Closed thaJeztah closed 6 months ago
/cc @tianon @yosifkit - opening this for discussion, as I kept noticing that warning being printed, so wondered what the best option would be 😄
Hmm, yeah, I guess we should consider adding it.
We should probably give it a fixed GID, maybe 2375 to match Docker's port number while still being unlikely to overlap with anything users might be creating or using already?
Yeah, that's a good question. I also recall some images specifically using `1000` or `1001`, but those may have been for matching permissions on boot2docker?
Yeah, or just matching what they'd set it to historically (before they chose a specific number, so the relevant tool chose one for them).
Does the `rootless` user in the rootless image also need to be added to the `docker` group? i.e., add it to the `docker` group after creating the user here: https://github.com/docker-library/docker/blob/d8b20e0d84b8bac8629e782e0fc779d537eab8d8/Dockerfile-dind-rootless.template#L13
Edit: we can still add the `rootless` user to the group if necessary, but I didn't want to hold up the PR.
There are two older tickets related to this;
The docker daemon by default tries to set permissions of the unix-socket to be owned by the `docker` group. This group is used to allow accessing the socket as a non-root user, as described in the "Manage Docker as a non-root user" section in the documentation.

Currently, the `docker` images do not contain a `docker` group, which results in a warning being printed during startup of the daemon;

This warning originates from the daemon, which attempts to use the default (`docker`) group as owner for the socket: https://github.com/moby/moby/blob/93fffa299c2cb23055bb54c380a02d53c9a7d525/daemon/listeners/listeners_linux.go#L35-L49

I went looking at what we do in other situations, i.e., when installing from our `.deb` and `.rpm` packages, and for those, we are creating the `docker` group as part of the installation: https://github.com/docker/docker-ce-packaging/blob/3479bfbc96ec430a808b8d22a503c12773463a66/deb/common/docker-ce.postinst#L5-L11

And, at runtime, that group is used as owner for the socket, as well as log-files produced;

- With systemd: https://github.com/moby/moby/blob/93fffa299c2cb23055bb54c380a02d53c9a7d525/contrib/init/systemd/docker.socket#L4-L10
- With openrc: https://github.com/moby/moby/blob/93fffa299c2cb23055bb54c380a02d53c9a7d525/contrib/init/openrc/docker.initd#L24-L26
- sysvinit: https://github.com/moby/moby/blob/93fffa299c2cb23055bb54c380a02d53c9a7d525/contrib/init/sysvinit-debian/docker#L59

Consider adding a `docker` group

While users should still "think twice" before granting access to the unix-socket (as it is equivalent to `root`), and consider rootless instead if their situation allows it, I think it would make sense to add a `docker` group to the image, so that we're consistent with other ways the docker daemon is distributed / packaged.

Perhaps there are reasons why we didn't choose to though, but if that's the case (and we decide not to), we can use this ticket to document those reasons (and possibly extend the documentation on Docker Hub).
Alternatively, we could update the entrypoint script to explicitly set `root` as group with the `-G` / `--group` flag; doing so should suppress the warning.