
`sudo` required to run atomicapp commands?

Open concaf opened this issue 9 years ago • 3 comments

Hi,

atomicapp ____ commands fail if not run as root/sudo. This becomes a problem if the end user does not have root/sudo access, and the files/directories created by atomicapp also require an additional step of becoming root/sudo before accessing them.

A similar concern was raised by @jberkus on the container-tools mailing list here.

I understand that this is required because accessing the docker unix socket requires it; please correct me if I'm wrong.

Can this be solved by any of the following:

  1. Using TCP socket to talk to the docker daemon on localhost?
  2. Prompting user for sudo access only when it's required, something like what happens in a `vagrant up`? So, if a user has access to docker, then good, but if not, prompt for sudo/root password only for that part while the remaining code runs as a user.
  3. Setting permissions of the files and directories which are atomicapp specific such that the user gets access to those.

As for the auditing and logging concerns raised here, we can run only docker as sudo, and not atomicapp!

Thoughts? @dustymabe @cdrage @tuxdna @surajssd

concaf avatar Mar 14 '16 16:03 concaf
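Option 2 and the "run only docker as sudo" idea from the post above, as an added example that is not part of the original issue and is not Atomic App code: it checks whether the calling user can already write to the Docker unix socket and prefixes `sudo` only on the docker invocation when they cannot. The function names `docker_access` and `docker_command` are hypothetical, and the socket path is assumed to be Docker's default, `/var/run/docker.sock`.

```python
import os
import stat

DOCKER_SOCK = "/var/run/docker.sock"  # assumption: Docker's default socket path


def docker_access(sock_path, uid, gids):
    """Classify socket access for uid/gids: 'direct', 'needs-sudo' or 'no-socket'."""
    try:
        st = os.stat(sock_path)
    except FileNotFoundError:
        return "no-socket"
    except PermissionError:
        # A parent directory is not searchable by this user.
        return "needs-sudo"
    if not stat.S_ISSOCK(st.st_mode):
        return "no-socket"
    if uid == 0:
        return "direct"
    # connect() on a unix socket needs write permission on the socket file.
    # Owner, group and other bits are checked in that order, as the kernel does.
    if uid == st.st_uid:
        allowed = st.st_mode & stat.S_IWUSR
    elif st.st_gid in gids:
        allowed = st.st_mode & stat.S_IWGRP
    else:
        allowed = st.st_mode & stat.S_IWOTH
    return "direct" if allowed else "needs-sudo"


def docker_command(args, sock_path=DOCKER_SOCK, uid=None, gids=None):
    """Build the docker argv, adding sudo only when the socket is not writable."""
    uid = os.geteuid() if uid is None else uid
    if gids is None:
        gids = set(os.getgroups()) | {os.getegid()}
    state = docker_access(sock_path, uid, set(gids))
    if state == "no-socket":
        raise RuntimeError("no Docker socket at %s" % sock_path)
    prefix = ["sudo"] if state == "needs-sudo" else []
    return prefix + ["docker"] + list(args)


if __name__ == "__main__":
    me = os.geteuid()
    groups = set(os.getgroups()) | {os.getegid()}
    print(docker_access(DOCKER_SOCK, me, groups))
```

A user for whom this returns `direct` (for example through group ownership of the socket) can drive the daemon with the daemon's privileges, so the result describes who is prompted for a password, not who is restricted.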

Additionally, sudo is required to create the locks under `/run/lock` as well. Just thought I would add that here.

dustymabe avatar Mar 21 '16 13:03 dustymabe

Why do we require the locks to be under `/var/run`?

jberkus avatar Mar 21 '16 15:03 jberkus

Hi all,

So locking has been removed so no more having to deal with `/run/lock`.

In regards to the files Atomic App extracts to, I do agree, it sucks we can't use it without sudo.

Although if you do do `atomicapp fetch` and then `atomicapp run` in the same directory you don't need sudo.

cdrage avatar Apr 22 '16 13:04 cdrage