Option to run docker commands using sudo
ambsw-technology opened this issue · 2 comments
ambsw-technology commented
The discussion started on docker-fabric. TL;DR
- This article argues that `sudo docker` (with a very restrictive `sudoers` line and an alias to `docker`) is a better security practice than adding users to the `docker` group.
- This approach also makes it easy to manage docker execution privileges from LDAP since `sudoers` supports LDAP groups.
- @merll indicated that the key constraint is the way `docker-map` interacts with docker -- using the `docker-py` API client through `socat`. `docker-map` would need to issue shell commands instead.

Since these commands would need to be issued by `docker-map`, I'm moving the ticket here.
ambsw-technology commented
Imagine we had a "docker CLI" wrapper that supported the exact same interface as the `docker-py`'s client. I believe:
- That package could be injected into `DockerClientWrapper` without making any other changes to this project.
- It would work as a drop-in replacement (for `docker-py`) in any project currently using the docker API.

Obviously, this isn't a complete solution to the `fabric` issue, but it would isolate the API vs. CLI issue to a reusable project with a well-defined interface that would have no interdependencies with `docker-map`.
ambsw-technology commented
Closing. The new CLI option is working great (thanks!).