Red Hat Bugzilla – Bug 1249986
Recover ability to run docker client as non-root user
Last modified: 2015-08-04 11:29:48 EDT
Description of problem:
In the past, a user of the docker group could run docker commands without sudo. Now, only root can.
Docker by its nature can be used in many environments. Using it for development speeds it up very much. Using sudo (and probably typing a password) for almost every command in development is disgusting.
But docker by its nature can be insecure too.
Quoting from bug 1119282:
(Lars Kellogg-Stedman from bug 1119282 comment #23)
> hallajs: it was an intentional configuration change that running "docker"
> requires root privileges, because having docker access effectively gives you
> root on the system. Because this is a security issue, the default
> configuration is unlikely to change.
> If you don't have these particular concerns in your own environment, you can
> simply configure your system to have a `docker` group, make sure you're a
> member of that group, and make sure the `docker` daemon is configured to use
> that group when it creates the socket.
(Yajo from bug 1119282 comment #24)
> The same is true with `sudo`, and you don't need to create the `wheel` group.
(Lars Kellogg-Stedman from bug 1119282 comment #25)
> Yajo: While true, that's because sudo's primary purpose is privilege
> escalation. That is *not* the primary purpose of Docker, and it is highly
> likely that the privilege-escalating aspects of Docker are not necessarily
> obvious to everyone using it.
I opened this new bug to discuss it.
So here is my suggestion: What about a new rpm package (something like docker-group-insecure) that adds the docker group and binds it to the docker socket automatically?
SysAdmins installing a rpm with "insecure" in its name will probably read the description and know the risks they face. Those who use their computer for development (among them, me) will thank this package very much.
You can setup sudo to run without a password, you could even setup an alias or script to run
sudo docker $*
Why is this not enough?
We are working on getting proper logging into docker to give us at least what sudo gives us.
I want to know that dwalsh ran
docker run -ti --privileged -v /:/host fedora chroot /host
Which gives me full root. With current docker their is no log of this ever happening.
We are also working on proper authentication and authorization into the docker daemon.
If you want to get docker to be able to run by non root users then comment/demand that docker merge our patches. Not for us to setup insecure programs to get root access without any audit trail.
I'm not sure that installing something like "docker-group-insecure" is much easier than creating a "docker" group yourself:
groupadd -r docker
And then adding "-G docker" to OPTIONS in /etc/sysconfig/docker:
OPTIONS=-G docker --selinux-enabled
...and restarting docker. These are the only configuration changes necessary; then you can add people to the docker group and they will be able to run docker as themselves.
RE: using sudo without password, add this line for your user ('yajo' in this case) to /etc/sudoers
yajo ALL=(ALL) NOPASSWD: ALL
...and to ~/.bashrc add:
alias docker="sudo docker"