Why don't Red Hat Enterprise Linux, Fedora and CentOS want docker to be run directly by non-root users?
I often get bug reports asking:
Why can't I use docker as a non-root user by default?
Docker has the ability to create its socket (/run/docker.sock) with mode 660 and group ownership set to the docker group. This would allow users added to the docker group to run docker containers without having to execute sudo or su to become root. Sounds great...
ls -l /var/run/docker.sock
srw-rw----. 1 root docker 0 Aug 3 13:02 /var/run/docker.sock
BUT
On RHEL, Fedora and CentOS we prefer to have the docker socket set like:
ls -l /var/run/docker.sock
srw-rw----. 1 root root 0 Aug 3 13:02 /var/run/docker.sock
If a user can talk to the docker socket, they can execute the following command:
docker run -ti --privileged -v /:/host fedora chroot /host
This gives them full root access to the host system.
It is similar to giving them the following in sudo:
grep dwalsh /etc/sudoers
dwalsh ALL=(ALL) NOPASSWD: ALL
This would allow them to run sudo sh and get the same access. But there is one big flaw with handing out the docker socket instead:
Docker has no auditing or logging built in, while sudo does.
Docker currently records events, but they disappear when the docker daemon is restarted. Docker does not currently do any auditing.
From a security perspective, Red Hat has expressed concerns with enabling access to the docker daemon from non-root users, absent auditing and proper logging. We've implemented those controls in PR14446 and are awaiting merge. Short term, it is recommended to implement sudo rules to permit access to the docker daemon. Sudo will then provide logging and audit.
moby/moby#14446
This patch provides much needed system logging for docker's API functions. With this patch, when an API request is made, an entry will be added to the syslog.
Important events will contain the action requested, the container's ID, the UID and login UID of the user issuing the request, the process ID, and any initialized configuration settings. In an effort to reduce the size of the log message, uninitialized configuration parameters are not logged.
We have another patch for auditing that we are working on, but it is based on the logging patch. Once the logging patch gets accepted, we will submit the audit patch.
Setting up sudo
If you want to give docker access to non-root users, we recommend setting up sudo. Here is a short guide on how to do this.
Add an entry like the following to /etc/sudoers:
grep dwalsh /etc/sudoers
dwalsh ALL=(ALL) NOPASSWD: /usr/bin/docker
This will allow the specified user to run docker as root, without a password.
(NOTE: I do not recommend using NOPASSWD, since it would allow any process running as that user to become root. If the password is required, the user must enter their password when running the docker command, making the system a bit more secure. Sudo gives you a 5 minute grace period to run docker again without a password.)
Set up an alias for running the docker command:
alias docker="sudo /usr/bin/docker"
Now when the user runs the docker command as non-root it will be allowed and properly logged.
docker run -ti --privileged -v /:/host fedora chroot /host
Look at the journal or /var/log/messages:
journalctl -b | grep docker.*privileged
Aug 04 09:02:56 dhcp-10-19-62-196.boston.devel.redhat.com sudo[23422]: dwalsh : TTY=pts/3 ; PWD=/home/dwalsh/docker/src/github.com/docker/docker ; USER=root ; COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host
Look at the audit log:
ausearch -m USER_ROLE_CHANGE -i
type=USER_ROLE_CHANGE msg=audit(08/04/2015 09:02:56.514:1460) : pid=23423 uid=root auid=dwalsh ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='newrole: old-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
new-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/3 res=success'
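As an added example (not part of the original post), a small triage function that reads sudo log lines in the format shown above and flags the docker invocations that amount to host root, that is --privileged or a bind mount of the host root directory; the sample log lines are constructed, not real data.

```shell
# audit_sudo_docker: reads journalctl or /var/log/messages lines on stdin
# and prints "<user> <tty> <reason>" for every docker command run through
# sudo that hands out host root. Added example, not code from the post.
audit_sudo_docker() {
    awk '
    /sudo\[[0-9]+\]: .* COMMAND=\/usr\/bin\/docker / {
        # sudo logs the invoking user as the token right after "sudo[PID]:"
        user = "?"; tty = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sudo\[[0-9]+\]:$/) user = $(i + 1)
            if ($i ~ /^TTY=/) tty = substr($i, 5)
        }
        cmd = $0; sub(/.*COMMAND=/, "", cmd)
        reason = ""
        if (cmd ~ /(^| )--privileged( |$)/) reason = "privileged"
        # "-v /:..." or "--volume /:..." mounts the host root into the container
        if (cmd ~ /(^| )(-v|--volume)[= ]\/:/)
            reason = reason (reason == "" ? "" : ",") "host-root-mount"
        if (reason != "") print user, tty, reason
    }'
}

# Constructed sample lines in the sudo journal format (not real log data).
SAMPLE_LOG='Aug 04 09:02:56 host sudo[23422]: dwalsh : TTY=pts/3 ; PWD=/home/dwalsh ; USER=root ; COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host
Aug 04 09:05:11 host sudo[23430]: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker run -ti --rm fedora /bin/sh
Aug 04 09:07:40 host sudo[23441]: bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/docker run -v /:/mnt centos ls /mnt'

# Runs the triage over the sample and returns the findings on stdout.
sample_findings() {
    printf '%s\n' "$SAMPLE_LOG" | audit_sudo_docker
}

sample_findings
```

On a real system, replace the sample with `journalctl -b | audit_sudo_docker`; the alice line above is the unprivileged wrapper case and produces no finding.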
Better Security
Better yet, if you wanted to only allow a user to access a particular container, you could write a simple script:
cat /usr/bin/docker-fedora
#!/bin/sh
# Starts a throwaway, unprivileged fedora shell and nothing else.
docker run -ti --rm fedora /bin/sh
Then configure sudoers to run it:
grep dwalsh /etc/sudoers
dwalsh ALL=(ALL) NOPASSWD: /usr/bin/docker-fedora
This user would only be able to run the fedora container, without privileges.
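A more general version of the docker-fedora wrapper above, added here as an example (it is not a script from the post or from docker): the hypothetical docker-restricted script lets the user pick an image from a fixed allowlist and, optionally, the command to run inside it, while the container is always started unprivileged with all capabilities dropped and no host mounts; the sudoers rule and the allowlist are assumed values.

```shell
#!/bin/sh
# docker-restricted (hypothetical, added example): the only docker-related
# command a user is allowed to run through sudo, e.g. in /etc/sudoers:
#   dwalsh ALL=(ALL) /usr/local/bin/docker-restricted
# Usage: docker-restricted IMAGE [COMMAND...]
# Every container is started with fixed flags; the user never reaches
# docker's own option parser, so --privileged or -v /:/host cannot be added.

ALLOWED_IMAGES="fedora centos"   # constructed allowlist; adjust per site

# Returns 0 when IMAGE ($1) is on the allowlist, 1 otherwise.
image_allowed() {
    for img in $ALLOWED_IMAGES; do
        [ "$1" = "$img" ] && return 0
    done
    return 1
}

# Checks the user-supplied arguments: IMAGE must be present and allowed.
# Nothing after IMAGE needs filtering, because docker treats everything
# after the image as the container's command, not as run options.
validate_args() {
    [ $# -ge 1 ] || { echo "usage: docker-restricted IMAGE [COMMAND...]" >&2; return 1; }
    image_allowed "$1" || { echo "image not allowed: $1" >&2; return 1; }
    return 0
}

# Prints the docker command line that main() executes for IMAGE and COMMAND
# (default /bin/sh); kept separate so it can be inspected without running it.
build_cmd() {
    image="$1"; shift
    [ $# -eq 0 ] && set -- /bin/sh
    printf '/usr/bin/docker run -ti --rm --cap-drop=ALL %s' "$image"
    printf ' %s' "$@"
    printf '\n'
}

main() {
    validate_args "$@" || exit 1
    image="$1"; shift
    [ $# -eq 0 ] && set -- /bin/sh
    exec /usr/bin/docker run -ti --rm --cap-drop=ALL "$image" "$@"
}

# Dispatch only when invoked under the installed name, so the functions can
# also be sourced and exercised without starting a container.
case "$0" in */docker-restricted|docker-restricted) main "$@" ;; esac
```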
Authentication
We have other patches that we are working on to make the docker daemon more secure, including authentication. Here is the issue where this is being discussed:
moby/moby#13697
Authorization
And we are developing a proposal to add Authorization/RBAC (Role Based Access Control) to docker, to allow administrators to specify which users are allowed to do which activity on which containers/images:
https://github.com/rhatdan/docker-rbac
Conclusion
We believe the security of managing the docker daemon needs a lot of improvement before we can think of opening up access to non-privileged users directly. Until these fixes are made, sudo is the best option.