Radoslaw Smigielski

10 September 2018

Change docker daemon group

by Radosław Śmigielski

Why?

On some Linux distros the Docker daemon runs as root:root, which is not always what you want on your dev machine.

  1. you need to use the root account to work with docker
  2. let’s do this the right way, using systemd, not a hacky way, so no upgrade will break it
  3. if you compile projects like Kubernetes you need a running Docker, and you really do not want to compile stuff from the root account

Why not?

On a real production system you probably want to leave docker running under the root account, because the docker group grants privileges almost equivalent to the root user. More on that topic: Docker Daemon Attack Surface

How?

Below you can find how to run docker under a group other than root, so that you can add normal users to the docker group and do not have to use the root account to work with docker.

  1. Create the docker group and add your user to that new group
    sudo groupadd docker
    sudo usermod -aG docker $USER
    
  2. Log off and log in again so that $USER becomes a member of the docker group.
  3. Take the distro's docker systemd service file, usually /usr/lib/systemd/system/docker.service, and copy it to /etc/systemd/system/docker.service. The copy overrides the existing docker systemd unit, lets you customize it and makes sure the change persists across the next docker daemon upgrade.
    cp /usr/lib/systemd/system/docker.service /etc/systemd/system/docker.service
    
  4. Use the --group option, which is documented as:
    -G, --group=""
        Group to assign the unix socket specified by -H when running in daemon mode.
        use '' (the empty string) to disable setting of a group. Default is docker.
    

    Edit your custom docker service file /etc/systemd/system/docker.service and add the --group option to the ExecStart line

    ExecStart=/usr/bin/dockerd-current \
           ... 
           --group docker \
           ... 
    
  5. Reload systemd config files
    systemctl daemon-reload
    
  6. Verify your new docker service file is picked up by docker daemon
    systemd-delta --type=overridden
    
  7. Restart docker.service
    systemctl restart docker.service
    
  8. Validate that your $USER can successfully execute docker commands and that the docker unix socket has the desired group.
    $ ls -al /var/run/docker.sock
    srw-rw----. 1 root docker 0 Sep 10 04:59 /var/run/docker.sock
    
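The whole procedure above, as an added example that is not part of the original post and not Docker's or systemd's own code: a POSIX sh script with two helpers. The first adds the --group option to the ExecStart line of a copied unit file (step 4) without touching a unit that already passes -G/--group; the second validates the owner, group and mode of the socket from an "ls -l" line, as in step 8. The group name, the DOCKER_GROUP variable, the function names and the sample unit content are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the procedure above:
# add_group_option rewrites the ExecStart line of a copied docker.service so
# dockerd gets "--group <group>"; check_socket_line validates an "ls -l" line
# for the docker socket. The group name, DOCKER_GROUP and the sample unit are
# assumptions.

DOCKER_GROUP="${DOCKER_GROUP:-docker}"

# add_group_option: read a unit file on stdin and write it to stdout with
# "--group $DOCKER_GROUP" appended to the ExecStart line. A trailing backslash
# continuation is kept. If the unit already passes -G/--group anywhere (also on
# a continuation line) it is returned unchanged, so running it twice is safe.
add_group_option() {
    unit=$(cat)
    if printf '%s\n' "$unit" | grep -Eq -- '(^|[[:space:]])(--group|-G)([[:space:]=]|$)'; then
        printf '%s\n' "$unit"
        return 0
    fi
    printf '%s\n' "$unit" | awk -v grp="$DOCKER_GROUP" '
        /^ExecStart=/ {
            cont = sub(/[ \t]*\\$/, "")   # strip and remember a trailing "\"
            $0 = $0 " --group " grp
            if (cont) $0 = $0 " \\"
            print
            next
        }
        { print }'
}

# check_socket_line: given one "ls -l" line for the socket, return 0 only when
# it is a socket (leading "s"), owned by root, group $DOCKER_GROUP, with mode
# rw for owner and group and nothing for others (srw-rw----). A trailing "."
# or "+" on the mode field is the SELinux / ACL marker and is accepted.
check_socket_line() {
    set -- $1
    mode=$1 owner=$3 group=$4
    case "$mode" in
        srw-rw----|srw-rw----.|srw-rw----+) ;;
        *) return 1 ;;
    esac
    [ "$owner" = root ] && [ "$group" = "$DOCKER_GROUP" ]
}

# check_socket_path: same check against a real socket path (needs a running
# daemon, so it is not exercised by the constructed sample below).
check_socket_path() {
    check_socket_line "$(ls -ld "$1")"
}

# Constructed sample unit, modelled on the ExecStart shown in step 4; it is not
# a real distro file.
SAMPLE_UNIT='[Service]
ExecStart=/usr/bin/dockerd-current \
          --selinux-enabled \
          --log-driver=journald
KillMode=process'

# demo: print the rewritten sample unit and check the "ls -l" line from step 8.
# Returns 0 when the socket line passes.
demo() {
    printf '%s\n' "$SAMPLE_UNIT" | add_group_option
    check_socket_line 'srw-rw----. 1 root docker 0 Sep 10 04:59 /var/run/docker.sock'
}
```

On a real machine the rewrite step is, as root, `add_group_option < /usr/lib/systemd/system/docker.service > /etc/systemd/system/docker.service`, followed by steps 5 to 7 (daemon-reload, systemd-delta, restart); `check_socket_path /var/run/docker.sock` then performs the step 8 check and fails if the socket is still root:root or readable by others.
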
tags: docker - fedora - systemd