
DEV Community

Thomas Strömberg

Persistent multi-user Docker on macOS

First, be aware that Docker is not designed to be securely shared among multiple users. Please assume that anyone who has access to Docker is effectively equivalent to `root`.

This guide assumes that users will interact with Docker from the command line rather than graphically. It also assumes an environment where a single user can be automatically logged in via the GUI, but this is mostly out of laziness rather than an underlying technical restriction.

  1. Choose an account that Docker Desktop will run as. I recommend creating a dedicated docker user, but it could be any account. This account does not need admin access.

  2. Open Settings -> Users & Groups -> Login Options, and ensure that this user is automatically logged in.

  3. Create a shared containers directory:

sudo mkdir -p /Users/Shared/Library/Containers
sudo chown docker:staff /Users/Shared/Library/Containers
sudo chmod -R 770 /Users/Shared/Library/Containers/

  4. Log in graphically with the account that will run Docker, start /Applications/Docker.app, and answer any questions it might have.
  5. Open Settings -> Users & Groups -> Login Items, and drag the Docker app to it.
  6. Quit Docker Desktop via the menu item.
  7. Open Terminal and move your Docker data to a shared location that can be written to by other users:

mv ~/Library/Containers/com.docker.docker /Users/Shared/Library/Containers
chmod -R 770 /Users/Shared/Library/Containers/com.docker.docker
chmod -R +a "group:staff allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Users/Shared/Library/Containers/com.docker.docker
chmod -R g+rw /Users/Shared/Library/Containers/com.docker.docker/Data

Then link your local Docker data to this shared source, and make sure that others can traverse into this folder to resolve the socket symlink:

ln -s /Users/Shared/Library/Containers/com.docker.docker ~/Library/Containers/com.docker.docker
chmod g+x ~/Library ~/Library/Containers

  8. Restart /Applications/Docker.app to test.
  9. SSH into the host as another user and run `docker run mariadb` to test.
  10. Reboot the host and reconnect via SSH to test (it may take a moment for Docker to start up).

This is the configuration we use for the #kernelcafe. Please add your improvements to the comments!

Top comments (3)

udance4ever

Thank you for these instructions. Have permissions changed in macOS Sonoma (14.6.1)?

I get an error while trying to move the Container directory:
docker@Embrace Containers % mv ~/Library/Containers/com.docker.docker /Users/Shared/Library/Containers
mv: rename /Users/docker/Library/Containers/com.docker.docker to /Users/Shared/Library/Containers/com.docker.docker: Operation not permitted

I had no problems moving all files in the directory manually but then I get stuck on the last step moving the offending directory out of the way to create a symlink even as root!
root@Embrace:/Users/docker/Library/Containers# mv com.docker.docker/ foo
mv: rename com.docker.docker/ to foo: Operation not permitted

Omar López

Thanks for this guide! I have a question: does this work when running docker-compose? I'm getting write errors.

Thomas Strömberg

I don't see why it shouldn't work - what errors are you seeing? I could have easily missed a step.