Typing sudo with each and every docker command gets tedious. Furthermore, several related docker tools or image build processes make bad assumptions: that one can simply run things like docker-compose without sudo, or that there are no other concerns such as sudo combined with python virtual environments. An annoying example was the logstash-docker makefile.
In attempting to find a balance between usability and security, a few tips and tricks with bash seem to work for me:
- Alias the docker command with sudo docker in bash
- Use a shell wrapper script or function with docker-compose
This strikes a good balance. Upon first execution there will be the sudo password prompt, so a malicious script can't abuse the Docker daemon for root privilege escalation without this password being entered. Also, sudo caches credentials for 5 minutes before it requires the password again, so a user issuing multiple docker commands within a terminal will not get nagged each time.
When using an alias for docker, the expand_aliases shell option is needed if non-interactive shells will depend on it. E.g. in ~/.bash_aliases:
shopt -s expand_aliases
alias docker="sudo -E docker"
alias dockviz="docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock nate/dockviz"
In Ubuntu 16.04 LTS, the packaged version of docker-compose is quite out of date. A way to install a current one into its own virtualenv:
$ pip install --user virtualenv
$ mkdir -p ~/bin/python-venvs
$ cd ~/bin/python-venvs
$ virtualenv docker
$ source ~/bin/python-venvs/docker/bin/activate
$ pip install docker-compose
However, running it this way via the virtualenv is quite tedious, e.g.:
$ source ~/bin/python-venvs/docker/bin/activate
$ sudo -E `which docker-compose` build
To avoid the encumbered way of executing docker-compose via the virtualenv, create a wrapper script in ~/bin/docker-compose:
#!/usr/bin/env bash
# Activate the docker-compose virtualenv unless it is already the active one.
# Note: string comparison needs "!=" (the numeric "-ne" fails with "integer expression expected").
if [ -z "$VIRTUAL_ENV" ] || [ "$VIRTUAL_ENV" != "$HOME/bin/python-venvs/docker" ]; then
    source ~/bin/python-venvs/docker/bin/activate
fi
# -E keeps the (venv) environment; "$@" forwards arguments with spaces intact
sudo -E "$(which docker-compose)" "$@"
status=$?
deactivate
# Return docker-compose's exit status, not deactivate's, so callers like make see failures
exit $status
Most user-friendly Linux distros will include ~/bin in $PATH. Run echo $PATH | grep $USER to double check.
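A grep on $PATH only confirms that the home directory appears somewhere; for the wrapper to actually be the docker-compose that runs, ~/bin also has to come before the directory holding the packaged binary. The following check is an added example (not from the original post) that compares PATH components exactly and verifies ~/bin precedes /usr/bin, the location the distro package uses; the path values in the usage at the bottom are taken from the live environment, and the constructed PATH strings in the comments are just illustrations.

```shell
#!/usr/bin/env bash
# Added example: confirm ~/bin is on PATH ahead of the packaged docker-compose,
# so the sudo-wrapper in ~/bin/docker-compose is the command that resolves.

# Return 0 if directory $2 appears as an exact PATH component in $1.
# Unlike "echo $PATH | grep $USER", this does not match e.g. /opt/alice-tools.
path_has_dir() {
    local path="$1" dir="$2" entry
    local IFS=':'
    for entry in $path; do
        [ "$entry" = "$dir" ] && return 0
    done
    return 1
}

# Return 0 if directory $2 comes before directory $3 in PATH $1 (earlier wins
# on lookup). If $3 is absent, $2 merely has to be present.
path_dir_before() {
    local path="$1" first="$2" second="$3" entry seen_first=0
    local IFS=':'
    for entry in $path; do
        if [ "$entry" = "$first" ]; then
            seen_first=1
        elif [ "$entry" = "$second" ]; then
            [ "$seen_first" -eq 1 ] && return 0
            return 1
        fi
    done
    [ "$seen_first" -eq 1 ]
}

# Run both checks for PATH $1 and home directory $2; report on stderr on failure.
check_wrapper_path() {
    local path="$1" home="$2"
    if ! path_has_dir "$path" "$home/bin"; then
        echo "$home/bin is not in PATH; the wrapper will never be found" >&2
        return 1
    fi
    # The Ubuntu package installs docker-compose into /usr/bin
    if ! path_dir_before "$path" "$home/bin" "/usr/bin"; then
        echo "/usr/bin precedes $home/bin; a packaged docker-compose would shadow the wrapper" >&2
        return 1
    fi
    echo "ok: $home/bin is on PATH ahead of /usr/bin"
}

# Usage against the live environment, e.g. PATH=/home/alice/bin:/usr/local/bin:/usr/bin
check_wrapper_path "$PATH" "$HOME"
```

If the second check fails, prepend rather than append in ~/.profile (PATH="$HOME/bin:$PATH"); the same ordering problem applies to any other directory that already holds a docker-compose binary, such as /usr/local/bin for a pip install run as root.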
The above allowed me to run make with logstash-docker from elastic.co's github repo.
Unlike LXC and KVM, Docker hasn't yet provided a neat way for non-privileged local system users to manage containers.
The official documentation (as of Dec 2016), Manage Docker as a non-root user, and blog posts such as DigitalOcean's Ubuntu docker install guide, or gists, all suggest adding your non-root account as a member of the docker group, which has write access to the Unix socket for the Docker daemon.
The official documentation at least adds a brief security warning, and Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL explains why allowing direct user-level access to Docker's daemon via the socket is poor form (in terms of audit logging concerns).
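Because membership in the docker group is equivalent to unaudited root (anyone who can write to the socket can ask the daemon to start a privileged container), it is worth knowing exactly which accounts have that access on a host. The audit below is an added example, not from the original post or from Docker's documentation: the pure functions work on a socket mode string and /etc/group-formatted text (the sample group lines are constructed), and audit_docker_socket applies them to the live socket using GNU stat and getent.

```shell
#!/usr/bin/env bash
# Added example: list local accounts that can reach the Docker daemon socket
# without ever seeing a sudo prompt.

# Print the members of group $2 from /etc/group-formatted text in $1, one per line.
group_members() {
    local group_text="$1" group="$2"
    printf '%s\n' "$group_text" | awk -F: -v g="$group" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# $1: symbolic mode of the socket as printed by "stat -c %A" (e.g. srw-rw----)
# $2: the socket's owning group
# $3: /etc/group-formatted text
# Prints "*" when the socket is world-writable, otherwise the members of the
# owning group when the group write bit is set, otherwise nothing.
socket_writers() {
    local mode="$1" owner_group="$2" group_text="$3"
    case "$mode" in
        ????????w?) echo '*'; return 0 ;;   # position 9: "other" write bit
    esac
    case "$mode" in
        ?????w????) group_members "$group_text" "$owner_group" ;;   # position 6: group write bit
    esac
}

# Live audit of the daemon socket (default /var/run/docker.sock).
audit_docker_socket() {
    local sock="${1:-/var/run/docker.sock}" mode group
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock"
        return 0
    fi
    mode=$(stat -c '%A' "$sock")    # GNU coreutils stat
    group=$(stat -c '%G' "$sock")
    echo "$sock is $mode owned by group $group; accounts with daemon access:"
    socket_writers "$mode" "$group" "$(getent group)"
}

# Constructed sample /etc/group content for the stand-alone demonstration
SAMPLE_GROUP_TEXT='root:x:0:
docker:x:999:alice,bob
sudo:x:27:alice'

# Typical Ubuntu layout: socket srw-rw---- root:docker -> alice and bob
echo "sample: accounts with socket access:"
socket_writers "srw-rw----" "docker" "$SAMPLE_GROUP_TEXT"

audit_docker_socket
```

Every account the script prints for the live socket can run a container with the host filesystem mounted, with the daemon's log recording only the container start, not the account behind it. Keeping that list empty and going through sudo instead is what the alias and wrapper above buy you.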