
Comments (3)

merll commented on June 18, 2024

Thank you for sharing the article. Unfortunately, docker-fabric would not work with this, since just like the docker command line client it requires access to the socket. Therefore docker-fabric would have to generate command line strings rather than communicating with the API directly. I am currently refactoring parts of the underlying library Docker-Map which would technically also make this easier, but it would require some more work in order to get all options transformed correctly.

In docker-fabric, socat handles the redirection of the client to the socket. Therefore, if it is just about knowing when Docker is run, socat (or an alias thereof) could be prefixed with sudo. (That would be easy to implement.) However, that would not expose to the system logs which containers are being run and in which configuration. So in the sense of the article, it is not sufficient.

If the idea is to restrict management to a set of managed containers, I would suggest implementing a script based on Docker-Map that either cannot be modified or simply disallows setting the privileged flag by checking configuration and keyword arguments before creating a container. That script and its configuration would have to be installed directly on the server, but could be invoked via Fabric.


ambsw-technology commented on June 18, 2024

The goal is the audit logs... not restricting container access.

I also realized that I closed this issue too soon since a full solution requires a change to the way commands are piped to the client... which is all handled in this project.

If you like my suggested strategy in docker-map, we'd still need a way to get those commands to run on the remote machine. I'm thinking we could write the docker CLI module with a "call" method that basically shadows subprocess.call. docker-fabric need only overload that method with an appropriate fabric command (e.g. run or sudo).


merll commented on June 18, 2024

Implemented in release 0.4.0.
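
The split discussed in this thread, as an added example that is not part of the original comments and not code from docker-fabric or Docker-Map: a CLI class builds the `docker run` command string, refuses the privileged flag, and routes everything through one overridable `call` method. `DockerCli`, `SudoDockerCli`, `build_run`, `run_container` and `demo` are hypothetical names, and the injected runner stands in for Fabric's `run` or `sudo`.

```python
import shlex
import subprocess


class DockerCli:
    """Hypothetical CLI front end: container options -> `docker run` command string."""

    def call(self, cmd):
        # Local default, shadowing subprocess.call as proposed in the thread.
        return subprocess.call(cmd, shell=True)

    def build_run(self, image, name=None, privileged=False, volumes=(), env=None):
        if privileged:
            # Policy check from the first comment: refuse before a container is created.
            raise ValueError("privileged containers are not allowed")
        argv = ["docker", "run", "-d"]
        if name:
            argv += ["--name", name]
        for vol in volumes:
            argv += ["-v", vol]
        for key, value in sorted((env or {}).items()):
            argv += ["-e", f"{key}={value}"]
        argv.append(image)
        # Quote every token so an option value cannot break out of the command line.
        return " ".join(shlex.quote(arg) for arg in argv)

    def run_container(self, image, **kwargs):
        return self.call(self.build_run(image, **kwargs))


class SudoDockerCli(DockerCli):
    """Overrides only call(); the runner is injected (assumed: Fabric's sudo or run)."""

    def __init__(self, runner):
        self.runner = runner

    def call(self, cmd):
        return self.runner(cmd)


def demo():
    seen = []  # constructed stand-in for what the remote runner was asked to execute

    def fake_sudo(cmd):
        seen.append(cmd)
        return 0

    cli = SudoDockerCli(fake_sudo)
    cli.run_container("nginx:1.25", name="web",
                      volumes=["/srv/www:/usr/share/nginx/html:ro"], env={"TZ": "UTC"})
    return seen
```

Because the full container configuration is in the command string handed to the runner, running it under sudo puts that configuration in front of the system's command logging, which prefixing socat with sudo does not.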
