default user not added to docker group, have to do su $USER? - linux

I have Ubuntu 18.04. and after installing docker i added my user to docker group with the command
sudo usermod -aG docker ${USER}
and logged in
su - ${USER}
and if I check id, my user is added to docker group.
But when I reopen the terminal i cant do docker commands without sudo unless i explicitly do su ${USER}
also, I can't find docker group with the default user.
What am I missing here?

#larsks already replied to the main question in a comment, however I would like to elaborate on the implications of that change (adding your default user to the docker group).
Basically, the Docker daemon socket is owned by root:docker, so in order to use the Docker CLI commands, you need either to be in the docker group, or to prepend all docker commands by sudo.
As indicated in the documentation of Docker, it is risky to follow the first solution on your personal workstation, because this just amounts to providing the default user with root permissions without sudo-like password prompt protection. Indeed, users in the docker group are de facto root on the host. See for example this article and that one.
Instead, you may want to follow the second solution, which can be somewhat simplified by adding to your ~/.bashrc file an alias such as:
alias docker="sudo /usr/bin/docker"
Thus, docker run --rm -it debian will be automatically expanded to sudo /usr/bin/docker run --rm -it debian, thereby preserving sudo’s protection for your default user.

Related

How to access Azure Container Instance as root user?

I have an Azure Container Instance that has a non root user as default. For debugging and experimentation, I'd like to exec into the container like you would with a normal docker container: docker exec -u root ..., so that I have sudo permissions in the container. As detailed in Interacting with a container in Azure Container Instances, you can run exec commands through az container exec ..., but as was mentioned in Christian's answer, https://stackoverflow.com/a/50334426/17129046, there doesn't seem to be a way to add extra parameters, not just for the program being run, but there also doesn't seem to be support for any of the additional options you'd have with docker exec, including the -u option to change the user that logs in to the container when running docker exec -u root ... '/bin/bash'.
I have tried using su in the container, but it prompts for a password, and I don't know what that password would be, since the dockerfile that created the image this ACI uses doesn't set a password as far as I know (The image is created via bentoml). The default user is called bentoml. Result from running id:
uid=1034(bentoml) gid=1034(bentoml) groups=1034(bentoml)
Is there a workaround for this? Maybe a way to ssh into the container as root?
I tried to reproduce the issue and got the below output
I have pulled the docker image from the docker hub using below command
docker pull <image_name>
While pulling the image from docker we need to give the credentials if it ask
I have run the image using below command
docker run -it <image_id> /bin/bash
Here the container is running and I am not able to use root user commands
For accessing container as root use the below command
docker run -u 0 -it image_id /bin/bash
Here I can able to install all root packages now
You can use this docker file for setting the no password then it won't ask any password
RUN apt-get update \
&& apt-get install -y sudo
RUN adduser --disabled-password --gecos '' docker
RUN adduser docker sudo
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
USER docker

Can't run docker as a normal user

I can't run docker commands as my own user. But I know that the service is running because I can run commands as sudo:
$ docker ps
Cannot connect to the Docker daemon at unix:///run/user/1000/docker.sock. Is the docker daemon running?
$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
(snip) (snip) (snip) 13 days ago Up 2 hours (healthy) 9000/tcp (snip)
I am successfully running a few containers, and they each work, but I have another not listed in 👆 that I need to run as my own user.
I am part of the docker group:
$ groups
docker www-data video tim
I'm not sure what else to check. I do have this:
$ echo $DOCKER_HOST
unix:///run/user/1000/docker.sock
Also:
$ uname -r
5.4.0-65-generic
$ docker --version
Docker version 19.03.6, build 369ce74a3c
This is on Ubuntu 18.04.5 LTS
As you followed all the post installation steps correctlly, as far as I can tell, my best guess is that has to do with the DOCKER_HOST environment variable.
Does it help if you unset DOCKER_HOST? (Perhaps you need to log out, so it has an effect.)
On my system, docker ps works with sudo, but once I set DOCKER_HOST=unix:///run/user/1000/docker.sock, I get the same error as you.
For some background, here is a question about the DOCKER_HOST variable. In essence, that variable should normally not be set.
Return to the default sock path (unix:///var/run/docker.sock), by unsetting DOCKER_HOST and removing an errant config files:
unset DOCKER_HOST
rm -r ~/.docker
The Docker Daemon must be restarted after creating the “docker” group:
sudo services docker restart
Then, ensure you add your current user to the group:
sudo usermod -a -G docker $USER
This will ensure your user has access to the socket file.
UPDATE: 12/2022
Recently had to do this on Ubuntu 22.04 LTS and ran into the login shell persisting the previous group.
Since the UI manages the login shell, a restart is either required, or you need to replace the process with exec. You can work around this issue, until you restart, by replacing your current shell process: (use $0 instead, if $SHELL doesn't match your preferred shell)
exec sudo -u $USER -E $SHELL

