I often get bug reports from users asking why they can’t use `docker` as a non-root user by default.

Docker can set the socket /var/run/docker.sock to mode 660 with group ownership docker. This would allow users added to the docker group to run docker containers without having to execute sudo or su to become root. Sounds great…

ls -l /var/run/docker.sock 
srw-rw----. 1 root docker 0 Aug  3 13:02 /var/run/docker.sock

But on Red Hat Enterprise Linux (RHEL), Fedora, and CentOS we prefer to have docker.sock set to:

ls -l /var/run/docker.sock 
srw-rw----. 1 root root 0 Aug  3 13:02 /var/run/docker.sock

Why is that? Simple: if a user can talk to the docker socket, they can execute the following command:

docker run -ti --privileged -v /:/host fedora chroot /host

That gives them full root access to the host system. It is similar to giving them the following entry in sudoers:

grep dwalsh /etc/sudoers
dwalsh  ALL=(ALL)   NOPASSWD: ALL

That entry would allow them to run sudo sh and get the same access. But there is one big flaw with the docker-group approach: Docker has no auditing or logging built in, while sudo does.

Docker currently records events but the events disappear when the docker daemon is restarted. Docker does not currently do any auditing.

From a security perspective, Red Hat has expressed concerns with enabling access to the docker daemon from non-root users, absent auditing and proper logging. We’ve implemented those controls in PR14446 though it depends on an authentication framework which is still being discussed. Until we can implement proper auditing and logging, we recommend implementing sudo rules to permit access to the docker daemon. That allows sudo to provide logging and audit.
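As an added example (not code from the post, from Docker or from Red Hat), here is a small shell check an administrator can run to see who actually gets root-equivalent access through the socket. It takes the socket's mode, owner and group as printed by stat -c '%a %U %G', plus the contents of /etc/group, and lists the non-root users that the group permission lets in. The group file embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): report who can reach the docker socket.
# Inputs stand in for `stat -c '%a %U %G' /var/run/docker.sock` and for
# /etc/group; the sample group file below is constructed for illustration.

SAMPLE_GROUP_FILE='root:x:0:
wheel:x:10:dwalsh
docker:x:990:dwalsh,alice'

# socket_exposure MODE OWNER GROUP GROUPFILE
#   Prints, one per line, every non-root user who can write to the socket and
#   can therefore run `docker run --privileged -v /:/host ...` as root on the
#   host. Prints "ALL" if the socket is world-writable and nothing if only
#   root can write to it.
socket_exposure() {
    mode=$1 owner=$2 group=$3 groupfile=$4

    # keep only the last three octal digits ("0660" -> "660")
    perm=$mode
    while [ ${#perm} -gt 3 ]; do perm=${perm#?}; done
    gdigit=${perm%?}; gdigit=${gdigit#?}     # middle digit: group bits
    odigit=${perm#??}                        # last digit: other bits

    if [ $((odigit & 2)) -ne 0 ]; then
        echo ALL                             # every local user can write
        return 0
    fi
    [ "$owner" != root ] && echo "$owner"    # a non-root owner always has rw
    [ $((gdigit & 2)) -eq 0 ] && return 0    # group cannot write: done

    # list the members of the socket's group, excluding root itself
    printf '%s\n' "$groupfile" | awk -F: -v g="$group" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != "root") print m[i]
        }'
}

# usage on a live host:
#   socket_exposure $(stat -c '%a %U %G' /var/run/docker.sock) "$(cat /etc/group)"
socket_exposure 660 root docker "$SAMPLE_GROUP_FILE"
```

With the root:docker 660 socket the check prints dwalsh and alice; with root:root 660 (the Red Hat default) it prints nothing, which is the point of the default.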

Setting up sudo

If you want to give docker access to non-root users we recommend setting up sudo. Here is a short guide on how to do this.

Add an entry like the following to /etc/sudoers.

grep dwalsh /etc/sudoers
dwalsh        ALL=(ALL)       NOPASSWD: /usr/bin/docker

This will allow the specified user to run docker as root, without a password.

Note: I do not recommend using NOPASSWD, as this would allow any process on your system to become root. If you require the password, the user needs to enter their password when running the docker command, making the system a bit more secure. Once a password has been entered, sudo gives a five-minute grace period to run docker again without entering it.

Now, set up an alias for running the docker command:

alias docker="sudo /usr/bin/docker"

Now when the user executes the docker command as non-root, it is allowed and properly logged.

docker run -ti --privileged -v /:/host fedora chroot /host

Look at the journal or /var/log/messages.

journalctl -b | grep 'docker.*privileged'
Aug 04 09:02:56 dhcp-10-19-62-196.boston.devel.redhat.com sudo[23422]:   dwalsh : TTY=pts/3 ; PWD=/home/dwalsh/docker/src/github.com/docker/docker ; USER=root ; COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host

Look at the audit log:

ausearch -m USER_ROLE_CHANGE -i
type=USER_ROLE_CHANGE msg=audit(08/04/2015 09:02:56.514:1460) : pid=23423 uid=root auid=dwalsh ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='newrole: old-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
new-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/3 res=success'
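The sudo journal records above are what make the sudo route auditable. As an added example (not from the post), the following shell function scans sudo log lines in that format and flags the docker invocations that can escape to the host: those run with --privileged or with a bind mount of the host root. The log lines embedded in it are constructed in the format sudo writes, not real records.

```shell
#!/bin/sh
# Added example (not from the post): scan sudo log lines for docker invocations
# that can escape to the host. The log lines below are constructed in the
# format sudo writes to the journal; they are not real records.

SAMPLE_JOURNAL='Aug 04 09:02:56 host sudo[23422]:   dwalsh : TTY=pts/3 ; PWD=/home/dwalsh ; USER=root ; COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host
Aug 04 09:05:10 host sudo[23510]:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker run -ti --rm fedora /bin/sh
Aug 04 09:06:42 host sudo[23601]:   bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/docker run -v /:/mnt busybox sh
Aug 04 09:07:00 host sudo[23650]:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status docker'

# flag_docker_sudo: reads journal lines on stdin and prints "user<TAB>command"
# for each sudo record whose COMMAND is /usr/bin/docker run with --privileged
# or with a bind mount of the host root (-v /:... or --volume /:...).
flag_docker_sudo() {
    awk '
        /sudo\[[0-9]+\]:/ && /COMMAND=\/usr\/bin\/docker / {
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            # the invoking user is the first word after "sudo[pid]:"
            user = "?"
            if (match($0, /sudo\[[0-9]+\]: +[^ ]+/)) {
                user = substr($0, RSTART, RLENGTH)
                sub(/.*: +/, "", user)
            }
            if (cmd ~ /--privileged/ || cmd ~ /(-v|--volume)[ =]\/:/)
                printf "%s\t%s\n", user, cmd
        }'
}

# usage on a live host:  journalctl -b | flag_docker_sudo
printf '%s\n' "$SAMPLE_JOURNAL" | flag_docker_sudo
```

On the sample input only the dwalsh and bob entries are printed; alice's --rm fedora shell and the systemctl call are left alone. Note that this only works because sudo logged the full command line; a user talking to the socket directly would leave no such record.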

Better Security

Better yet, if you wanted to only allow a user to access a particular container, you could write a simple script:

cat /usr/bin/docker-fedora
#!/bin/sh
docker run -ti --rm fedora /bin/sh

After writing the script, configure sudoers to run it:

grep dwalsh /etc/sudoers
dwalsh        ALL=(ALL)       NOPASSWD: /usr/bin/docker-fedora

This user would only be able to run the fedora container, and without --privileged.
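The difference between the two sudoers rules above is what the audit below is about. As an added example (not from the post), this shell function reads sudoers-format lines and classifies every rule that reaches docker: ALL or a bare /usr/bin/docker (which sudo treats as "any arguments") is root-equivalent, /usr/bin/docker with fixed arguments is restricted, and anything else with docker in the command path, such as the wrapper script, is reported as other. It also shows whether the rule carries NOPASSWD. The sudoers content embedded in it is constructed, not a real file.

```shell
#!/bin/sh
# Added example (not from the post): audit sudoers rules that reach docker.
# Reads sudoers-format lines on stdin and prints, for each rule that grants
# ALL or a docker-related command:
#     user<TAB>class<TAB>NOPASSWD|PASSWD<TAB>command
# class is "root-equivalent" (ALL, or /usr/bin/docker with no argument
# restriction, which sudo treats as "any arguments"), "restricted"
# (/usr/bin/docker with fixed arguments) or "other" (e.g. a wrapper script).
# The sample below is constructed; it is not a real sudoers file.

SAMPLE_SUDOERS='Defaults env_reset
# site-local rules
root    ALL=(ALL)       ALL
dwalsh  ALL=(ALL)       NOPASSWD: /usr/bin/docker
alice   ALL=(ALL)       /usr/bin/docker-fedora
bob     ALL=(ALL)       NOPASSWD: /usr/bin/docker ps
%wheel  ALL=(ALL)       ALL
carol   ALL=(ALL)       /usr/bin/systemctl restart docker'

audit_docker_sudoers() {
    awk '
        # skip comments, blank lines, Defaults, aliases and anything without "="
        /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ || /^(User|Runas|Host|Cmnd)_Alias/ || !/=/ { next }
        {
            user = $1
            rest = $0
            # drop "user  host=(runas)" leaving the tag(s) and command list
            sub(/^[^ \t]+[ \t]+[^=]+=(\([^)]*\))?[ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            nopass = (rest ~ /(^|[ \t:])NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            sub(/^([A-Z]+:[ \t]*)+/, "", rest)          # strip NOPASSWD:, SETENV: ...
            n = split(rest, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                if (cmd == "ALL")                          cls = "root-equivalent"
                else if (cmd == "/usr/bin/docker")         cls = "root-equivalent"
                else if (cmd ~ /^\/usr\/bin\/docker[ \t]/) cls = "restricted"
                else if (cmd ~ /^[^ \t]*\/docker/)         cls = "other"
                else continue
                printf "%s\t%s\t%s\t%s\n", user, cls, nopass, cmd
            }
        }'
}

# usage on a live host:  audit_docker_sudoers < /etc/sudoers
printf '%s\n' "$SAMPLE_SUDOERS" | audit_docker_sudoers
```

On the sample, dwalsh's NOPASSWD rule for the bare docker binary is reported as root-equivalent, alice's wrapper rule as other, and bob's "docker ps" rule as restricted; carol's systemctl rule is not docker access and is skipped. The classification follows sudo's rule that a command listed without arguments may be run with any arguments, which is exactly why the bare /usr/bin/docker entry is as good as ALL.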

Authentication

We have other patches that we are working on to make the docker daemon more secure, including authentication. We have an ongoing discussion in issue #13697, “Adding Kerberos support to Docker”.

Authorization

We are also developing a proposal to add Authorization/RBAC (Role-Based Access Control) to docker, to allow administrators to specify which users are allowed to do which activity on which containers/images.

That proposal is on GitHub if you’d like to review it and add comments or suggestions.

Conclusion

We believe the security of managing the docker daemon needs a lot of improvement before we can think of opening up access to non-privileged users directly. Until these fixes are made, sudo is the best option. We’re working on better options, but for the time being we strongly recommend using sudo.