
Comment by amelius

3 hours ago

What I hate about docker and other such solutions is that I cannot install it as nonroot user, and that it keeps images between users in a database. I want to move things around using mv and cp, and not have another management layer that I need to be aware of and that can end up in an inconsistent state.

> What I hate about docker and other such solutions is that I cannot install it as nonroot user

There's a rootless [0] option, but that does require some sysadmin setup on the host to make it possible. That's a Linux kernel limitation on all container tooling, not a limitation of Docker.

> and that it keeps images between users in a database.

Not a traditional database, but content addressable filesystem layers, commonly mounted as an overlay filesystem. Each of those layers is read-only and reusable between multiple images, allowing faster updates (when only a few layers change), and conserving disk space (when multiple images share a common base image).

> I want to move things around using mv and cp, and not have another management layer that I need to be aware of and that can end up in an inconsistent state.

You can mount volumes from the host into a container, though this is often an anti-pattern. What you don't want to do is modify the image layers directly, since they are shared between images. That introduces a lot of security issues.

[0]: https://docs.docker.com/engine/security/rootless/

https://github.com/containers/podman/blob/main/docs/tutorial...
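A constructed model of what the comment above describes (content-addressed layers shared between images, and why editing a stored layer in place is a problem). This is an added example, not code from the page or from Docker/Podman; the layer contents and image names are made up, and real layers are tar archives rather than short byte strings:

```python
"""Added example, not code from the page or from Docker/Podman: a constructed
model of a content-addressed layer store. Layers are keyed by the sha256 of
their bytes, so identical layers are stored once, and editing a stored layer
in place is detectable because its bytes no longer match its digest."""
import hashlib


def digest(data: bytes) -> str:
    """Content address of a layer blob, in the 'sha256:<hex>' form images use."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class LayerStore:
    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}        # digest -> layer bytes (stored once)
        self.images: dict[str, list[str]] = {}   # image name -> ordered layer digests

    def add_layer(self, data: bytes) -> str:
        d = digest(data)
        self.blobs.setdefault(d, data)           # already present: reuse, do not copy
        return d

    def add_image(self, name: str, layers: list[bytes]) -> list[str]:
        self.images[name] = [self.add_layer(layer) for layer in layers]
        return self.images[name]

    def disk_usage(self) -> int:
        """Bytes actually stored: a shared layer counts once."""
        return sum(len(b) for b in self.blobs.values())

    def logical_size(self) -> int:
        """Bytes the images would occupy if each had its own copy of every layer."""
        return sum(len(self.blobs[d]) for ds in self.images.values() for d in ds)

    def images_using(self, d: str) -> list[str]:
        """Every image that references the layer with digest d."""
        return sorted(name for name, ds in self.images.items() if d in ds)

    def verify(self, name: str) -> list[str]:
        """Digests in an image whose stored bytes no longer hash to their key."""
        return [d for d in self.images[name] if digest(self.blobs[d]) != d]


def demo() -> dict:
    # Constructed layer contents (not real images).
    base = b"base: minimal rootfs"
    store = LayerStore()
    web = store.add_image("web", [base, b"layer: nginx"])
    store.add_image("worker", [base, b"layer: python"])
    base_digest = web[0]
    shared_by = store.images_using(base_digest)          # both images reuse the base
    saved = store.logical_size() - store.disk_usage()    # base stored once, not twice

    # "Patch" the base layer in place, as a user editing the store with cp/vi would:
    # the digest no longer matches, and every image built on it is affected.
    store.blobs[base_digest] = b"base: minimal rootfs + backdoor"
    return {
        "shared_by": shared_by,
        "bytes_saved": saved,
        "web_tampered": store.verify("web"),
        "worker_tampered": store.verify("worker"),
    }
```

Running demo() shows the two properties the comment is getting at: the base layer is stored once even though two images reference it, and after the in-place edit verify() flags the same digest for both images, which is why the real tooling re-checks digests on pull and treats the layer directories as its own, not as files to mv around.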

  • It's hilarious. Your 'solution' to use docker without root is to make some system changes as root and then use/build docker LOL.

    • > is to make some system changes as root

      Yeah, I mean what do you expect or is the alternative? If you have a process that needs access to something only root typically can do, and the solution has been to give that process root so it can do its job, you usually need root to be able to give that process permission to do that thing without becoming root. Doesn't that make sense? What alternative are you suggesting?

    • Uhm no. Podman is a different product that is pretty much a drop-in replacement for Docker but lets you run as non-root.

      You have to be root to set it up, but after that you don't need any special privileges. With Docker the only option is to basically give everyone root access.

      It's true that it requires root for some setup though. Unclear if op was complaining about that.

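The "root for some setup" the comment above refers to is, for rootless Docker and Podman, mostly the subordinate UID/GID ranges in /etc/subuid and /etc/subgid (the rootless docs ask for at least 65,536 of each). Here is an added example, not from the page or from either project, that checks whether a user already has them; the file contents are constructed so it runs offline, and the usermod flags named in the message are shadow-utils' own:

```python
"""Added example, not from the page or from Docker/Podman: check whether a
user already has the subordinate UID/GID ranges that rootless Docker and
Podman need (at least 65,536 each). Only root can grant these, which is the
one-time root setup the thread refers to. The /etc/subuid and /etc/subgid
contents below are constructed so the check runs offline."""

SUBUID = """\
# user:start:count  (constructed sample of /etc/subuid)
alice:100000:65536
bob:165536:1000
bob:300000:64000
"""
SUBGID = """\
alice:100000:65536
bob:165536:65536
"""
MINIMUM = 65536


def parse_subid(text: str) -> dict[str, list[tuple[int, int]]]:
    """Parse subuid/subgid lines ('name:start:count') into ranges per name."""
    ranges: dict[str, list[tuple[int, int]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def total_ids(ranges: dict[str, list[tuple[int, int]]], user: str) -> int:
    """A user may have several ranges; what matters is the total count."""
    return sum(count for _, count in ranges.get(user, []))


def rootless_ready(user: str, subuid: str = SUBUID,
                   subgid: str = SUBGID) -> tuple[bool, list[str]]:
    """True when the user has enough subordinate UIDs and GIDs; otherwise the
    reasons, phrased as what root would still have to do."""
    problems = []
    for label, text in (("subuid", subuid), ("subgid", subgid)):
        have = total_ids(parse_subid(text), user)
        if have < MINIMUM:
            problems.append(
                f"{user} has {have} ids in /etc/{label}, needs {MINIMUM} "
                f"(root: usermod --add-subuids / --add-subgids FIRST-LAST {user})"
            )
    return (not problems, problems)


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        ok, why = rootless_ready(who)
        print(who, "ready" if ok else "; ".join(why))
```

Pointing the two defaults at the real files (open("/etc/subuid").read()) turns this into a pre-flight check a non-root user can run before trying the rootless setup script, and its output is exactly the list of things to ask the administrator for.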

> I cannot install it as nonroot user

Sure, you cannot install docker or podman as a non-root user. But take your argument a bit further: what if the kernel is compiled without cgroups support? Then you will need root to replace the kernel and reboot. The root user can do arbitrarily many things to prevent you from installing any number of software. The root user can prevent you from using arbitrary already installed software. The root user can even prevent you from logging in.

It is astounding to me that someone would complain that a non-root user cannot install software. A much more reasonable complaint is that a non-root user can become root while using docker. This complaint has been resolved by podman.

  • > It is astounding to me that someone would complain that a non-root user cannot install software.

    Depends on what you mean by "install software".

    If your definition is "put an executable in a directory that is in every other user's standard $PATH", then yes, this is an absurd complaint. Of course only root should be able to do this.

    If your definition is "make an executable available to run as my user", then no, this is not absurd. You absolutely should not need root to be able to run software that doesn't require root privileges. If the software requires root, it's either doing something privileged, or it's doing it wrong.

    • I don’t think you understood my comment.

      > You absolutely should not need root to be able to run software that doesn't require root privileges.

      But root can approve or disapprove you running that software. Have you heard of SELinux or AppArmor? The root user can easily and simply prevent you from running an executable even as your own user.

      Malware can run as your own user and exfiltrate files you have access to. The malware does not need root privileges. Should root have the capability to prevent the malware from being installed? Regardless of what your definition of “install” is, the answer is unequivocally yes.