问题描述
在Docker的文档页面上,所有示例命令都显示为不包含sudo,如下所示:
docker ps
在Ubuntu上,二进制文件被称为docker.io。如果没有sudo,它也不起作用:
sudo docker.io ps
我如何配置Docker,以便我不需要为每个Docker命令添加sudo前缀?
最佳解决办法
docker manual有这样的说法:
Giving non-root access
The docker daemon always runs as the root user, and since Docker version 0.5.2, the docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root, and so, by default, you can access it with sudo.
Starting in version 0.5.3, if you (or your Docker installer) create a Unix group called docker and add users to it, then the docker daemon will make the ownership of the Unix socket read/writable by the docker group when the daemon starts. The docker daemon must always run as the root user, but if you run the docker client as a user in the docker group then you don’t need to add sudo to all the client commands. As of 0.9.0, you can specify that a group other than docker should own the Unix socket with the -G option.
Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details and this blogpost on Why we don’t let non-root users run Docker in CentOS, Fedora, or RHEL (thanks michael-n).
重要阅读:post-installation steps for Linux(它也链接到Docker Daemon Attack Surface details)。
Manage Docker as a non-root user
The docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the root user.
If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.
-
如果它尚不存在,请添加docker组:
sudo groupadd docker -
将连接的用户”$USER”添加到docker组。如果您不想使用当前用户,请更改用户名以匹配您的首选用户:
sudo gpasswd -a $USER docker -
执行
newgrp docker或注销/进入以激活对组的更改。 -
您可以使用
docker run hello-world检查是否可以不使用sudo运行docker。
次佳解决办法
要运行没有sudo的docker命令,您需要将您的用户(拥有root权限的用户)添加到docker组。为此运行以下命令:
sudo usermod -aG docker $USER
现在,让用户注销然后再次登录。这个解决方案在正确的安装过程中已经很好地解释了here。
第三种解决办法
将用户添加到组docker授予运行docker权限的机制是通过/var/run/docker.sock访问docker的套接字。如果包含/var/run的文件系统已启用ACL,则也可以通过ACL来实现。
sudo setfacl -m user:username:rw /var/run/docker.sock
我只是包括这个完整性。
一般来说,我建议在每个基于组的好的备选方案时避免使用ACL:最好通过仅查看组成员身份来理解系统中的权限。为了理解系统权限而必须扫描文件系统的ACL条目是安全审计的另一个负担。