How to Find The User Who Stopped Docker Container

I want to know what is the user who stopped a docker container.
There are several user accounts on my server. I suspect that one of them sometimes stops the container.
How can I find the user that performed this operation?
You can use su -c history username to check command history of a user, I don't know how many users you have but you could loop through them and grep for commands taking docker containers down.
You can install GNU Accounting Utilities, to be able to see commands executed by users:
#centos
yum install psacct
# ubuntu:
apt-get install acct
#Also make sure that the cooresponding service is enabled:
/etc/init.d/psacct status
Then, after you realize that the container is stopped execute:
lastcomm --command docker
# or
lastcomm --command kill
to see which executed the above command(s).
You can use the above in combination with:
docker container logs <name-of-the-container>
to see what is the exact time on which the container was stopped. (E.g. you may see a message on the logs: "stopping service..") and match it with lastcomm output.
Other useful commands that come with the above package:sa, ac

How the Unix user level is affecting my visibility to docker images?

I am very new to Unix/docker,
I have the following two outputs on the console,
admin#ansible:~/nachiket/workspace/docker-nachi-sample-app$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
admin#ansible:~/nachiket/workspace/docker-nachi-sample-app$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nachiketjoshi/python-log-generator latest ca675b7439ab About an hour ago 908MB
python 2.7 4ee4ea2f0113 3 weeks ago 908MB
can someone explain how the Unix user level is affecting my visibility to docker images...
It is because
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
So, after installing docker to have the same access level on another user instead of root you need to perform:
sudo groupadd docker
sudo usermod -aG docker $USER
Then verify if it worked on docker uses:
docker run hello-world
If everything goes right try to execute docker images and see if it has the same access level, I've tested on CentOS and it worked
Reference: https://docs.docker.com/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user

Docker "permission denied" in container

I am trying to run a docker image by
docker run -it -v $PWD/examples:/home/user/examples image
which should make $PWD/examples in the host accessible in the container. However when I ls in the container, it keeps giving me
ls: cannot access 'examples': Permission denied
I have tried the answers for similar questions, the z/Z option and chcon -Rt svirt_sandbox_file_t /host/path/ and run --privileged, but neither of them have any effect in my case.
In fact, the z option appears to work for the first time ls, but when I issue ls the second time it is denied again.
In the comments it turned out that there is probably a USER instruction in the Dockerfile of the image. This user is not allowed to access examples due to file access permissions of examples.
It is possible to supersede USER with docker run option --user.
A quick and dirty solution is to run with --user=root to allow arbitrary access.
Be aware that files written as root in container to folder examples will be owned by root.
A better solution is to look for owner of examples, call him foo. Specify its user id and group id to have exactly the same user in container:
docker run --user $(id -u foo):$(id -g foo) imagename
Another possible solution is to allow arbitray access with chmod 666 examples or chmod 644 examples, but most probably you don't want that.
The best way would be to look at the Dockerfile and check the purpose of USER instruction.
If it only serves the purpose of avoiding root in container, the best way is to use --user=foo or more precisely --user=$(id -u foo):$(id -g foo).
If something in Dockerfile/image relies on specific USER, it may be the best to change access permissions of examples.
If you have access to the Dockerfile, you may adjust it to fit your host user/the owner of examples.
Try running the container as privileged:
sudo docker run --privileged=true -itd -v /***/***:/*** ubuntu bash
for example: sudo docker run --privileged=true -itd -v
/home/willie:/wille ubuntu bash

Resources