
Allowed ops@ and dereckson@ to sudo docker or lxc-* commands on Dwellers
Closed, Resolved · Public

Description

Two use cases:

  • During the mailserver deployment, @Sandlayth and I had to su from the ops@ account to start the LXC container.
  • I would like to run $SSH $LXC_SERVER $LXC_EXEC $CONTAINER_NAME $LXC_COMMAND from my server, and lxc-attach requires root.

This is mainly for LXC, as Docker allows unprivileged users in the docker group to contact the API, but we can still add /bin/docker to the list.

Event Timeline

dereckson claimed this task.
dereckson triaged this task as Normal priority.
dereckson added a project: Servers.
dereckson added a subscriber: dereckson.

# Container related commands alias for sudo
Cmnd_Alias CONTAINERS = /bin/docker, \
    /bin/lxc-attach, /bin/lxc-autostart, /bin/lxc-cgroup, /bin/lxc-checkconfig, \
    /bin/lxc-clone, /bin/lxc-config, /bin/lxc-console, /bin/lxc-create, \
    /bin/lxc-destroy, /bin/lxc-execute, /bin/lxc-freeze, /bin/lxc-info, \
    /bin/lxc-ls, /bin/lxc-monitor, /bin/lxc-snapshot, /bin/lxc-start, \
    /bin/lxc-stop, /bin/lxc-top, /bin/lxc-unfreeze, /bin/lxc-unshare, \
    /bin/lxc-usernsexec, /bin/lxc-wait

# User privilege specification
ops       ALL=(ALL) NOPASSWD: CONTAINERS
dereckson ALL=(ALL) NOPASSWD: CONTAINERS
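Before a fragment like the one above goes into /etc/sudoers.d, a practitioner wants to see exactly what it grants and whether every entry will survive visudo. The script below is an added example, not code from this task or from Nasqueron's configuration: it parses a constructed, shortened copy of the alias written in the same syntax (backslash line continuation, Cmnd_Alias expansion, NOPASSWD tags), lists the commands each user may run as root without a password, and flags entries that visudo would reject or that point at a binary missing from the host. The SUDOERS_FRAGMENT string, its %adm line, and the function names are all assumptions made for the example.

```python
"""Audit a sudoers fragment: expand Cmnd_Alias entries and report what each
user may run passwordless.  Added example, not code from the task."""
import os
import re
from typing import Callable, Dict, List, NamedTuple, Tuple

# Constructed sample in the shape of the task's fragment, shortened, using the
# backslash continuation sudoers allows for long lists, plus one constructed
# password-required entry (%adm) so the NOPASSWD filter has something to skip.
SUDOERS_FRAGMENT = r"""
# Container related commands alias for sudo
Cmnd_Alias CONTAINERS = /bin/docker, /bin/lxc-attach, /bin/lxc-start, \
    /bin/lxc-stop, /bin/lxc-ls, /bin/lxc-info

# User privilege specification
ops       ALL=(ALL) NOPASSWD: CONTAINERS
dereckson ALL=(ALL) NOPASSWD: CONTAINERS
%adm      ALL=(ALL) ALL
"""


class UserSpec(NamedTuple):
    user: str            # user name or %group
    hosts: str           # host list, usually ALL
    runas: str           # contents of (...), or root when omitted
    tags: List[str]      # NOPASSWD, SETENV, ...
    commands: List[str]  # raw entries, aliases not yet expanded


ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
SPEC_RE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*"   # user (or %group)  host_list =
    r"(?:\(([^)]*)\)\s*)?"         # optional (runas_list)
    r"((?:[A-Z]+:\s*)*)"           # tags such as NOPASSWD: SETENV:
    r"(.+)$"                       # command list; may name a Cmnd_Alias
)
SKIPPED_KEYWORDS = {"Defaults", "User_Alias", "Host_Alias", "Runas_Alias"}


def _logical_lines(text: str):
    """Join backslash-continued lines and drop blank lines and comments."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") and not line.startswith("#include"):
            continue
        if line.split()[0] in SKIPPED_KEYWORDS:
            continue  # other directives are out of scope for this audit
        yield line


def _split_commands(field: str) -> List[str]:
    return [c.strip() for c in field.split(",") if c.strip()]


def parse_sudoers(text: str) -> Tuple[Dict[str, List[str]], List[UserSpec]]:
    aliases: Dict[str, List[str]] = {}
    specs: List[UserSpec] = []
    for line in _logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split_commands(m.group(2))
            continue
        m = SPEC_RE.match(line)
        if m:
            user, hosts, runas, tagblob, cmds = m.groups()
            tags = [t.strip() for t in tagblob.split(":") if t.strip()]
            specs.append(UserSpec(user, hosts, runas or "root", tags, _split_commands(cmds)))
    return aliases, specs


def expand(commands: List[str], aliases: Dict[str, List[str]], _seen=frozenset()) -> List[str]:
    """Replace alias names with their members, recursively, refusing cycles."""
    out: List[str] = []
    for cmd in commands:
        if cmd in aliases:
            if cmd in _seen:
                raise ValueError(f"alias cycle at {cmd}")
            out.extend(expand(aliases[cmd], aliases, _seen | {cmd}))
        else:
            out.append(cmd)
    return out


def passwordless_commands(text: str) -> Dict[str, List[str]]:
    """user -> fully expanded commands runnable with NOPASSWD."""
    aliases, specs = parse_sudoers(text)
    result: Dict[str, List[str]] = {}
    for spec in specs:
        if "NOPASSWD" in spec.tags:
            result.setdefault(spec.user, []).extend(expand(spec.commands, aliases))
    return result


def unresolved_commands(commands: List[str],
                        exists: Callable[[str], bool] = os.path.isfile) -> List[Tuple[str, str]]:
    """Entries visudo rejects (relative paths) or that name a missing binary; ALL is reported too."""
    findings = []
    for cmd in commands:
        binary = cmd.split()[0]  # arguments may follow the path
        if binary == "ALL":
            findings.append((cmd, "ALL grants every command"))
        elif binary == "sudoedit":
            continue  # the one command keyword that is not a path
        elif not binary.startswith("/"):
            findings.append((cmd, "visudo requires a fully qualified path"))
        elif not exists(binary):
            findings.append((cmd, "binary not present on this host"))
    return findings


def audit(text: str, exists: Callable[[str], bool] = os.path.isfile) -> Dict[str, List[Tuple[str, str]]]:
    """Per user: findings for the passwordless commands they were granted."""
    return {user: unresolved_commands(cmds, exists)
            for user, cmds in passwordless_commands(text).items()}


if __name__ == "__main__":
    for user, cmds in passwordless_commands(SUDOERS_FRAGMENT).items():
        print(f"{user}: {len(cmds)} passwordless commands")
        for cmd, why in unresolved_commands(cmds):
            print(f"  {cmd}: {why}")
```

The `exists` predicate is injectable so the same audit can be run against a copy of the fragment on a workstation with a list of paths harvested from the target host; the real check before deployment remains `visudo -cf` on the file and `sudo -l -U ops` on the host itself.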