tfenster / dockeraccesshelper

PS module that allows access to the Docker engine for any user
https://www.axians-infoma.com/techblog/allow-access-to-the-docker-engine-without-admin-rights-on-windows/
MIT License

Persist across reboots #3

Open andyofengland opened 4 years ago

andyofengland commented 4 years ago

Hi,

Thanks for the great bit of code, it's making my DevOps build agents more useful.

There does seem to be an issue with the fix however - the permission is not persisting across reboots. Whenever one of the servers is rebooted, the DevOps agents fail to connect and I have to re-execute the PS1 script.

Is there any way of either changing the code to persist or, is this something that would be best performed in Windows Startup or something? (Assuming the script can be run as an administrator).

Cheers

tfenster commented 4 years ago

@andyofengland A better solution for that would be to configure a group in the standard daemon config as described here https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#set-docker-security-group. Does that work for you?

andyofengland commented 4 years ago

Hi, That does sound like a good approach - perhaps it's something to add into the script as an option? Cheers

tfenster commented 4 years ago

@andyofengland Not sure if I understand you: do you mean to create that entry in the config file?

andyofengland commented 4 years ago

Hi, You could do either - Inform the user about the config option so as to educate them or, provide a switch to make the setting persist by creating the file for them.


farhan-ejaz commented 2 years ago

> @andyofengland A better solution for that would be to configure a group in the standard daemon config as described here https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#set-docker-security-group. Does that work for you?

It did not work for me :-(

What I did:

New-LocalGroup -Name 'docker-users' -Description 'docker Users Group'
Add-LocalGroupMember -Group 'Administrators' -Member ('docker-users') -Verbose
Add-LocalGroupMember -Group 'docker-users' -Member ('XXX\XXXX','Administrators') -Verbose

& Then configure daemon.json {"group":"docker-users"} & restart service.

No change; I still need to run the add-on manually. Am I doing something wrong here?

tfenster commented 2 years ago

Looks good to me. If that doesn't work, I would say it's a bug in Docker itself, so you would need to open an issue there.

andrisarkameru commented 1 year ago

Hey! Thanks for this thread. I had the same issue as well with pipe access resetting after server reboot. Here's what I did:

Powershell:

New-LocalGroup -Name 'docker-users' -Description 'docker Users Group'
Add-LocalGroupMember -Group 'docker-users' -Member ('xx\xxx$','Administrators') -Verbose

where xx\xxx$ was the user (GMSA user in this case) that runs the build agent

I then edited the daemon.json and added "group" : "docker-users"

At first I thought that the method does not work because Restart-Service "Docker Engine" did not solve the rights issue. But after rebooting the server again, all was working. So the key part is restarting the server afterwards.

tcsabina commented 1 year ago

Hi! Where should this 'daemon.json' file be located?

I am facing the same issue with Docker Engine on Windows (10/11). I came across this script, which finally solves my problem... ...til the system is rebooted. I have a 'docker-user' group, so I guess the last thing is to add this entry in the daemon.json file. But where is it?

Again, this is Docker Engine on Windows, so no installation. Following this: https://docs.docker.com/engine/install/binaries/

andyofengland commented 1 year ago

To configure the Docker daemon using a JSON file, create a file at /etc/docker/daemon.json on Linux systems, or C:\ProgramData\docker\config\daemon.json on Windows. On MacOS go to the whale in the taskbar > Preferences > Daemon > Advanced.
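
The steps collected in this thread (create the group, add the build-agent account, set "group" in daemon.json), as an added PowerShell example that is not part of the thread or of the dockeraccesshelper module. The parameter names and the .bak backup are assumptions of this example; the group name and the Windows config path are the ones quoted above.

```powershell
#Requires -RunAsAdministrator
# Added example: persist Docker engine access for a local group via daemon.json.
param(
    [string]$GroupName  = 'docker-users',                             # group name used in the thread
    [string[]]$Members  = @(),                                        # assumption: accounts to add, e.g. the build-agent user
    [string]$ConfigPath = 'C:\ProgramData\docker\config\daemon.json'  # Windows path given in the thread
)
$ErrorActionPreference = 'Stop'

# 1. Create the local group only if it does not exist yet.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Docker engine users' | Out-Null
}

# 2. Add the requested accounts; an existing membership is not an error.
foreach ($m in $Members) {
    try { Add-LocalGroupMember -Group $GroupName -Member $m }
    catch [Microsoft.PowerShell.Commands.MemberExistsException] {
        Write-Verbose "$m is already a member of $GroupName"
    }
}

# 3. Load the existing daemon.json (if any) so other settings are preserved.
$dir = Split-Path -Parent $ConfigPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$config = [pscustomobject]@{}
if (Test-Path $ConfigPath) {
    $raw = Get-Content -Path $ConfigPath -Raw
    # ConvertFrom-Json throws on invalid JSON, so a broken file is never overwritten.
    if ($raw -and $raw.Trim()) { $config = $raw | ConvertFrom-Json }
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
}

# 4. Set (or replace) the "group" key and write the file as UTF-8 without a BOM.
$config | Add-Member -NotePropertyName 'group' -NotePropertyValue $GroupName -Force
$json = $config | ConvertTo-Json -Depth 10
[System.IO.File]::WriteAllText($ConfigPath, $json, (New-Object System.Text.UTF8Encoding($false)))

# 5. Show the result for review.
Get-Content -Path $ConfigPath
Write-Host "daemon.json updated. A commenter above reports the change only took effect after a reboot."
```

Every account placed in the group gets access to the Docker engine, so keep its membership limited to the accounts that need it, such as the build-agent user.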

harendt commented 1 year ago

> @andyofengland Not sure if I understand you: do you mean to create that entry in the config file?

I suggest instead mentioning the alternative approach (setting the group in daemon.json) in the README.md and referring to the Docker documentation (https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-docker/configure-docker-daemon#set-docker-security-group).

When I was looking for a solution to run Docker without admin rights, I only found this repository here (and the corresponding blog entry: https://www.axians-infoma.com/techblog/allow-access-to-the-docker-engine-without-admin-rights-on-windows/). So I thought, this was the only solution. But using a user group seems much more convenient, at least for me.