
I have a compute server with users that authenticate over AD.

I want these users to be able to use Docker without making them sudoers.

The official advice is to add users to the docker group, as "[w]hen the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group." So users belonging to the group docker won't need to run commands with sudo.

I can't add an AD user to a local group though.

How can I let them use Docker CE as non-root without creating local accounts?

Louis Waweru
  • You do know that you can give (groups of) users very limited privileges in `sudo`; you don't have to grant them unlimited access to run any command as root or any other user. - Is setting up `/etc/sudoers` to only allow those users to run the `docker` command not sufficient? – HBruijn Jun 05 '18 at 05:39
  • @HBruijn yes, in my ignorance that is exactly my thinking. And I did not know that. Can you point me at how to get started with looking at a granular sudo setup? – Louis Waweru Jun 05 '18 at 05:40
  • In most distributions both the `/etc/sudoers` configuration file and its manual page `man sudoers` will already contain quite a few examples on how to group commands and set up permissions for specific users or for groups of users to run only those commands. But in the most simple form: add a line `louis ALL = (root) /usr/bin/docker` to allow your user to only run (as root) docker with `sudo` – HBruijn Jun 05 '18 at 05:47

2 Answers


Add your user to docker group explicitly in `/etc/group` and specify the group in `/etc/docker/daemon.json`.

`/etc/group`:

```
docker:x:groupID:user
```

`/etc/docker/daemon.json`:

```json
{
  "live-restore": true,
  "group": "docker"
}
```

Restart docker daemon.

njha
  • This requires manually editing this file for every new user. This is rather tedious in a company where people come and go. – Harald Thomson Dec 01 '20 at 06:03

Hi there, to complement what Louis said, on Ubuntu I ran `visudo` and added the

```
Dockeruser ALL = NOPASSWD: /usr/bin/docker
```

This way the user Dockeruser can run docker with sudo without even having to reenter the password:

```
Dockeruser@dockerserver:~# sudo docker ps
```
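
Added example, not written by any of the posters above: the group-based form of the sudoers rule from HBruijn's comment, rendered for a whole group (such as an AD group the host already resolves) and checked with `visudo -c -f` before it is installed, so no file has to be edited per user. The group name `docker users`, the drop-in path `/etc/sudoers.d/docker-users` and both function names are assumptions.

```shell
#!/bin/sh
# Added example: sudoers drop-in that lets one group run only /usr/bin/docker.
# Group name and drop-in path are assumptions, not values from the thread.
# Running docker through sudo is still root-equivalent access to the host,
# so treat membership of this group like membership of an admin group.

# Print the sudoers rule for a group, or fail on an unsafe group name.
render_docker_sudoers() {
    group=$1
    # Allow only letters, digits, '.', '_', '-' and spaces so a crafted name
    # cannot smuggle extra sudoers syntax (commas, '=', newlines) into the file.
    case $group in
        ''|*[!A-Za-z0-9._\ -]*)
            echo "unsupported group name: $group" >&2
            return 1 ;;
    esac
    # sudoers needs spaces inside a name escaped with a backslash.
    escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s ALL = (root) /usr/bin/docker\n' "$escaped"
}

# Validate the rule with visudo before it goes live (run as root).
install_docker_sudoers() {
    target=${2:-/etc/sudoers.d/docker-users}   # hypothetical drop-in path
    tmp=$(mktemp) || return 1
    if render_docker_sudoers "$1" > "$tmp" && visudo -c -f "$tmp" >/dev/null
    then
        # 0440 root:root is the mode sudo expects for its configuration files.
        install -m 0440 -o root -g root "$tmp" "$target"
        status=$?
    else
        echo "rule rejected; nothing installed" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Constructed sample input: an AD group called "docker users".
render_docker_sudoers "docker users"
```

Group names containing other characters (for example `DOMAIN\group` or `group@domain`) are rejected by this example rather than escaped.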