Add dockerExecCommand setting #910

Merged
merged 1 commit into from
Nov 13, 2016
@rbellamy rbellamy commented Nov 13, 2016

Per discussion in #903

When building docker images on CentOS, Fedora or RHEL, the permissions on /var/run/docker.socket have restricted access, preventing Docker build and push commands as a normal user from executing without severely compromising the system.

See http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/

Therefore, I've added a new setting which supports replacing the default docker shell exec command so that I can instead use sudo docker (which is the recommended method for executing Docker on CentOS, Fedora and RHEL), or completely replace the docker command with a path to a shell script.

With this new setting and the regular dockerBuildCommand and dockerBuildOptions, you get the following basics:

```scala
dockerBuildCommand := dockerExecCommand.value ++ Seq("build") ++ dockerBuildOptions.value ++ Seq(".")
// default
dockerExecCommand := Seq("docker")
// custom
dockerExecCommand := Seq("sudo", "docker")
```

What I don't want to do is run SBT as root - this will cause the working directory, and the ivy cache to become polluted with artifacts that are owned by root. It's best to limit the use of escalated privileges to just those commands that require them to avoid this pollution.

So, to avoid:

```sh
sudo sbt docker:publishLocal
sbt clean   # <=== will fail because "target" is now owned by root
```
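Added example, not part of this pull request or the project's code: the description mentions pointing `dockerExecCommand` at a shell script, and one least-privilege use of that is a root-owned wrapper that sudo permits in place of the whole `docker` CLI and that forwards only the subcommands the build needs. The wrapper name, its path, the `builduser` account, the docker binary location and the `build push` allowlist are assumptions.

```shell
#!/bin/sh
# docker-build-only: hypothetical root-owned wrapper (name and paths are assumptions).
#
# build.sbt:  dockerExecCommand := Seq("sudo", "/usr/local/sbin/docker-build-only")
# sudoers:    builduser ALL=(root) NOPASSWD: /usr/local/sbin/docker-build-only
#
# sudo then grants the build user this wrapper only, not the whole docker CLI.

# Absolute path so a modified PATH cannot substitute another binary (assumed location).
DOCKER_BIN=/usr/bin/docker

# Subcommands named in the PR description; extend only if the build needs more.
ALLOWED_SUBCOMMANDS="build push"

# Return 0 if $1 is an allowed docker subcommand, 1 otherwise.
is_allowed() {
    for sub in $ALLOWED_SUBCOMMANDS; do
        if [ "$1" = "$sub" ]; then
            return 0
        fi
    done
    return 1
}

# Refuse anything off the allowlist (status 64), otherwise hand over to docker.
run_docker() {
    if [ "$#" -eq 0 ] || ! is_allowed "$1"; then
        echo "docker-build-only: subcommand '${1:-}' is not permitted" >&2
        return 64
    fi
    exec "$DOCKER_BIN" "$@"
}

# Run only when called with arguments, as sbt does via dockerExecCommand.
if [ "$#" -gt 0 ]; then
    run_docker "$@"
fi
```

The wrapper narrows which requests the build can send to the Docker daemon as root; sudo's own logging still records each invocation.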


@muuki88 muuki88 left a comment

Thanks. Looks perfect.
