docker group configuration

[chrisweeksnz]

Issue

The Fedora CoreOS tech preview has a docker group added, but configured so that users can't be added to it. The group appears to exist in /etc/gshadow, but not in /etc/group. This may be intentional as a method to discourage users from using the docker group (considering it's security risk profile), but likewise it could be a bug.

Workaround

echo "$(getent group docker)" >> /etc/group

This restores normal function to the docker group. (eg. usermod -aG docker myusername will grant access to the docker daemon).

rpm-ostree status

$ sudo rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
* ostree://fedora:fedora/x86_64/coreos/testing
                   Version: 30.20190801.0 (2019-08-01T13:54:21Z)
                    Commit: a9c8d66d3628d1b9b4c4690777e8b730d08329b4359410cb410a2003296af1ca
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9

[lucab]

Thanks for the report. I do believe this is just a plain bug, but I'm not sure if it is due to the moby package or to the group handling logic in rpm-ostree.

[lucab]

The current moby-engine specfile has the following:

%pre
getent group %{service_name} >/dev/null || groupadd -r %{service_name} || :

I fear the last ||: may be swallowing some interesting errors in this case.

[lucab]

Forwarded to https://bugzilla.redhat.com/show_bug.cgi?id=1745936.

[dustymabe]

this looks more like coreos/rpm-ostree#1318 which is a dup of coreos/rpm-ostree#49

[dustymabe]

This acute issue should be fixed by coreos/fedora-coreos-config#175