Re: [atomic-devel] Proposal: no docker group by default

[Daniel J Walsh <dwalsh redhat com>]

I think we should say we are going to work on RBAC/Auditing and
policykit integration before we turn it on.

It is especially not ready for Enterprise Systems.

On 01/16/2015 10:35 AM, M. Edward (Ed) Borasky wrote:
> I'm actively using Docker as a member of the 'docker' group on my
> workstation, but it's no great hassle for me to stop. So I vote for
> removing the group and saying it was a bad idea.
>
> On Fri, Jan 16, 2015 at 7:23 AM, Lokesh Mandvekar
> <lsm5 fedoraproject org> wrote:
>> On Fri, Jan 16, 2015 at 10:09:50AM -0500, Colin Walters wrote:
>>> On Fri, Jan 16, 2015, at 09:41 AM, Stef Walter wrote:
>>>
>>>> It should not be routine to add users to this group. It should be
>>>> routine to sudo in order to use docker.
>>> Fully agree.
>>>
>>>> It would be important to make such a decision soon. Ideally this week,
>>>> since people will come to depend on this group being present by default.
>>> A major wrinkle here though is upgrades. Fedora 21 (and Atomic variant) have
>>> already shipped and included a docker package with this group.
>>>
>>> And in order to make it work, we have a docker.socket that references
>>> the group.
>> Changes to docker.socket would need to be upstreamed as well.
>> https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
>>
>>> My concern here is that if we ship an update that drops the %pre
>>> and changes docker.socket to be root:root, it will break anyone who
>>> is using the group now - the group will still be there on upgrades, but
>>> the socket defaults will change.
>>>
>>> I'd say we could certainly make this change in rawhide - it's reasonable
>>> to require some admin intervention after major updates.
>>>
>>> Or alternatively, we could just say it was a bad idea and ship a F21
>>> update that makes this change.
>>>
>> --
>> Lokesh
>> Freenode, OFTC: lsm5
>> GPG: 0xC7C3A0DD
>
>