Description of problem:
When using docker by docker in a systems CI configuration there is no guaranteed consistent GID that is safe to use for the socket to be mounted into the container. The RHEL package just does a groupadd -r dockerroot and the Fedora package doesn't even create such a group in the scripts. It's useful, and important in a docker by docker situation, to provide the group to the socket (via the -G option in DOCKER_OPTS) to lock down socket usage without requiring a sudo configuration as well (for example in the Jenkins docker pipeline world it looks for docker specifically and can't use an alias of docker=sudo docker). However, since there is not an allocated GID it's possible, even likely, for the container to end up with a GID different from the host, and then using -v to mount results in a clash and permission issues - this is even more likely when building a container on one host that might be used on another, so the Dockerfile cannot have a lookup of the GID during build for a RUN groupadd.

Version-Release number of selected component (if applicable):
docker-1.12.3-2.git91ae1d1.fc25.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install docker
2. getent group | grep dockerroot

Actual results:
no group on fedora, a dynamically allocated group on rhel/centos

Expected results:
consistent group gid
We don't like to make the docker socket available to general users since it has little authorization and authentication in it. If I can write to the docker.sock, I get full access to root on the host, and there is no auditing/logging. http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/ We prefer the sudo solution.
I also prefer the sudo solution in general, but as I mentioned there are some tools like the Jenkins plugins that specifically look for and call the docker binary directly, so an alias or similar solution to make docker actually sudo docker doesn't work, which is when you need the socket. I certainly wouldn't want it set this way by default; that would be horrible. This is just about having FPC assign a gid (and RH using that in the docker in extras too) to keep things consistent in the event a socket and mounting of it is required.
BTW the dockerroot is different than the docker group. dockerroot is about running containers with usernamespace and all alternative root in the namespace.
But on the Fedora side that is dockerremap if I'm remembering right... Can we try and get some consistency between these? It'll make testing and development much easier. A gid dedicated to docker socket use that is kept consistent through static allocation would still be of use though.
Do you know how to go about this?
Yes, it needs an FPC ticket and then an appropriate %pre using the allocated UID/GID.

Currently the RHEL package has a pre for dockerroot but is doing dynamic allocation: https://git.centos.org/blob/rpms!!docker.git/f0cd60cecb60a1f677c42b645b557a763c8694f9/SPECS!docker.spec#L518

The Fedora package matched the behaviour of the RHEL one up until this commit: https://pkgs.fedoraproject.org/cgit/rpms/docker.git/commit/?id=0773320d3fe873aa2824c7d81cb8d7a49690f2fe

At present the Fedora docker packages don't create any user at all.

For the soft static allocation a ticket needs to be opened by the maintainer with FPC stating the rationale behind it: https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation
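Added example, not from the bug report or either package: a shell sketch of the two pieces the thread asks for, a %pre-style "create the group only if missing, with a fixed GID" step, and a pre-flight check that the host socket's group matches the GID an image was built with before it is bind-mounted. The group name dockersock and GID 9999 are placeholders standing in for whatever FPC would allocate.

```shell
#!/bin/sh
# Placeholders: a real value would come from the FPC soft-static allocation.
DOCKER_SOCK_GROUP="${DOCKER_SOCK_GROUP:-dockersock}"
DOCKER_SOCK_GID="${DOCKER_SOCK_GID:-9999}"

# Look up a group's GID in a group(5)-format file (default /etc/group).
# Prints the GID and returns 0, or returns 1 when the group is absent.
group_gid() {
    name=$1
    file=${2:-/etc/group}
    awk -F: -v n="$name" '$1 == n { print $3; found = 1 } END { exit !found }' "$file"
}

# What an rpm %pre scriptlet does once a GID is allocated: create the group
# only if it is missing, always with the same GID, so every host agrees and
# a Dockerfile can hard-code `RUN groupadd -g 9999 dockersock`.
ensure_static_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd -r -g "$2" "$1"
}

# Pre-flight check before `docker run -v /var/run/docker.sock:/var/run/docker.sock`
# on a daemon started with `-G $DOCKER_SOCK_GROUP`: does the socket's group on
# the host match the GID the image expects? Returns 0 on match, 1 on mismatch,
# 2 if the path does not exist. (stat -c is GNU coreutils syntax.)
socket_gid_matches() {
    sock=$1
    expected=$2
    [ -e "$sock" ] || return 2
    actual=$(stat -c %g "$sock") || return 2
    [ "$actual" -eq "$expected" ]
}
```

A mismatch here is the "permission denied on /var/run/docker.sock" symptom the report describes, caught before the container starts rather than inside the Jenkins job.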
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.