Hide Forgot
+++ This bug was initially created as a clone of Bug #1390921 +++ Description of problem: When using docker by docker in a systems CI configuration there is no guaranteed consistent GID that is safe to use for the socket to be mounted into the container. The RHEL package just does a groupadd -r dockerroot and the Fedora package doesn't even create such a group in the scripts. It's useful, and important in a docker by docker situation, to provide the group to the socket (via the -G option in DOCKER_OPTS) to lock down socket usage without requiring a sudo configuration as well (for example in the Jenkins docker pipeline world it looks for docker specifically and can't use an alias of docker=sudo docker). However since there is not an allocated GID it's possible, even likely, for the container to end up with a GID different from the host and then using -v to mount results in a clash and permission issues - this is even more likely when building a container on one host that might be used on another so the Dockerfile cannot have a lookup of the GID during build for a RUN groupadd. Version-Release number of selected component (if applicable): docker-1.10.3-46.el7.centos.14.x86_64 How reproducible: always Steps to Reproduce: 1. dnf install docker 2. getent group | grep dockerroot 3. Actual results: no group on fedora, a dynamically allocated group on rhel/centos Expected results: consistent group gid
We don't want to assign a docker root, since we consider it unsafe behaviour.
We have no plans to ship another version of Docker at this time. RHEL7 is in final support stages where only security fixes will get released. Customers should move to use Podman which is available starting in RHEL 7.6.