
Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL

I often get bug reports from users asking, "Why can't I use `docker` as a non-root user by default?"

Docker can set the group ownership of /run/docker.sock to the docker group, with mode 660:

    ls -l /var/run/docker.sock
    1 root docker 0 Aug 3 13:02 /var/run/docker.sock

This lets users added to the docker group run containers without having to execute sudo or su to become root.

But on Red Hat Enterprise Linux (RHEL), Fedora, and CentOS we prefer to have the socket owned by root:root:

    ls -l /var/run/docker.sock
    1 root root 0 Aug 3 13:02 /var/run/docker.sock

Why is that? Simple: if a user can talk to the docker socket, they can execute the following command:

    docker run -ti --privileged -v /:/host fedora chroot /host

giving them full root access to the host system. This is the same as giving them a sudo rule that lets them run `sudo sh`: they get the same access.

Docker has no auditing or logging built in, while sudo does. Docker currently records events, but the events disappear when the docker daemon is restarted, and Docker does not currently do any auditing. From a security perspective, Red Hat has expressed concerns with enabling access to the docker daemon from non-root users absent auditing and proper logging. We've implemented those controls in PR14446, though it depends on an authentication framework which is still being discussed.

Until we can implement proper auditing and logging, we recommend implementing sudo rules to permit access to the docker daemon; that lets sudo provide the logging and audit. If you want to give docker access to non-root users, we recommend setting up sudo. Here is a short guide on how to do this.

Add an entry like the following to /etc/sudoers:

    grep dwalsh /etc/sudoers
    dwalsh ALL=(ALL) NOPASSWD: /usr/bin/docker

This will allow the specified user to run docker as root, without a password. Note: I do not recommend using NOPASSWD; this would allow any process on your system to become root. If you require the password, the user needs to enter his password when running the docker command, making the system a bit more secure. If a password is required, sudo gives you a five-minute grace period to run docker again without entering the password.

Now, set up an alias for running the docker command:

    alias docker="sudo /usr/bin/docker"

When the user executes the docker command as non-root it will now be allowed and properly logged:

    docker run -ti --privileged -v /:/host fedora chroot /host

Look at the journal or /var/log/messages:

    journalctl -b | grep docker.*privileged
    Aug 04 09:02:56 .com sudo: dwalsh : TTY=pts/3 PWD=/home/dwalsh/docker/src//docker/docker USER=root COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host

Look at the audit log:

    ausearch -m USER_ROLE_CHANGE -i
    New-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/3 res=success'

Better yet, if you wanted to allow a user to access only a particular container, you could write a simple script:

    cat /usr/bin/docker-fedora

After writing the script, configure sudoers to run it:

    grep dwalsh /etc/sudoers
    dwalsh ALL=(ALL) NOPASSWD: /usr/bin/docker-fedora

This user would only be able to run the fedora container, without privileges.

We have other patches that we are working on to make the docker daemon more secure, including authentication. We have an ongoing discussion in issue #13697, "Adding Kerberos support to Docker".
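The post's "simple script" idea, a sudo target that lets one user start only a fixed, unprivileged fedora container, as an added example. This is not the docker-fedora script from the original post (whose contents are not reproduced there); the image name, the fixed docker flags, the install path /usr/bin/docker-fedora and the user name dwalsh are assumptions. The security-relevant point it demonstrates is that sudo hands the wrapper whatever argv the user typed, so the wrapper has to refuse option-looking words or the user simply adds `--privileged -v /:/host` back in.

```shell
#!/bin/sh
# docker-fedora: a sudo target that lets an unprivileged user start ONE fixed,
# unprivileged fedora container and nothing else.
# Added illustration, not the script from the original post. The image name,
# the fixed docker flags and the install path are assumptions.
set -eu

DOCKER=/usr/bin/docker
IMAGE=fedora                          # assumption: the only image this wrapper may run
# Flags the wrapper always adds. Nothing the caller types can add to them,
# so no --privileged, no host bind mounts, no host namespaces.
FIXED_FLAGS="run --rm -ti --cap-drop=ALL"

# Refuse any argument that looks like an option. The caller may only supply
# the command to run inside the container; --privileged, -v /:/host,
# --pid=host and friends cannot be smuggled in through sudo's argv.
validate_args() {
    for arg in "$@"; do
        case "$arg" in
            -*) echo "docker-fedora: options are not permitted: $arg" >&2; return 1 ;;
        esac
    done
    return 0
}

# Print, one word per line, the exact argv that would be executed for the
# given caller arguments (no arguments means "start a shell in the container").
build_cmd() {
    validate_args "$@" || return 1
    [ $# -eq 0 ] && set -- /bin/bash
    printf '%s\n' "$DOCKER" $FIXED_FLAGS "$IMAGE" "$@"
}

# Only run docker when invoked under the installed name, so this file can also
# be sourced and its functions exercised without touching the daemon.
if [ "${0##*/}" = "docker-fedora" ]; then
    validate_args "$@"                # with set -e, a refused argument aborts here
    [ $# -eq 0 ] && set -- /bin/bash
    exec "$DOCKER" $FIXED_FLAGS "$IMAGE" "$@"
fi
```

Install it as root, mode 0755, owned root:root; if the sudo user can write to the script, they edit it and are root anyway. Then grant it in sudoers (`dwalsh ALL=(ALL) /usr/bin/docker-fedora`, preferably without NOPASSWD, as the post advises). `sudo /usr/bin/docker-fedora --privileged` is refused by the wrapper, while `sudo /usr/bin/docker-fedora cat /etc/os-release` runs inside the container with the fixed flags, and sudo logs the full command line either way.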

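The post checks the journal with `journalctl -b | grep docker.*privileged`. As an added example, not from the original post, the function below generalises that grep to the other ways a docker command line can ask for host-level access (any host bind mount, host PID or network namespace, added capabilities), working on the lines sudo writes to syslog/journal. The sample lines are constructed for the example; the host name and paths are made up.

```shell
#!/bin/sh
# Flag sudo-logged docker invocations that ask for host-level access.
# Added example, not from the original post. Usage on a live system:
#   journalctl -b | flag_host_escapes
set -eu

# Constructed sample lines in sudo's log format (not real logs).
SAMPLE_LOG='Aug 04 09:02:56 host sudo: dwalsh : TTY=pts/3 PWD=/home/dwalsh USER=root COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host
Aug 04 09:05:10 host sudo: dwalsh : TTY=pts/3 PWD=/home/dwalsh USER=root COMMAND=/usr/bin/docker run -ti fedora /bin/bash
Aug 04 09:07:42 host sudo: dwalsh : TTY=pts/3 PWD=/home/dwalsh USER=root COMMAND=/usr/bin/docker run -v /etc:/host/etc fedora cat /host/etc/shadow
Aug 04 09:09:01 host sudo: dwalsh : TTY=pts/3 PWD=/home/dwalsh USER=root COMMAND=/usr/bin/docker run --pid=host --net=host fedora ps aux
Aug 04 09:11:15 host sudo: dwalsh : TTY=pts/3 PWD=/home/dwalsh USER=root COMMAND=/usr/bin/docker ps'

# Why each pattern matters:
#   --privileged (old docker also took -privileged)  all capabilities and devices: root on the host
#   -v /path:... or --volume /path:...              any host bind mount; /:/host is the extreme case
#   --pid=host, --net=host                          host process and network namespaces
#   --cap-add                                       capabilities beyond the default set
# Only lines that went through sudo and ran /usr/bin/docker are considered.
HOST_ESCAPE_RE='sudo: .* COMMAND=/usr/bin/docker .*(-{1,2}privileged|(-v|--volume)[ =]/[^ ]*:|--pid=host|--net=host|--cap-add)'

# Print the matching lines from stdin.
flag_host_escapes() {
    grep -E -- "$HOST_ESCAPE_RE"
}

# Print the number of matching lines from stdin (0 when none; always exits 0).
count_host_escapes() {
    grep -E -c -- "$HOST_ESCAPE_RE" || true
}

# Stand-alone demonstration over the constructed sample: three of the five
# lines are flagged (the chroot, the /etc mount and the host namespaces).
printf '%s\n' "$SAMPLE_LOG" | flag_host_escapes
```

A regex over the logged command line is a coarse review aid: it does not see combined short options such as `-tiv /:/host`, and it only catches what sudo logged, so a user with a NOPASSWD rule for the bare docker binary still gets root, it is just recorded. The authoritative control is the sudoers rule itself, or a restricted wrapper like the docker-fedora script.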