
I was just getting started with docker, and I run this:

    docker pull redis

and I get a permission denied error. It turns out, docker writes to /var/* directories, which requires permission to write. And so many other docker commands also require something like:

    sudo docker ***

Now, I don't really like the notion of adding root privileges to every docker command. (It might be because I just don't know docker much yet, but that's true with every program.) Is this a requirement by docker?

If it is not required, then how do I configure it so that it is much like other programs, that only ask me for privileges when they need to, all the pulling, running commands would just write to my normal directories or run from them, not from a system directory.

EDIT: my concern was, if docker was allowed access to system files, meaning, it has some embedded script that had a potential harm to the computer, and it executed when I ran the docker. Since I give it root privileges, the script could do anything. Would adding it to the user group instead of sudo fix that?

juztcode
  • Docker doesn't have a robust access-control system on its own, so if you can run any `docker` command at all, you can `docker run -v /:/host busybox vi /host/etc/sudoers` and pretty trivially root the host. Even just with `docker pull` or `docker tag` you could contaminate the system, causing the local `ubuntu:20.04` image to actually be compromised in some way. Putting the host user in the `docker` group doesn't mitigate this risk at all. So on anything other than a single-developer-user system, `sudo` is probably appropriate. – David Maze Mar 19 '21 at 17:14
  • @DavidMaze, so, you mean running sudo or not doesn't matter at all. Docker itself makes it a bit risky in itself? So, what options do we have to make it really safe? In that any vulnerabilities in docker will not affect the host OS in any way? – juztcode Mar 19 '21 at 17:36

2 Answers


By default Docker runs an always-on daemon on your system which requires root privileges (Experimental non-root Docker support exists though).

The common approach is to add your user to the docker group, which allows you to run docker without having to sudo: https://docs.docker.com/engine/install/linux-postinstall/

    sudo usermod -aG docker $USER
    newgrp docker

If you are interested in non-root Docker the following might be interesting:

m90
  • my concern was, if docker was allowed access to system files, meaning, it has some embedded script that had a potential harm to the computer, and it executed when I ran the docker. Since I give it root privileges, the script could do anything. Would adding it to the user group instead of `sudo` fix that? – juztcode Mar 19 '21 at 15:27
  • No, in that case you would need to run rootless Docker or use alternatives like Podman. – m90 Mar 19 '21 at 15:30
  • is it worth considering this potential harm? If it is, which one is better? rootless Docker or Podman? – juztcode Mar 19 '21 at 15:36
  • It's hard to give generalized advice here as each security setup is unique. I would probably decide this depending on how much trust you can put into the images you run using Docker (code in the container can escape it in certain setups https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) as this is a more real world attack vector than Docker itself getting compromised. Which tool to pick is something defined by other requirements of yours. – m90 Mar 19 '21 at 15:51
  • what do you usually do in production environments? – juztcode Mar 19 '21 at 15:53
  • can we configure docker to place images and run from our /home directory instead? Is this a good idea? – juztcode Mar 19 '21 at 16:01
  • The location of the images does not matter much. What you describe is running Docker as a non-root, confined user. If this sounds appealing to you, I think you should give it a try. – m90 Mar 19 '21 at 16:18
  • you mean running `sudo docker` or running the non-root docker version of docker? i.e. rootless mode? – juztcode Mar 19 '21 at 16:45
  • Running the rootless docker. – m90 Mar 19 '21 at 17:08

You are probably not part of the docker group as a user. You could try the post-installation steps mentioned here.

Create group docker:

    sudo groupadd docker

Add user to the group

    sudo usermod -aG docker $USER

Reload changes:

    newgrp docker

Niklas
  • my concern was, if docker was allowed access to system files, meaning, it has some embedded script that had a potential harm to the computer, and it executed when I ran the docker. Since I give it root privileges, the script could do anything. Would adding it to the user group instead of sudo fix that? – juztcode Mar 19 '21 at 15:28
  • By default everything is executed inside a container when you are using docker. As long as containers have a non-root user, they are very isolated from the host system, and rarely can do any harm on your host system. A user group is much better than using sudo, since not all code requires root privileges to be functional. – Niklas Mar 19 '21 at 15:32
  • but, running `sudo docker ***` ... is such command running also inside container? I mean, it looks like this command is being executed inside host? – juztcode Mar 19 '21 at 15:35
  • That command is executed on the host, yes. Part of the Docker application code requires root privileges to be functional, e.g. adding kernel capabilities for underlying containers or accessing the Unix socket to use the daemon. But any external code that docker is using is executed isolated in containers. So if you are afraid that Docker as an application itself is harmful, then you need rootless Docker, but the applications that you are using with Docker are isolated as long as they have a non-root user and you are careful with commands when running them. – Niklas Mar 19 '21 at 15:38
  • below m90 says rootless docker is experimental, how stable is it? Is it worth going for? or we'll face lots of problems down the road? – juztcode Mar 19 '21 at 15:40
  • Depends on how you are going to use it. You will have limited/stripped capabilities on what you can do. – Niklas Mar 19 '21 at 15:42
  • can we configure docker to place images and run from our /home directory instead? Is this a good idea? – juztcode Mar 19 '21 at 16:01
  • to install docker in rootless mode, do we have to uninstall the non-rootless version of docker first? – juztcode Mar 19 '21 at 16:56
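
The distinction drawn in the comments above (`docker` group membership grants the same power as `sudo docker`, and only rootless mode changes that) can be checked on a host. The script below is an added example, not part of the original thread; the user names and sample inputs are constructed, and it assumes a rootless daemon lists `rootless` among the security options printed by `docker info`.

```shell
#!/bin/sh
# Added example: classify who effectively holds root through Docker on a host.
# Inputs are plain text so the script runs offline. On a real host supply:
#   group text:   getent group docker
#   socket stat:  stat -c '%U:%G %a' /var/run/docker.sock
#   security:     docker info --format '{{.SecurityOptions}}'

# Members of the docker group, comma-joined, from group(5)-format text.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

# True when the socket mode (octal, e.g. 660) grants write access to "other".
socket_world_writable() {
    mode=${1##* }                 # keep the octal mode after the last space
    other=${mode#"${mode%?}"}     # last digit = permissions for "other"
    [ $(( other & 2 )) -ne 0 ]
}

# True when the daemon reports rootless mode (assumed marker: "rootless").
is_rootless() {
    case "$1" in *rootless*) return 0 ;; *) return 1 ;; esac
}

# Print one verdict line for a host described by the three inputs.
assess() {
    members=$(docker_group_members "$1")
    if is_rootless "$3"; then
        echo "rootless: daemon and containers run as an unprivileged user"
    elif socket_world_writable "$2"; then
        echo "root-equivalent: every local user (socket is world-writable)"
    elif [ -n "$members" ]; then
        echo "root-equivalent: $members (docker group)"
    else
        echo "sudo-gated: only root (via sudo) reaches the daemon"
    fi
}

# Constructed sample hosts (hypothetical user names alice and bob).
GROUP_DEV='docker:x:998:alice,bob'
GROUP_EMPTY='docker:x:998:'
assess "$GROUP_DEV"   'root:docker 660' '[name=apparmor name=seccomp,profile=default]'
assess "$GROUP_EMPTY" 'root:docker 660' '[name=apparmor name=seccomp,profile=default]'
assess "$GROUP_EMPTY" 'root:docker 666' '[name=seccomp,profile=default]'
assess "$GROUP_EMPTY" 'alice:alice 660' '[name=seccomp,profile=default name=rootless]'
```

A "root-equivalent" verdict means the listed accounts should be treated like sudoers when deciding who gets them.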