Control docker without root

[thomas-mc-work]

Regarding: https://docs.olivetin.app/install/docker_compose.html

I saw your recommendation to let the olivetin container run with root permission ion order to control the docker daemon. There is another way to achieve the same without becoming root and thus breaking some security principles: It's possible to add the group id of the docker group to the container user.

1. Get the group id: getent group docker

2. Add this to the docker-compose.yml:

    group_add:
      - "995" # docker
   

And that's it! WDYT? The impact from a security perspective is a lot less than working with a root user.

[jamesread]

Hey @thomas-mc-work , thanks for taking the time to raise this issue - I like that solution a lot better than running the container as root! I would be happy to change the docs to use that technique.

However, I just checked on my local workstation, and it seems like I don't have a docker usergroup - where does GID 995 come from - is this perhaps a Debian thing?

[thomas-mc-work]

is this perhaps a Debian thing?

Oh, might be. There is a group with the name docker. All members are allowed to use the Docker daemon. I thought this is commmon for Docker. Which OS are you on?

[thomas-mc-work]

Just spotted this in the Docker docs:

If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group. On some Linux distributions, the system automatically creates this group when installing Docker Engine using a package manager. In that case, there is no need for you to manually create the group.

If the only thing it requires is creating a group named docker then I think it would be reasonable to communicate that in the OliveTin docs. Maybe you could try that on your machine?