Vagrant 1.8.1 and 1.9.1 tested
Ubuntu 16.04.1 LTS
docker 1.12.3 native (other providers libvirt and lxc also working)
# Copy-paste your Vagrantfile here
N/A, issue is obvious: vagrant is not prompting for or using sudo when running docker commands (as provider, not provisioner)
vagrant up
A Docker command executed by Vagrant didn't complete successfully!
The command run along with the output from the command is shown
below.
Command: ["docker", "ps", "-a", "-q", "--no-trunc", {:notify=>[:stdout, :stderr]}]
Stderr: Cannot connect to the Docker daemon. Is the docker daemon running on this host?
Stdout:
Vagrant prompts for sudo password. I note other plugins like landrush and lxc do so.
Vagrant didn't use sudo or prompt for password when it lacked permission on docker socket
The workaround is to simply run sudo vagrant up --provider docker, but this runs more code with root privileges than is desirable?
The workaround is not great. .vagrant or files within it end up getting owned by root.
Hi there. sudo isn't required for docker. Just add the docker group to your user: sudo usermod -aG docker $USER. You'll need to log back in afterwards so your groups are updated. Cheers!
I would love to see Vagrant supporting docker with sudo. Being part of the docker group is equivalent to running as root all the time. Docker is a privileged daemon, and is able to mount and write every file of your system, thus being part of the docker group is pretty dangerous...
Hi, same here.
Adding yourself to the docker group is a serious security issue ( details are there https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface although I find that https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/ sums it up quite nicely ).
On the other hand, using sudo to run vagrant commands themselves does kind of work but makes a mess of file ownership/permissions.
I currently use a wrapper script (see https://github.com/codeenigma/ce-vm/blob/4.x/scripts/vagrant-docker-sudo.sh) that adds my user to the docker group, runs my vagrant command, and then removes me from the docker group again.
However, this is far from ideal, and I'd rather get rid of this ugly workaround and have a switch in Vagrant itself.
I’m with the guys above on this. Having the docker group is a security hole that shouldn’t be forced on Vagrant users.
I had to hack around this by adding aliases to ~/.bash_aliases for day-to-day use.
shopt -s expand_aliases
alias docker='sudo docker'
alias docker-compose='sudo docker-compose'
Prime it with sudo whoami, so sudo doesn't prompt again (given a sudo timeout), and then run vagrant up so sudo prompts aren't an issue.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.