tfenster / dockeraccesshelper

PS module that allows access to the Docker engine for any user
https://www.axians-infoma.com/techblog/allow-access-to-the-docker-engine-without-admin-rights-on-windows/
MIT License
77 stars 12 forks source link

Persist across reboots #3

Open andyofengland opened 5 years ago

andyofengland commented 5 years ago

Hi,

Thanks for the great bit of code, it's making my DevOps build agents more useful.

There does seem to be an issue with the fix however - the permission is not persisting across reboots. Whenever one of the servers is rebooted, the DevOps agents fail to connect and I have to re-execute the PS1 script.

Is there any way of either changing the code to persist or, is this something that would be best performed in Windows Startup or something? (Assuming the script can be run as an administrator).

Cheers

tfenster commented 5 years ago

@andyofengland A better solution for that would be to configure a group in the standard daemon config as described here https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#set-docker-security-group. Does that work for you?

andyofengland commented 5 years ago

Hi, That does sound like a good approach - perhaps it's something to add into the script as an option? Cheers

tfenster commented 5 years ago

@andyofengland not sure if I understand you: Do you mean to create that entry in to config file?

andyofengland commented 5 years ago

Hi, You could do either - Inform the user about the config option so as to educate them or, provide a switch to make the setting persist by creating the file for them.

Get Outlook for iOShttps://aka.ms/o0ukef


From: Tobias Fenster notifications@github.com Sent: Tuesday, October 8, 2019 10:26:30 AM To: tfenster/dockeraccesshelper dockeraccesshelper@noreply.github.com Cc: andyofengland andy@tw-tech.co.uk; Mention mention@noreply.github.com Subject: Re: [tfenster/dockeraccesshelper] Persist across reboots (#3)

Reopened #3https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftfenster%2Fdockeraccesshelper%2Fissues%2F3&data=02%7C01%7C%7C3ac8710132324a3192cd08d74bd19c3e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637061235943194744&sdata=PvPa9nzAqJa6kVCfP6pHVY%2F0%2BQVI72NsNol4%2Fo41QtM%3D&reserved=0.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftfenster%2Fdockeraccesshelper%2Fissues%2F3%3Femail_source%3Dnotifications%26email_token%3DAFY3TGSLFQQQIOLGRGDPR5DQNRG4NA5CNFSM4I6ORRWKYY3PNVWWK3TUL52HS4DFWZEXG43VMVCXMZLOORHG65DJMZUWGYLUNFXW5KTDN5WW2ZLOORPWSZGOUCPF6CI%23event-2694733577&data=02%7C01%7C%7C3ac8710132324a3192cd08d74bd19c3e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637061235943204761&sdata=3z5%2BDbEd6FsDZyuFr33AAw%2BgRn90E6aZze0zB%2F6Ys7w%3D&reserved=0, or mute the threadhttps://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAFY3TGRQYJF4BSJUALDJAM3QNRG4NANCNFSM4I6ORRWA&data=02%7C01%7C%7C3ac8710132324a3192cd08d74bd19c3e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637061235943224765&sdata=WFgefhKKR3YfGCcS0iGCWv0KONhoWkT832h6Pn9sksM%3D&reserved=0.

farhan-ejaz commented 2 years ago

@andyofengland A better solution for that would be to configure a group in the standard daemon config as described here https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#set-docker-security-group. Does that work for you?

It did not work for me :-(

What I did New-LocalGroup -Name 'docker-users' -Description 'docker Users Group' Add-LocalGroupMember -Group 'Administrators' -Member ('docker-users') –Verbose Add-LocalGroupMember -Group 'docker-users' -Member ('XXX\XXXX','Administrators') –Verbose

& Then configure daemon.json {"group":"docker-users"} & restart service.

No change still needs to run the add-on manually. Am I doing something wrong here?

tfenster commented 2 years ago

looks good to me. If that doesn't work, I would say it's a bug in docker itself, so you would need to open an issue there

andrisarkameru commented 2 years ago

Hey! Thanks for this thread. I had the same issue as well with pipe access resetting after server reboot. Here's what I did:

Powershell:

New-LocalGroup -Name 'docker-users' -Description 'docker Users Group'
Add-LocalGroupMember -Group 'docker-users' -Member ('xx\xxx$','Administrators') –Verbose

where xx\xxx$ was the user (GMSA user in this case) that runs the build agent

I then edited the daemon.json and andded "group" : "docker-users"

At first I thought that the method does not work because Restart-Service "Docker Engine" did not solve the rights issue. But after rebooting the server again, all was working. So the key part is restarting the server afterwards.

tcsabina commented 1 year ago

Hi! Where should this 'daemon.json' file be located?

I am facing the same issue with Docker Engine on Windows (10/11). I came across this script, which finally solves my problem... ...til the system is rebooted. I have a 'docker-user' group, so I guess the last thing is to add this entry in the daemon.json file. But where is it?

Again, this is Docker Engine on windows, so no installation. Following this: https://docs.docker.com/engine/install/binaries/

andyofengland commented 1 year ago

To configure the Docker daemon using a JSON file, create a file at /etc/docker/daemon.json on Linux systems, or C:\ProgramData\docker\config\daemon.json on Windows. On MacOS go to the whale in the taskbar > Preferences > Daemon > Advanced.

harendt commented 1 year ago

@andyofengland not sure if I understand you: Do you mean to create that entry in to config file?

I suggest to instead mention the alternative approach (setting the group in daemon.json) in the README.md and to refer to the Docker documentation (https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#set-docker-security-group).

When I was looking for a solution to run Docker without admin rights, I only found this repository here (and the corresponding blog entry: https://www.axians-infoma.com/techblog/allow-access-to-the-docker-engine-without-admin-rights-on-windows/). So I thought, this was the only solution. But using a user group seems much more convenient, at least for me.