Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1390922

Summary: allocated GID for docker socket usage
Product: Red Hat Enterprise Linux 7 Reporter: James Hogarth <james.hogarth>
Component: dockerAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: adimania, admiller, amurdaca, dwalsh, extras-qa, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, nalin, pasik, riek, tsweeney
Target Milestone: rcKeywords: Extras
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1390921 Environment:
Last Closed: 2020-06-09 21:12:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description James Hogarth 2016-11-02 09:17:03 UTC 
+++ This bug was initially created as a clone of Bug #1390921 +++

Description of problem:
When using docker by docker in a systems CI configuration there is no guaranteed consistent GID that is safe to use for the socket to be mounted into the container.

The RHEL package just does a groupadd -r dockerroot and the Fedora package doesn't even create such a group in the scripts.

It's useful, and important in a docker by docker situation, to provide the group to the socket (via the -G option in DOCKER_OPTS) to lock down socket usage without requiring a sudo configuration as well (for example in the Jenkins docker pipeline world it looks for docker specifically and can't use an alias of docker=sudo docker).

However since there is not an allocated GID it's possible, even likely, for the container to end up with a GID different from the host and then using -v to mount results in a clash and permission issues - this is even more likely when building a container on one host that might be used on another so the Dockerfile cannot have a lookup of the GID during build for a RUN groupadd.

Version-Release number of selected component (if applicable):
docker-1.10.3-46.el7.centos.14.x86_64

How reproducible:
always

Steps to Reproduce:
1. dnf install docker
2. getent group | grep dockerroot
3. 

Actual results:
no group on fedora, a dynamically allocated group on rhel/centos

Expected results:
consistent group gid
Comment 2 Daniel Walsh 2017-06-30 16:07:49 UTC 
We don't want to assign a docker root, since we consider it unsafe behaviour.
Comment 3 Tom Sweeney 2020-06-09 21:12:51 UTC 
We have no plans to ship another version of Docker at this time. RHEL7 is in final support stages where only security fixes will get released.  Customers should move to use Podman which is available starting in RHEL 7.6.