
docker group or not #2

Closed
cgwalters opened this issue Jul 10, 2018 · 10 comments · Fixed by coreos/fedora-coreos-config#175
Labels
jira for syncing to jira kind/design

Comments

@cgwalters
Member

We need to decide whether to include a docker group or not. Today CL does, Fedora does not. Context: https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/

@JasonGiedymin

Prefer from a security standpoint that the docker group not exist. Many enterprise customers will appreciate that. At least as a good default. To force the group creation by default would bring multiple dependencies into the fold from a security perspective. That is, a dependency on having strong auditing in place, and on having a strong means to react to said auditing. Something across the spectrum not all have.

I understand that from a "part-time user" standpoint (read: non-sysadmin with responsibility over many nodes) it could be difficult to use. At the same time, it shouldn't be too difficult to create such a group and chown across the things that need chowning.

To me the question is what group do you focus on? Enterprise, or (for lack of a better name) Desktop Users? Do you offer a different flavor of the OS?

Maybe you make docker groups package that when installed does all the work, let the user decide?

@bgilbert
Contributor

If we made it optional, that would likely happen via an Ignition config and maybe some CT sugar. "Installing packages" on Fedora CoreOS is not exactly a thing.

@JasonGiedymin

JasonGiedymin commented Jul 25, 2018 via email

@bgilbert
Contributor

I'm hoping we don't have any of those either. 😁

@JasonGiedymin

That’s cool too. Anything to make my life easier.

@chrisweeksnz

chrisweeksnz commented Aug 19, 2019

The Fedora CoreOS tech preview has a docker group added, but configured so that users can't be added to it. The group appears to exist in /etc/gshadow, but not in /etc/group.

Running `echo "$(getent group docker)" >> /etc/group` restores normal function to the docker group (e.g. `usermod -aG docker myusername` will grant access to the docker daemon).
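As an added example, not code from this issue thread or from the Fedora CoreOS project: a POSIX shell script that classifies the state of the docker group on a host the way the comment above describes (present in `/etc/group`, resolvable through NSS only, or absent), applies the same `getent … >> group` workaround to a file, and lists the group's members so an operator can audit who holds daemon access (membership in the docker group is root-equivalent on the host, which is the concern raised earlier in the thread). The file paths, the sample group entries and the `getent` output are constructed for the example; on a real host you would point the functions at `/etc/group` and at a file holding the output of `getent group docker`.

```shell
#!/bin/sh
# Added example (not from the issue or the project).
#
# docker_group_state GROUP_FILE GETENT_FILE
#   GROUP_FILE   an /etc/group-style file
#   GETENT_FILE  a file holding the output of `getent group docker`
#                (empty when the group does not resolve through NSS)
# Prints one of: consistent, nss-only, absent.
docker_group_state() {
    group_file=$1
    getent_file=$2
    in_group_file=0
    in_nss=0
    grep -q '^docker:' "$group_file" && in_group_file=1
    grep -q '^docker:' "$getent_file" && in_nss=1
    if [ "$in_group_file" -eq 1 ]; then
        echo consistent
    elif [ "$in_nss" -eq 1 ]; then
        # Resolvable via NSS (for example from /etc/gshadow) but missing from
        # /etc/group: the state described in the issue, where
        # `usermod -aG docker user` fails.
        echo nss-only
    else
        echo absent
    fi
}

# docker_group_members GROUP_FILE
# Prints the comma-separated member list of the docker group (empty when
# nobody has been added, which is the safer default).
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# add_docker_group_line GROUP_FILE GETENT_FILE
# The workaround from the comment above: append the NSS-resolved line to the
# group file only when it is missing there. Prints the resulting state.
add_docker_group_line() {
    if [ "$(docker_group_state "$1" "$2")" = nss-only ]; then
        cat "$2" >> "$1"
    fi
    docker_group_state "$1" "$2"
}

# Constructed sample data (not captured from a real host).
tmpdir=$(mktemp -d)
cat > "$tmpdir/group.ok" <<'EOF'
root:x:0:
wheel:x:10:core
docker:x:990:core,alice
EOF
cat > "$tmpdir/group.missing" <<'EOF'
root:x:0:
wheel:x:10:core
EOF
printf 'docker:x:990:\n' > "$tmpdir/getent.docker"
: > "$tmpdir/getent.none"

# Stand-alone run: report each sample state and the audited membership.
echo "ok host:      $(docker_group_state "$tmpdir/group.ok" "$tmpdir/getent.docker")"
echo "members:      $(docker_group_members "$tmpdir/group.ok")"
echo "preview host: $(docker_group_state "$tmpdir/group.missing" "$tmpdir/getent.docker")"
echo "no group:     $(docker_group_state "$tmpdir/group.missing" "$tmpdir/getent.none")"
```

Against a live system the same functions take `/etc/group` and a file written with `getent group docker > /tmp/docker.getent`; a `consistent` result with a non-empty member list is what to review, since each listed account can reach the daemon socket without `sudo`.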

@dustymabe
Member

So the open question here is whether we do one of these two options:

  • we add a docker group to /etc/group so that usermod -aG docker myusername works?
  • we encourage users to use sudo docker instead

@dustymabe dustymabe added the meeting topics for meetings label Sep 4, 2019
@dustymabe
Member

dustymabe commented Sep 11, 2019

We discussed this in the Fedora CoreOS meeting today.

* we are going to try to prioritize systemd-sysusers work for FCOS
    stable, but we will hackishly try to add docker to the /etc/group
    file to smooth the path for users who are currently using FCOS
    preview releases  (dustymabe, 17:06:48)

Basically we are going to prioritize work that will make usermod work generically in the future. In the short term we'll hack in the docker group to /etc/group so that other users don't hit this same issue in FCOS preview.

@dustymabe dustymabe added jira for syncing to jira and removed meeting topics for meetings labels Sep 11, 2019
dustymabe added a commit to dustymabe/fedora-coreos-config that referenced this issue Sep 19, 2019
This is a short term solution to fix an issue where running
`usermod -aG docker username` doesn't work.

Fixes: coreos/fedora-coreos-tracker#2
jlebon pushed a commit to coreos/fedora-coreos-config that referenced this issue Sep 20, 2019
This is a short term solution to fix an issue where running
`usermod -aG docker username` doesn't work.

Fixes: coreos/fedora-coreos-tracker#2
@ajeddeloh
Contributor

coreos/fedora-coreos-config#175 is a short term solution, do we want to reopen until we have the final solution? cc @dustymabe @jlebon

@dustymabe
Member

We are tracking the long term solution in coreos/rpm-ostree#49. It's not a ticket in this tracker though.

If we want to track here then I'd suggest we open a new ticket that isn't specific to the docker group.
