Hi Dan,

I don't necessarily agree with adding the galaxy users to the docker group as a 
"safer" alternative to sudo.  Note that the sudoers configuration files can 
limit the commands that get executed and you don't have to give "all sudo 
privileges", which is the easiest thing to do.  Sudoers supports command 
matching/globbing to permit more specific permissions such as giving the ability 
to add docker images but not remove them.

See http://ubuntuforums.org/showthread.php?t=1132821 for extensive information 
on how you would limit sudo.

Iyad Kandalaft
Agriculture and Agri-Food Canada



-----Original Message-----
From: galaxy-dev [mailto:galaxy-dev-boun...@lists.galaxyproject.org] On Behalf 
Of Dan Tenenbaum
Sent: Monday, November 24, 2014 10:55 AM
To: galaxy-dev@lists.galaxyproject.org
Subject: [galaxy-dev] more control over the "docker" command

Hi,

Thanks for supporting the running of docker containers in Galaxy.

I have two requests for more control over the docker command that is run.

According to https://github.com/apetkau/galaxy-hackathon-2014 , the docker 
command that is run when a docker-enabled tool is run might look something like 
this:

command is: sudo docker run -e "GALAXY_SLOTS=$GALAXY_SLOTS" -v /home/aaron/Projects/galaxy-central:/home/aaron/Projects/galaxy-central:ro -v /home/aaron/Projects/galaxy-central/tools/docker:/home/aaron/Projects/galaxy-central/tools/docker:ro -v /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6:/home/aaron/Projects/galaxy-central/database/job_working_directory/000/6:rw -v /home/aaron/Projects/galaxy-central/database/files:/home/aaron/Projects/galaxy-central/database/files:rw -w /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6 --net none busybox:ubuntu-14.04 /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6/container.sh; return_code=$?; if [ -f /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6/working_file ] ; then cp /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6/working_file /home/aaron/Projects/galaxy-central/database/files/000/dataset_10.dat ; fi; sh -c "exit $return_code"

I'd like to be able to specify extra flags to be included in the command. In my 
case I'd like to include "--link server:server" because I want to link this 
container with another container that contains a long-running server process (I 
can describe my use case in greater detail if desired).
Can there be a way to do this in my tool wrapper?

Secondly, rather than giving my galaxy user passwordless sudo, I'd like to add 
it to the docker group, then I can run docker commands without prepending sudo. 
This seems a lot safer. Could this be exposed, maybe by a sudo="false" 
attribute in the tool wrapper?

Thanks,
Dan

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this and other Galaxy 
lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
___________________________________________________________
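
Added example (not part of the original messages and not Galaxy code): one way to limit what sudo lets the galaxy user do with docker is to permit a single wrapper in sudoers and have the wrapper check the arguments against an allowlist. The wrapper path, the sudoers line, the image list and the mount root below are assumptions chosen to match the command quoted in the thread.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/bin/galaxy-docker, intended to be the
# only command the galaxy user may run via sudo. Assumed sudoers entry:
#   galaxy ALL=(root) NOPASSWD: /usr/local/bin/galaxy-docker
# Policy values are assumptions for illustration.
GALAXY_ROOT="/home/aaron/Projects/galaxy-central"
ALLOWED_IMAGES="busybox:ubuntu-14.04"

# Return 0 only if the arguments (everything after "docker") fit the policy:
# subcommand "run", a small set of flags, bind mounts under GALAXY_ROOT,
# no network, and an image from the allowlist.
docker_args_allowed() {
    [ "$1" = "run" ] || return 1
    shift
    while [ $# -gt 0 ]; do
        case "$1" in
            -e|-w)
                [ $# -ge 2 ] || return 1
                shift 2 ;;
            --net)
                [ "$2" = "none" ] || return 1
                shift 2 ;;
            -v)
                [ $# -ge 2 ] || return 1
                src=${2%%:*}                 # host side of SRC:DST:MODE
                case "$src" in
                    *..*) return 1 ;;        # no path traversal
                    "$GALAXY_ROOT"|"$GALAXY_ROOT"/*) ;;
                    *) return 1 ;;           # host path outside Galaxy tree
                esac
                shift 2 ;;
            -*) return 1 ;;                  # any flag not listed above
            *) break ;;                      # first non-flag word is the image
        esac
    done
    for img in $ALLOWED_IMAGES; do
        [ "$1" = "$img" ] && return 0
    done
    return 1
}

# In the deployed wrapper the final line would be:
#   docker_args_allowed "$@" && exec /usr/bin/docker "$@"
```

Under this assumed policy the "--link server:server" flag requested in the thread would be rejected until it is added to the allowed flags.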