Better documentation about if/when docker needs to be run as root #132

Closed
cespare opened this issue Mar 22, 2013 · 8 comments

cespare commented Mar 22, 2013

Playing around with docker following some of the things listed in the readme, I noticed that I often had to run commands as root or they wouldn't work. A common symptom is spouting a list of JSON config files that docker doesn't have permission to read. But at other times, I didn't need to run as root -- usually after starting the daemon mode. (This was confirmed by @shykes and other folks in IRC who mentioned that the readme directions are partly outdated and from a time when the daemon -- as root -- always had to be running.)

For instance, I believe that this little example about "starting a long-running worker process":

(docker -d || echo "Docker daemon already running") &
JOB=$(docker run base /bin/sh -c "while true; do echo Hello world; sleep 1; done")
docker logs $JOB
docker kill $JOB

works correctly if the first docker -d command is run with sudo. But it wasn't always clear to me when it was and wasn't required, and why.

It would be good to audit the use of sudo (or lack thereof) throughout the readme examples.

ghost assigned mzdaniel Mar 23, 2013

shin- commented Mar 25, 2013

Hi,

I understand how this could be confusing. Basically, docker -d (daemonized docker) needs to be run as root because it will handle all sorts of operations that can't be executed by normal users, such as mounting aufs filesystems and such. Once docker -d is running, you can use docker commands as a simple client since the only thing it does is send commands to the daemon.

If you don't launch the docker -d process, the docker command will start an ephemeral daemon process. If you're doing simple operations like listing containers or images, it will probably run fine as a normal user, but commands like docker run will obviously still need to be run as root.

Hope that helps clarify it!


cespare commented Apr 9, 2013

Looking back on this ticket after using docker a lot over the past couple of weeks, my position is that we should get rid of standalone mode entirely. The root/non-root confusion will be reduced as a nice side-effect.


sa2ajj commented Apr 9, 2013

@cespare, 👍


shykes commented Apr 9, 2013

It looks like we might need to deprecate standalone mode... I summarized the arguments for it in #364. Please weigh in if you have an opinion.


pwaller commented Apr 29, 2013

By the way, if CONFIG_USER_NS is turned on, then it is possible for an unprivileged user on the host to have privileges to mount inside the container.

Given that, is it possible that docker will support running as non-root in the future? Has this been discussed before?
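
As an added example, not part of this thread or of Docker's code: a shell check for the CONFIG_USER_NS condition mentioned in the comment above, read from a kernel config, together with the runtime limit in /proc/sys/user/max_user_namespaces (kernels 4.9 and later). The function names and the sample config fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does a kernel allow user namespaces?

# userns_build_state: read kernel config text on stdin and print
#   enabled (CONFIG_USER_NS=y), disabled (explicitly off) or unknown (absent).
userns_build_state() {
    awk '
        /^CONFIG_USER_NS=y$/            { s = "enabled" }
        /^CONFIG_USER_NS=n$/            { s = "disabled" }
        /^# CONFIG_USER_NS is not set$/ { s = "disabled" }
        END { print (s == "" ? "unknown" : s) }
    '
}

# userns_runtime_state FILE: FILE holds the max_user_namespaces limit.
# A limit of 0 blocks creation even when the option is compiled in.
userns_runtime_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    limit=$(tr -d '[:space:]' < "$1")
    case "$limit" in
        ''|*[!0-9]*) echo unknown ;;
        0)           echo blocked ;;
        *)           echo allowed ;;
    esac
}

# host_report: apply both checks to the running kernel.
host_report() {
    if [ -r /proc/config.gz ]; then
        build=$(gzip -dc /proc/config.gz | userns_build_state)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        build=$(userns_build_state < "/boot/config-$(uname -r)")
    else
        build=unknown
    fi
    echo "build=$build runtime=$(userns_runtime_state /proc/sys/user/max_user_namespaces)"
}

# Constructed sample config fragments, not taken from any real host.
SAMPLE_ON='CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y'
SAMPLE_OFF='CONFIG_NAMESPACES=y
# CONFIG_USER_NS is not set
CONFIG_PID_NS=y'

printf '%s\n' "$SAMPLE_ON"  | userns_build_state
printf '%s\n' "$SAMPLE_OFF" | userns_build_state
host_report
```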

@metalivedev

@pwaller I think you should reenter the CONFIG_USER_NS idea as a new issue and label it as a feature request. This issue was about documenting the requirements for root vs non-root, and now that the docker daemon must be running (per #364) and must be run as root to become a daemon, the documentation becomes simpler.

Running the daemon as non-root would be a new feature request and separate from this documentation issue.

I'll review the docs to make sure we always talk about starting the daemon with sudo and then I'll close this ticket.

@metalivedev

I've confirmed that the current docs always show docker used in a situation where the daemon is already running as root (e.g. the vagrant installations) or demonstrate starting the daemon with sudo (e.g. the examples).

Closing.

@tphyahoo

Could this have label project/security added?

runcom added a commit to runcom/docker that referenced this issue Apr 23, 2016
BACKPORT: Fixes for --cgroup-parent slices to expand correctly