Shulou(Shulou.com)06/01 Report--

Editor to share with you how to grant users the right to use Docker in Fedora, I believe most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

Grant users permission to use Docker

Fedora 19 and 20 come with Docker 0.11. The package has been updated to version 1.0 in Fedora 20. If you are still using version 0.11, you will need to grant permissions to Docker users.

The docker command line tool contacts the docker daemon through the socket file / var/run/docker.sock owned by the user group docker. A user must be a member of that user group to contact the docker-d process.

Fortunately, the documentation is a bit wrong, and you still need to add users to the docker user group to allow them to use docker through non-root accounts. I hope all distributions have this policy.

On Fedora and RHEL, we have the following permissions on docker.sock:

# ls-l / run/docker.sock

Srw-rw----. 1 root docker 0 Sep 19 12:54

/ run/docker.sock

This means that only root users or users in the docker user group can talk to the socket. In addition, because docker runs asdocker_t,SELinux to prevent all restricted domains from connecting to the docker.sock.

Docker has no authorization control mechanism.

Docker currently does not have any authorization control mechanism. If you can talk to docker sockets, or if docker listens on a network port, you can talk to it and execute all docker commands.

For example, if I add "dwalsh" to the docker user group on my computer, I can execute:

> docker run-ti-- rm-- privileged-- net=host-v /: / host fedora / bin/sh

# chroot / host

At this point, you or any user with these permissions have complete control of your system.

Adding users to the docker user group should be considered the same as adding USERNAME ALL= (ALL) NOPASSWD: ALL to the / etc/sudoers file. Any application that users run on their computers can become root, even without the user's knowledge. I think a more secure solution is to write scripts that allow the users you want to access to have access.

Cat / usr/bin/dockersearch

#! / bin/sh

Docker search $@

Then use the following command to create the sudo:

USERNAME ALL= (ALL) NOPASSWD: / usr/bin/dockersearch

I hope to eventually add some kind of authorization database to docker so that administrators can configure which commands you allow users to execute and which containers you allow users to open / stop.

The correct step would be to eliminate the function of executing docker run-privileged or docker run-cap-remove first.

The above is all the contents of this article entitled "how to grant users permission to use Docker in Fedora". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.