How to grant permissions to users using Docker in Fedora

This article is a translation of an open source article by Daniel J. Walsh: http://opensource.com/business/14/10/docker-user-rights-fedora

On the docker-dev mailing list, someone asked about the Fedora documentation that describes how to add users to the docker group. That user wanted his users to be able to run docker search, to find images they could use.

From the Docker installation documentation for Fedora:

Granting users rights to use Docker. Fedora 19 and 20 shipped with Docker 0.11; the Fedora 20 package has since been updated to 1.0. If you are still using the 0.11 version, you will need to grant users the right to use Docker. The docker command-line tool contacts the docker daemon through /var/run/docker.sock, a socket file owned by the docker group. One must be a member of that group in order to contact the docker -d process.


Fortunately, this documentation is slightly wrong: you do not need to add users to the docker group for them to use docker from a non-root account. I wish all distributions had such a policy.

In Fedora and RHEL we have the following permissions on docker.sock:

# ls -l /run/docker.sock
srw-rw----. 1 root docker 0 Sep 12:54 /run/docker.sock

This means that only root, or users in the docker group, can talk to this socket. In addition, because the daemon runs as docker_t, SELinux prevents fully confined domains from connecting to docker.sock at all.

No authorization controls in Docker

Docker currently has no authorization controls of any kind. If you can talk to the docker socket, or to a network port that docker is listening on, you can execute every docker command.

For example, if I add dwalsh to the docker group on my machine, I can execute:

docker run -ti --rm --privileged --net=host -v /:/host fedora /bin/sh
# chroot /host

At this point you, or any user with these permissions, have full control of the system.
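Because every docker-group member can reach the socket and therefore obtain root exactly as shown above, the first thing a defender wants is an inventory of who holds that membership. The audit helper below is an added example, not part of the article or of the docker project; it parses a group(5)-format file (defaulting to /etc/group), prints the members of the docker group, and renders each one as the sudoers line the article equates membership with. The sample group file and the user names alice and bob are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit docker-group membership.
# Every account listed here can reach /run/docker.sock and become root.

# docker_group_members [GROUP_FILE]
# Print one member of the "docker" group per line. The fourth field of
# group(5) is a comma-separated member list; empty entries are skipped.
docker_group_members() {
    group_file="${1:-/etc/group}"
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$group_file"
}

# docker_group_member_count [GROUP_FILE]
# Single number, handy for a monitoring check or a CI gate ("must be 0").
docker_group_member_count() {
    docker_group_members "$1" | wc -l | tr -d ' '
}

# docker_group_as_sudoers [GROUP_FILE]
# Show each member as the sudoers rule that membership is equivalent to,
# so reviewers see the privilege in terms they already understand.
docker_group_as_sudoers() {
    docker_group_members "$1" | while IFS= read -r u; do
        printf '%s ALL= NOPASSWD: ALL\n' "$u"
    done
}

# sample_group_file: write a constructed group file (not real system data)
# to a temp file and print its path, for an offline dry run.
sample_group_file() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'root:x:0:' \
        'wheel:x:10:alice' \
        'docker:x:978:alice,bob' \
        'users:x:100:' > "$f"
    printf '%s\n' "$f"
}

# demo: run the audit against the constructed sample and clean up.
demo() {
    f=$(sample_group_file) || exit 1
    echo "docker group members ($(docker_group_member_count "$f")):"
    docker_group_members "$f"
    echo "equivalent sudoers rules:"
    docker_group_as_sudoers "$f"
    rm -f "$f"
}

# With a path argument, audit that group file; otherwise run the demo.
if [ "$#" -gt 0 ]; then
    docker_group_members "$1"
else
    demo
fi
```

Run it as `sh audit-docker-group.sh /etc/group` on a Fedora host to list the real members; an empty result is the state the article argues for. The awk parser only looks at the docker line, so it is unaffected by the order or number of other groups.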

Adding users to the docker group should be regarded as equivalent to adding:

USERNAME ALL= NOPASSWD: ALL


to the /etc/sudoers file. Any application the user runs on his machine can become root, without him even knowing it. I believe a better and safer solution is to write scripts through which users can be granted access.

cat /usr/bin/dockersearch
#!/bin/sh
docker search "$@"

Then set up sudo:

USERNAME ALL= (ALL) NOPASSWD: /usr/bin/dockersearch

I would eventually like to see some kind of authorization database added to docker, so that administrators can configure which commands users are allowed to execute, as well as which containers they may be allowed to start or stop.

Removing the ability to run docker run --privileged or docker run --cap-add would be a good first step in the right direction. But if you have seen my other posts, you know there is a lot more work to do to keep containers contained.

Originally published by the author on www.projectatomic.io under the title "Granting user rights to use Docker in Fedora".
