
We have a requirement to run Docker commands without sudo and without adding the users to the docker group.

I tried to explore rootless Docker, but it is not getting installed on our CentOS 7 machine.

ref: https://docs.docker.com/engine/security/rootless/

We are using NIS for all the other users, so we want to do something so that all of our developers can make use of Docker without actually giving them sudo access.

Also, we don't want to add this many users to the docker group.

Our machine config:

# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Comments:

  • When users can start docker containers, they pretty much have root access on the host machine. docs.docker.com/engine/security/#docker-daemon-attack-surface Commented Sep 19, 2021 at 8:29
  • Oh! But actually we have everything containerized, and this is very much required for the developers in our organization to make use of Docker commands. :( Commented Sep 19, 2021 at 8:43

1 Answer

If this is about locking down access to remote servers, then instead of permitting access to Docker via SSH you could enable the :2376 socket for mTLS-encrypted comms. Now the problem becomes one of certificate distribution, which is arguably worse.

As mentioned in the comments, whatever user dockerd runs as is the effective user that people with access to the Docker API are running as, since Docker makes no attempt at RBAC. If you want that, as much as I like Docker and Docker Swarm, this is one of those points where your requirements really indicate you should be using Kubernetes.
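To make the :2376/mTLS option concrete, here is an added example (not part of the answer above, and not Docker's own tooling) that audits a daemon.json for an unauthenticated TCP listener, rewrites it to require client certificates on 2376, and shows the environment a developer's docker CLI needs to use it. The daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) and the client variables (DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH) are real Docker settings; the two sample configs and the certificate paths under /etc/docker and ~/.docker are constructed for the example. The answer's caveat still holds: every holder of a valid client certificate acts as the user dockerd runs as, so issuing certificates is the new access-control decision.

```python
import json

# Constructed sample: daemon.json publishing the API over plain TCP on 2375.
# Anyone who can reach this port has the same power as the user dockerd runs as.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Constructed sample: the same listener on 2376 with client certificates required.
# The certificate paths are assumptions for this example.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return a list of findings (strings) for a daemon.json document.
    An empty list means no TCP exposure problem was found."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the unix socket: docker-group membership is the control
    if not cfg.get("tlsverify"):
        findings.append(
            "tcp listener %s without tlsverify: every client that can reach it "
            "acts as the dockerd user" % ", ".join(tcp_hosts))
    else:
        missing = [k for k in TLS_FILE_KEYS if not cfg.get(k)]
        if missing:
            findings.append("tlsverify set but no explicit path for: " + ", ".join(missing))
    if any(h.endswith(":2375") for h in tcp_hosts):
        findings.append("listener on 2375, the conventional unauthenticated port")
    return findings


def harden_daemon_config(text, cert_dir="/etc/docker"):
    """Return daemon.json text with every tcp listener moved to 2376 and
    mutual TLS required. cert_dir is assumed to hold the server files."""
    cfg = json.loads(text)
    hosts = []
    for h in cfg.get("hosts", []):
        if h.startswith("tcp://"):
            addr, sep, port = h[len("tcp://"):].rpartition(":")
            if not (sep and port.isdigit()):
                addr = h[len("tcp://"):]  # no port given, keep the address as-is
            hosts.append("tcp://%s:2376" % addr)
        else:
            hosts.append(h)
    cfg["hosts"] = hosts
    cfg["tlsverify"] = True
    cfg["tlscacert"] = cert_dir + "/ca.pem"
    cfg["tlscert"] = cert_dir + "/server-cert.pem"
    cfg["tlskey"] = cert_dir + "/server-key.pem"
    return json.dumps(cfg, indent=2)


def client_env(host, cert_dir):
    """Environment a developer's docker CLI needs to reach the mTLS endpoint.
    cert_dir must hold ca.pem, cert.pem and key.pem issued by the same CA."""
    return {
        "DOCKER_HOST": "tcp://%s:2376" % host,
        "DOCKER_TLS_VERIFY": "1",
        "DOCKER_CERT_PATH": cert_dir,
    }


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or "no findings")
    print(harden_daemon_config(WEAK_DAEMON_JSON))
    print(client_env("build01.example.internal", "/home/dev/.docker"))
```

Running the script prints two findings for the weak config (no tlsverify, and the conventional 2375 port), none for the hardened one, then the rewritten daemon.json and the three client variables. The audit only inspects the file; whether the listed certificate files exist, who signed the client certificates, and which developers receive one are the pieces the answer warns become the real problem.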
