
This is what sudo is for. Give each user access to run their containers (and only their containers) as a member of the docker group in sudoers.



This doesn't work when users may need to run arbitrary (or user-defined) containers. You can only sudo so much... But, perhaps you could restrict it to "sudo docker run". I'll have to give that a try. But that would make it extraordinarily more difficult for a user to stop / rm / kill a container. Plus, it's not like docker has the concept of an "owner" for a container - does it?

Nonetheless, you shouldn't need to run anything as root in order to start a container that doesn't require extra privileges.


Please clarify what you mean by "access to run ... only their containers". How is that possible?
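One way to get the "only their containers" behaviour the first comment suggests, and to give Docker the owner notion the reply says it lacks: point sudoers at a small wrapper instead of the docker binary, let the wrapper label every container it starts with the invoking user, and refuse stop/rm/kill on containers without that label. This is an added example, not code from the thread; the wrapper name, the sudoers line and the label key are assumptions, and the option deny list is illustrative rather than exhaustive (an image allowlist would be stronger).

```shell
#!/bin/sh
# docker-owned (hypothetical name): the only command sudoers exposes, e.g.
#   %dockerusers ALL=(root) NOPASSWD: /usr/local/sbin/docker-owned
# Containers started here carry the label OWNER_LABEL=<SUDO_USER>; stop/rm/kill
# are refused unless the target carries the caller's label.
set -u
DOCKER=${DOCKER:-docker}
OWNER_LABEL=example.owner   # constructed label key

# Refuse run options that hand the container host resources or let the user
# set labels (which would allow spoofing ownership). Deny list, not exhaustive.
run_args_ok() {
    for a in "$@"; do
        case "$a" in
            --privileged|--pid|--pid=*|--network=host|--net=host|--ipc=host|--userns=host|\
            --label|--label=*|-l|-v|--volume|--volume=*|--mount|--mount=*|\
            --cap-add|--cap-add=*|--device|--device=*|--security-opt|--security-opt=*)
                return 1 ;;
        esac
    done
    return 0
}

# Policy: caller ($1) may act on a container only if its owner label ($2) matches.
owner_allows() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Owner label of a container, empty if unset or the container does not exist.
container_owner() {
    "$DOCKER" inspect --format "{{ index .Config.Labels \"$OWNER_LABEL\" }}" "$1" 2>/dev/null
}

main() {
    caller=${SUDO_USER:?must be run through sudo}
    cmd=$1; shift
    case "$cmd" in
        run)
            run_args_ok "$@" || { echo "refused: option grants host access" >&2; exit 1; }
            exec "$DOCKER" run --label "$OWNER_LABEL=$caller" "$@" ;;
        stop|rm|kill)
            for c in "$@"; do
                owner_allows "$caller" "$(container_owner "$c")" \
                    || { echo "refused: $c is not owned by $caller" >&2; exit 1; }
            done
            exec "$DOCKER" "$cmd" "$@" ;;
        ps)  exec "$DOCKER" ps -a --filter "label=$OWNER_LABEL=$caller" ;;
        *)   echo "usage: docker-owned run|stop|rm|kill|ps ..." >&2; exit 2 ;;
    esac
}
# With no arguments only the functions are defined (so the file can be sourced).
[ $# -eq 0 ] || main "$@"
```

Users then invoke `sudo docker-owned run ...` and `sudo docker-owned stop <id>`; `sudo -l` on a member account should list only the wrapper, never `/usr/bin/docker` itself.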


sudo arguably is another vector of attack.



