Hi Kashif,
Is this for a one-off batch-style job or a long-running service? For a batch-style one-off thing we've had some success with users developing using docker on their local machine and then running the actual payload using singularity. You can also run barebones runc (https://github.com/opencontainers/runc) as a rootless container (i.e. not as root) but it's a lot more effort... I've never done it but I think you can couple this with systemd to run actual services.
Thanks,
Gareth
-----Original Message-----
From: Testbed Support for GridPP member institutes <[log in to unmask]> On Behalf Of John Hill
Sent: 24 September 2018 14:48
To: [log in to unmask]
Subject: Re: Docker on shared interactive machine
Hi Kashif,
I had a similar request recently. I came across this post:
https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
which suggests that sudo is the preferred route. Of course the post is 3 years old and there may be a better solution now.
I did allow the user to run docker via this mechanism on a (shared
interactive) Linux desktop. I'm not sure I'd permit it on a server.
Cheers,
John
On 24/09/2018 14:36, Kashif Mohammad wrote:
> Hi
>
> One of our local users wants to run docker on a shared interactive server.
> Docker can be run by a normal user but the user has to be added to the
> dockerroot group, which has higher privilege. I am tempted to refuse
> this request as the interactive machine has many mounted file systems etc.
>
> But before refusing I thought that I should take a second opinion. Is
> anyone allowing users to run docker on shared machines or is there a way
> to run docker in a more secure manner?
>
> Cheers
>
> Kashif
>
>
> ----------------------------------------------------------------------
> --
>
> To unsubscribe from the TB-SUPPORT list, click the following link:
> https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=TB-SUPPORT&A=1
>
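A check for the group-membership concern raised in this thread, as an added example that is not part of the original messages: it lists every account that reaches the Docker daemon through group membership, including accounts whose primary group is the Docker group, which the member field of the group file alone does not show. The group names `docker` and `dockerroot`, the function names, and the sample group/passwd lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Group names are assumptions; adjust per host.

# docker_group_users GROUP_FILE PASSWD_FILE
# Prints "group:user" for supplementary members (field 4 of the group file)
# and for accounts whose primary GID (field 4 of passwd) is that group's GID.
docker_group_users() {
    awk -F: '
        # Pass 1: group(5) format  name:passwd:gid:member,member
        pass == 1 {
            if ($1 == "docker" || $1 == "dockerroot") {
                gid[$3] = $1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") print $1 ":" m[i]
            }
            next
        }
        # Pass 2: passwd(5) format  name:passwd:uid:gid:...
        ($4 in gid) { print gid[$4] ":" $1 }
    ' pass=1 "$1" pass=2 "$2" | sort -u
}

# write_sample DIR: constructed sample files, not taken from any real host.
write_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:alice,dave
dockerroot:x:985:alice,bob
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1002:100::/home/bob:/bin/bash
carol:x:1003:985::/home/carol:/bin/bash
dave:x:1004:100::/home/dave:/bin/bash
EOF
}

# Demo run on the constructed sample.
sample_dir=$(mktemp -d)
write_sample "$sample_dir"
docker_group_users "$sample_dir/group" "$sample_dir/passwd"
rm -rf "$sample_dir"
```

On a live host, pass `/etc/group` and `/etc/passwd`, or files written from `getent group` and `getent passwd` when accounts come from a directory service.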