docs: add "rootless mode" to exceptions of "Privileged user requirement" #5359

Closed
wants to merge 2 commits into from
8 changes: 8 additions & 0 deletions docs/reference/commandline/login.md
@@ -47,6 +47,14 @@ to your Docker account without entering your password. For Docker Hub, the
`--username` flag is specified. The device code flow is a secure way to sign
in. See [Authenticate to Docker Hub using device code](#authenticate-to-docker-hub-using-device-code).

### Privileged user requirement

`docker login` requires you to use `sudo` or be `root`, except when:

- Connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`.
- The user is added to the `docker` group. This will impact the security of your system; the `docker` group is `root` equivalent. See [Docker Daemon Attack Surface](https://docs.docker.com/engine/security/#docker-daemon-attack-surface) for details.
- The Docker daemon is running as a non-root user, i.e. [rootless mode](https://docs.docker.com/engine/security/rootless/).
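Review bot: the three added bullets describe when a user can reach the daemon socket without `sudo`, which is not specific to `docker login`; as the thread below notes, the same restriction applies to every CLI command and the section was already removed in 2f206ff, so this content belongs on the engine security page rather than the login reference. If the section is kept, the first bullet is misleading: `docker login` stores credentials for the local CLI user and only contacts the engine to verify them, so a remote daemon does not change who may run it. Minor style point: `i.e.` reads better as `that is,`.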

Comment on lines +50 to +57
Contributor

I removed this section in 2f206ff (hence the need for a rebase) because this is not specific to the login command; the sudo restriction applies to all commands.

Contributor

Thanks! I'd noticed that and meant to comment.

Author

Hi @dvdksn, understood and thank you for the clarification!

@laurazard Would that mean that this PR will not be needed? Since “Rootless mode” applies to all commands as well.

Or perhaps it would be to rename this section as “Privileged user exceptions” and add the point below which is specific for docker login:

Connecting to a remote daemon, such as a docker-machine provisioned docker engine.

Contributor

@laurazard laurazard Sep 11, 2024

Would that mean that this PR will not be needed?

That might be the case, apologies 😓

Or perhaps it would be to rename this section as “Privileged user exceptions” and add the point below which is specific for docker login:

Connecting to a remote daemon, such as a docker-machine provisioned docker engine.

Not sure about that – docker login is a bit of a misnomer – it's not doing anything with the engine*, it's merely authenticating/saving credentials for the local user's CLI for a given registry. If you run docker login and then try to pull an image from a private repo you have credentials for, it doesn't matter whether you use a local engine or a remote daemon, since the CLI will grab the credentials and send them on a per-pull basis to whatever daemon you're using. In effect, the daemon has no concept of "logged in" or "not logged in". That depends entirely on the client calling the engine including credentials for that operation in the call.


*It does call the engine, but only after the user has already typed in credentials/logged in, to verify that the credentials work.

Author

@laurazard Understood and thank you for the clarification! I will be closing this PR.

Contributor

Apologies for not mentioning this earlier.

Author

No worries! @laurazard

### Credential stores

The Docker Engine can keep user credentials in an external credential store,