dockerd doesn't do a proper getgrent lookup for setting group ownership on /var/run/docker.sock, thus failing with non-local group databases #186
Description
- This is a bug report
- This is a feature request
- I searched existing issues before opening this one
Expected behavior
using "--group docker" should set group permissions on /var/run/docker.sock correctly when using non-file user and group dbs on linux (like LDAP)
Actual behavior
when having a docker group in LDAP (and not in local /etc/group), dockerd does not set the socket group permission to "docker" but to "root"
Steps to reproduce the behavior
- central group db like e.g. LDAP with a docker group configured:
"getent group docker" produces "docker:*:1515:[REDACTED]" - install docker-ce rpm. rpm scriptlet correctly checks for existing docker group and does not create local group entry
- run docker with "dockerd --group docker" results in:
WARN[2017-12-18T10:45:26.803102016+01:00] could not change group /var/run/docker.sock to docker: group docker not found
and
ls -l /var/run/docker.sock
srw-rw----. 1 root root 0 Dec 18 10:46 /var/run/docker.sock
Output of docker version:
Client:
Version: 17.09.1-ce
API version: 1.32
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:23:40 2017
OS/Arch: linux/amd64
Server:
Version: 17.09.1-ce
API version: 1.32 (minimum version 1.12)
Go version: go1.8.3
Git commit: 19e2cf6
Built: Thu Dec 7 22:25:03 2017
OS/Arch: linux/amd64
Experimental: false
Output of docker info:
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 1
Server Version: 17.09.1-ce
Storage Driver: overlay
Backing Filesystem: xfs
Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 3f2f8b84a77f73d38244dd690525642a72156c64
init version: 949e6fa
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-514.16.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.797GiB
Name: agent01.local
ID: DKLQ:TEP2:4FXL:7I2E:CI75:X4E6:DCVM:KIVN:AT5W:J7SP:DCZM:UJDP
Docker Root Dir: /web/data/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Additional environment details (AWS, VirtualBox, physical, etc.)
centos7 in vagrant with virtualbox
The problem is in https://github.com/docker/docker-ce/blob/7f2221039ec497be56f63d85bae24327b2df99a6/components/engine/daemon/listeners/listeners_unix.go#L36
lookupGid() is a function in the "listeners" package that seems to parse /etc/group directly instead of using getent calls like one usually would do (https://github.com/docker/docker-ce/blob/1ebf5edb0d6211a8bd0a326f56405c8e7eb70e5b/components/engine/daemon/listeners/group_unix.go#L15)
There is actually a function idtools.LookupGid that seems to do both, first parsing /etc/group, then calling getent group. (Weirdly enough, it seems does that by execcmd() the system's getent command. I am not familiar with "go", doesn't it have an interface to libc's getgrent(3)??)