minikube with docker driver run as root not allowed but requires root anyway #8257
Comments
|
Hi @FlorianLudwig ! Hmm, the current situation is a bit confusing and the above seems to be as well: Your step 1) is about "none" driver and step 2) is about "docker" driver ? Maybe this happened because of some misguided suggestions on minikube's part:
Currently running minikube requires root, this is (or should be) documented: #7963 And yes this also has security implications - which should be clearly documented - like so: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
The podman driver is a bit more straight-forward, in that it still uses sudo rather than a root group. Using a VM also requires admin privileges to set up*, but then root is inside the VM. * the The current check against not running as root (with sudo), is mostly for the config files. Only the "none" driver currently runs as root, since it is not intended for users but for CI The "docker" driver is somewhere half-way, so it runs minikube as the user but docker as root. You can check out the "Usernetes" project, if that is what you are after here ? Ultimately we probably want to run also the none driver as non-root: #3760 Currently there are bunch of hacks and workarounds to move the config files afterwards. So it is more straight-forward to do everything as the user, and then call "sudo" as needed. https://help.ubuntu.com/community/RootSudo
|
afbjorklund
added
kind/security
|
But we should try to avoid misleading statements like these:
They seem to imply that running docker does not require root ? I'm also not sure that the "docker" driver was ever intended as a substitute for "none" driver ? Then it spread to other platforms, in case you were already running a Docker Desktop VM... |
|
Hi @afbjorklund Thank you very much for your long explanation! First of all, I indeed messed up my bug report - I meant the docker driver, not Some background: I am looking for a development environment without compromising (too much) on security nor usability - always a hard thing to do. Options:
Actually, this is what I ended up using. Without the libvirt group though, setup asked me for my password like 100 times but using But back to my original question: Why isn't it allowed to use the docker driver as root? |
Exactly! This is what I mean with misleading :)
I didn't know about KIND, might be interesting to look at, thanks!
Actually, I don't run a VM normally. I try to stick to podman as much as I can as it plays a lot more nice with permissions etc. |
There is no particular technical reason why the root user wouldn't be allowed to run minikube. But since it is regarded as a bad practice (logging in as root), we try to "encourage" avoiding it. The practical issue was that people run i.e. you would have files created by root, under ~/.minikube So the next command would be unable to read e.g. config Ending up with the ugly situation of having to sudo everything, even dashboard and kubectl
KIC (the "docker" driver) is our adapation of KIND, it uses the same docker image etc. The main difference is that KIC is for developers, while KIND is for testing kubernetes. Both are from Kubernetetes SIGs... And both use
But podman is only available for linux, so there are no "other platforms" to talk about Same problem though, so we expose podman-env to not have to use podman-machine Once there is a Podman Desktop product, that could be considered as an option as well. |
Isn't that still better than adding the user to the docker or kvm groups? So maybe:
|
|
I think the sudo setup varies a little between the distributions, as well. Some use the same $HOME for both the user and the sudo user (root), while others change to put the sudo files under Others (looking at you, CentOS) even have different $PATH for sudo and root so it won't find things. Basically it is a hassle to support it, and most users seem fine without running minikube as root ? Security could be better documented... It's not really one of the strong points. |
|
What is the reasoning not allowing to run minikube as root? At least behind a flag |
|
This is disappointing. Finally, I just did |
|
@jaybirdshain : if you are running as root, then you don't need to chmod. And if you are not (root), then using a |
This is probably because (when using the docker driver) they are running it as root, because as the OP mentions, the current recommended setup of adding the user to the docker group effectively grants that user root privileges. So the correct phrasing there would be "most users seem fine (or unaware) running minikube (and any other process they run as their logged-in user) as effectively-root". Minikube is encouraging users to make their systems less secure while actively disabling (for a fairly silly reason, in my opinion) the most obvious option a more security-conscious user might try to work around it. |
|
We don't yet have a good way of running some commands (like stop and start) as root, and some commands (like dashboard or service) as the regular user. The previous setup with It would be nice if it could reach the state of "make && sudo make install", so that you could mix. (Then again that just might be a bad example, some Makefiles are poorly written and don't build everything the first time which means some stuff in the local dir ends up being owned by root.) There is also no good auth mechanism, asking for password every time isn't improving things (it makes it unusable). The recommendations for docker and podman (and libvirt) are pretty much based on upstream. But it does required escalated privileges (basically root-access) for the user running minikube... This needs to be clear from the documentation, even if it is not something that minikube is doing. Currently we don't have a driver that works without it (maybe VirtualBox*?), at least not on Linux. * VirtualBox does require privileges to install, but I'm not sure it exposes them when running ? |
|
I agree @afbjorklund that allowing user to run as root causes a lot of headaches such as folders and files that are created and will make profile management more difficult, and I don't think it will be in scope of minikube to run as root user. since we minikube's focus is local kubernetes developement. |
medyagh
added
long-term-support
|
kind is going to support rootless Docker |
|
I had the same issue, a quick |
This is worked for me too.Thanks a lot. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
the
lifecycle/stale
Due to this I am closing this issue, feel free to respond/reopen if desired. |
|
minikube start --force --driver=docker |
|
First sudo usermod -aG docker $USER && newgrp dockerand then minikube start |
This works fine with me. 😄 |
|
|
|
Follow this command sudo -E minikube start --driver=nonesudo minikube config set driver noneminikube start |
|
You don't need to run minikube with sudo. |
Give permission to the docker socket, and minikube should work as expected |
Just log in as root. Would be more honest as setting mod 666 on the docker socket gives root privileges to all users and applications on your system. |
Thanks. |
Steps to reproduce the issue:
Users will end up reading comments like here: #7903 (comment) and setup access to the docker socket without realizing they are granting root access to those users. By doing so minikube encourages less secure systems in practise.
The text was updated successfully, but these errors were encountered: