dockerd ignores sssd docker group

[ap0phi5]

Previously on 1.11, there was a systemd implementation of docker.socket that defined the socket to run as root:docker (SocketGroup=docker).

With the 1.12 implementation of dockerd, --group=docker seems to be is ignored if the group isn't explicitly defined in /etc/group.

On site here, we manage user accounts and groups with FreeIPA - this uses sssd, rather than local accounts. As such, there is no entry for docker in /etc/group, meaning the upgrade to 1.12 knocked out non-root user access to the docker socket. The temporary fix for this was to manually add an entry for docker with the correct GID into /etc/group.

Looking at the source, I suspect the existence of group docker is being checked using:
grep docker /etc/group
rather than:
getent group docker

[ap0phi5]

#24804

[grisaitis]

i think this issue can be closed. the OP's issue appears to be fixed by 6cb8392

[cpuguy83]

Seems so, thanks!

[RulerOf]

I ran into this problem on a server running an old version of docker before this was fixed.

Specifying the gid number directly in /etc/sysconfig/docker is a viable workaround:

dockergid=$(getent group docker | cut -d: -f3)
sudo sed -i /etc/sysconfig/docker -e "s/other_args=.*/other_args=--group=$dockergid/g"