Openstreetmap-carto: unexpectedly required sudo for running docker

Created on 21 Aug 2017 · 10 Comments · Source: gravitystorm/openstreetmap-carto

very similar to #2710, subtask of #2291, about https://github.com/gravitystorm/openstreetmap-carto/blob/master/DOCKER.md

docker-compose up import was failing on my system for a long time with

ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?

If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.

It turned out that sudo docker-compose up import was necessary (guessed after reinstalling everything as advised on https://docs.docker.com/engine/installation/linux/docker-ce/ubuntu/#install-using-the-repository and noticing that sudo docker run hello-world required sudo).

Is it possible that on a normal Linux system sudo will be required? What is required on Windows?

Maybe mention the possible sudo requirement to reduce confusion?

docker general input needed

All 10 comments

The note about testing Docker containers was included in #2712, but this fix was rejected.

It's probably better to add the current user to the docker group instead of constantly using sudo:

sudo usermod $(whoami) -G docker -a

> It's probably better to add the current user to the docker group instead of constantly using sudo:

AFAIK this effectively makes the current user a superuser, which is not desirable. See for example https://askubuntu.com/questions/477551/how-can-i-use-docker-without-sudo/477554#477554

> Warning: The docker group (or the group specified with -G) is root-equivalent; see Docker Daemon Attack Surface details and this blogpost on Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL (thanks michael-n).

We could also advise something like:

echo "$(whoami) ALL=(ALL) NOPASSWD: /usr/bin/docker" | sudo tee -a /etc/sudoers.d/docker

and all the complicated stuff from https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/, but it gets hairy here (lots of distro specific things to check, some security decisions to be made) and the reason for rejection was that "it's out of scope for what we should be documenting".

Hm, maybe add "setup docker" step with link to the official documentation?

I tend to not be a huge fan of the docker docs, but linking to them here makes sense.

> not be a huge fan of the docker docs

Poor quality? At least hello world worked for me (but that is all that I tested)

> It's probably better to add the current user to the docker group instead of constantly using sudo

In fact, just quickly hoping to help: after following the steps to install Docker, it is recommended to perform the post-installation steps.

What is our decision regarding this ticket? Do we want to add any hints about Docker in this repo, or do we consider it to be a completely external problem?

> What is our decision regarding this ticket? Do we want to add any hints about Docker in this repo, or do we consider it to be a completely external problem?

docker install and setup is beyond our scope. We could link to the docs.

I prefer linking to both official Docker and unofficial @Ircama docs then. The first one is just official, but the second one is as close to our project as it gets, and it would be enough to warn users about its status.
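
An added example (not from the thread or the openstreetmap-carto project) that audits the two options discussed above, docker group membership and a NOPASSWD sudoers rule for docker, by listing which accounts hold them. The function names and sample files are constructed for illustration; on a real host pass /etc/group, /etc/passwd and the sudoers files instead.

```shell
#!/bin/sh
# Added example: list accounts that can drive the Docker daemon as root
# without a password prompt. Function names are illustrative.

# Users in the docker group: supplementary members (group field 4) plus
# users whose primary GID is the docker GID (passwd field 4).
docker_group_users() {  # $1 = group file, $2 = passwd file
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$1")
    [ -n "$gid" ] || return 0
    {
        awk -F: '$1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | LC_ALL=C sort -u
}

# Sudoers subjects (users or %groups) with a NOPASSWD rule naming a docker
# or docker-compose binary. Blanket "NOPASSWD: ALL" rules are not covered.
sudoers_docker_nopasswd() {  # $@ = sudoers files
    awk '!/^[ \t]*#/ && /NOPASSWD:/ && /\/docker(-compose)?([ \t,]|$)/ { print $1 }' "$@" | LC_ALL=C sort -u
}

# Constructed sample data, not taken from any real host.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/group" <<'EOF'
root:x:0:
docker:x:999:alice,bob
staff:x:50:carol
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
ci:x:1001:999::/home/ci:/bin/sh
EOF
cat > "$demo/sudoers" <<'EOF'
# dave ALL=(ALL) NOPASSWD: /usr/bin/docker
erin ALL=(ALL) NOPASSWD: /usr/bin/docker
%ops ALL=(ALL) NOPASSWD: /usr/local/bin/docker-compose, /usr/bin/systemctl
frank ALL=(ALL) /usr/bin/docker
EOF
echo "docker group (root-equivalent): $(docker_group_users "$demo/group" "$demo/passwd" | tr '\n' ' ')"
echo "passwordless sudo for docker:   $(sudoers_docker_nopasswd "$demo/sudoers" | tr '\n' ' ')"
```

Every account either function prints should be treated as having root on the host when reviewing who may run the Docker setup.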
