Docker Basics 7

2022-02-09 19:36:13

Creating the docker group

  • Docker does not listen on a TCP port; it listens for requests on a Unix socket
  • By default the Docker socket is owned by root
  • The Docker daemon itself normally runs as root as well
  • So a user who wants to invoke Docker has to use sudo

To avoid having to go through sudo for every Docker call, the installer creates a docker group automatically, and when the Docker daemon starts it grants members of that group read/write access to the Docker socket. Adding an administrative user to the docker group is therefore all that is needed for that user to use docker.

Note: the docker group approach removes the need for sudo, but it still carries a serious security risk: anything done through the socket is effectively done as root, and it can damage other image instances running in containers on the host. See Docker Daemon Attack Surface for details.

A regular user has no permission to operate docker

[root@h103 ~]# id cc
uid=1000(cc) gid=1000(cc) groups=1000(cc)
[root@h103 ~]# su - cc
Last login: Tue Jan 19 23:00:16 CST 2016 on pts/1
[cc@h103 ~]$ docker run hello-world
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
[cc@h103 ~]$ 

Add the regular user to the docker group

[root@h103 ~]# usermod -aG docker cc
[root@h103 ~]# id cc
uid=1000(cc) gid=1000(cc) groups=1000(cc),993(docker)
[root@h103 ~]#

Try running the docker command as the regular user again

[root@h103 ~]# su - cc
Last login: Tue Jan 19 23:23:04 CST 2016 on pts/1
[cc@h103 ~]$ docker run hello-world

Hello from Docker.
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash

Share images, automate workflows, and more with a free Docker Hub account:
 https://hub.docker.com

For more examples and ideas, visit:
 https://docs.docker.com/userguide/

[cc@h103 ~]$ 
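Because every account in the docker group has root-equivalent control of the daemon (see the note above), an administrator will want to know who is in that group and whether the socket really is group-writable. The following audit helper is an added example, not part of the original post; it assumes a POSIX shell, a Linux-style /etc/group layout, `id` output in the format shown in the sessions above, and the default socket path /var/run/docker.sock. The group file contents are constructed sample data.

```shell
#!/bin/sh
# Added audit helper: report who can reach the Docker daemon via the docker
# group, and whether the socket grants that group write access.

# Print each member of GROUP (default: docker) from an /etc/group-style file,
# one per line. Every account listed can drive the daemon as root.
group_members() {
    awk -F: -v g="${2:-docker}" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
}

# Return 0 when a line in `id` format (as in the session above) lists the
# docker group among the user's groups, 1 otherwise.
id_has_docker() {
    printf '%s\n' "$1" | grep -Eq 'groups=[^ ]*\(docker\)'
}

# Return 0 when the group write bit of PATH is set (column 6 of `ls -ld`).
group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# Constructed sample group file mirroring the session above (gid 993).
SAMPLE_GROUP=$(mktemp)
printf 'root:x:0:\nwheel:x:10:cc\ndocker:x:993:cc\n' > "$SAMPLE_GROUP"

echo "Accounts with root-equivalent daemon access via the docker group:"
group_members "$SAMPLE_GROUP" docker

# On a real host, confirm the socket is actually group-writable; if it is,
# the membership printed above is the full list of root-equivalent users.
SOCK=/var/run/docker.sock
if [ -S "$SOCK" ] && group_writable "$SOCK"; then
    echo "$SOCK is group-writable: membership above grants full control"
fi

rm -f "$SAMPLE_GROUP"
```

On a live host, replace the constructed file with /etc/group to audit the real membership.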
