alias or script to run

sudo docker $*

Why is this not enough?

We are working on getting proper logging into docker to give us at least what sudo gives us.

I want to know that dwalsh ran 

docker run -ti --privileged -v /:/host fedora chroot /host

Which gives me full root.  With current docker there is no log of this ever happening.

We are also working on proper authentication and authorization into the docker daemon.  

If you want to get docker to be able to run by non-root users, then comment/demand that docker merge our patches.  Not for us to set up insecure programs to get root access without any audit trail.
Comment 2 Lars Kellogg-Stedman 2015-08-04 09:57:01 EDT
I'm not sure that installing something like "docker-group-insecure" is much easier than creating a "docker" group yourself:

  groupadd -r docker

And then adding "-G docker" to OPTIONS in /etc/sysconfig/docker:

  OPTIONS=-G docker --selinux-enabled

...and restarting docker.  These are the only configuration changes necessary; then you can add people to the docker group and they will be able to run docker as themselves.
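Since the configuration above makes every member of the `-G` group root-equivalent (the point Daniel Walsh makes in comment 1), an administrator may want to audit who that is. The following POSIX shell script is an added example, not part of this bug report or of the docker package; it parses the daemon OPTIONS line and an /etc/group-style listing (both constructed samples here, so it runs offline) and prints the accounts that can reach the docker socket without sudo.

```shell
#!/bin/sh
# Added audit example (not from the bug report): list accounts that are
# root-equivalent via the docker socket group set with "-G" in OPTIONS.
# Constructed sample inputs stand in for /etc/group and /etc/sysconfig/docker.

SAMPLE_GROUP='root:x:0:
wheel:x:10:yajo
docker:x:986:yajo,dev2'
SAMPLE_OPTIONS='OPTIONS=-G docker --selinux-enabled'

# docker_socket_group OPTIONS_LINE -> group named by "-G" (default: root).
# Assumes the "-G <group>" or "-G=<group>" spelling used in the comment above.
docker_socket_group() {
  grp=$(printf '%s\n' "$1" | sed -n 's/.*-G[ =]\{0,1\}\([^ ]*\).*/\1/p')
  [ -n "$grp" ] && printf '%s\n' "$grp" || printf 'root\n'
}

# group_members GROUP_FILE_CONTENT GROUP_NAME -> comma-separated member field
group_members() {
  printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# root_equivalent_users GROUP_FILE_CONTENT OPTIONS_LINE -> one account per line.
# With no "-G" the socket stays root-owned, so nothing is printed.
root_equivalent_users() {
  g=$(docker_socket_group "$2")
  [ "$g" = root ] && return 0
  group_members "$1" "$g" | tr ',' '\n' | sed '/^$/d'
}

# Report for the constructed sample (prints: yajo, dev2)
root_equivalent_users "$SAMPLE_GROUP" "$SAMPLE_OPTIONS" \
  | sed 's/^/root-equivalent via docker socket: /'
```

On a real host, feed it `"$(cat /etc/group)"` and the OPTIONS line from /etc/sysconfig/docker; the list it prints is the set of accounts whose actions will not appear in the sudo log.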
Comment 3 Lokesh Mandvekar 2015-08-04 10:34:37 EDT
RE: using sudo without password, add this line for your user ('yajo' in this case) to /etc/sudoers


...and to ~/.bashrc add:

alias docker="sudo docker"
