I strongly recommend reading this article:
https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-...
And based on it, I would a) reconsider if using sudo is not a better
idea, b) recommend, if possible, to create the docker group locally and
add users explicitly on the specific machines.
I would fallback to a global docker group that basically gives root to
any user on any machine with docker installed they have access to only
as a least resort.
Simo.
On Wed, 2019-10-23 at 19:07 +0000, Jason Dunham via FreeIPA-users
wrote:
Hi I'm trying to figure out the best practice for groups on my
client servers.
I have several computation workstation hosts that have been added as freeipa clients, and
several engineers who want to run docker on them
Members of the 'docker' group (gid=999 on some machines, for example) can run
docker without needing sudo, which is what I want to roll out to all machines. Ideally
this would be managed from freeipa with LDAP groups, and so anyone in the
'engineers' group should also be a member of the 'docker' group.
When I create a 'docker' group on freeIPA it will have some other gid and the
client sees that.
Should I just delete the original docker group from my hosts and let it get it from ldap,
or should I go into /etc/group and change the gid to the one that matches the right ldap
gid, or preferably something easier than that?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc