We help IT Professionals succeed at work.

How to properly give programmers admin privleges to be able to use programs such as docker?

rivkamak
rivkamak asked
on
I recently took away users local admin privileges from all the end users computers.  The people who seem to be affected by this the most are the programmers. They have issues with running docker which needs to be run with elevated privileges (Just one example so far ).  I would be interested in hearing what other sys admins are doing with the more technical end users to let them work properly?

Thank you.
Comment
Watch Question

David FavorFractional CTO
Distinguished Expert 2019

Commented:
Simple solution, use LXD containers instead of Docker containers.

Or provide an LXD container for each project or programmer, where the programmer has root + can run Docker apps with root privileges.

Tip: Trying to run any apps in Docker with low privileges is very difficult, because most servers require root to start running + logging, like Apache + PHP + MariaDB/MySQL.

Running root level code in LXD containers is trivial.

Working around this using non-root Docker containers becomes very complex.
Aaron TomoskyDirector, SD-WAN Solutions

Commented:
depending on what they are doing, you can also move compile/build tasks to centralized servers. For example, they developers commit their code release, and it automatically builds and pushes to a dev environment. "Go" or "Ansible" can automate this, or AWS and other platforms have this built in as well.
you could  give users ssh access with a private key to the root account

in /root/.ssh/authorized_keys you can add lines, that allow only to run certain commands, but not others.

For some other commands sudo might be sufficient

Or you create a suid executable, that just allows certain commands. (I'ts kind of implementing your own sudo)

You might set up a tiny web server running as a user who has full sudo access to docker and create a web interface parsing, validating and starting potential valid commands.
Distinguished Expert 2019

Commented:
With developers and programmers, you will always have a hard time without admin permissions.
So either you give them VMs that allow nested virtualization (VM within a VM) to do their testing, or you will need to work out concepts that are fairly secure, like this: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html
Shaun VermaakSenior Consultant
Awarded 2017
Distinguished Expert 2019

Commented:
You will need to exempt them if you want to keep them productive. Solution in first comment is just as dangerous as having users run as local admin on Windows

Create AD groups, add group to local admin of devices and add users to these groups using time-based memberships
David FavorFractional CTO
Distinguished Expert 2019

Commented:
Note: About LXD...

What you're talking about is a common problem.

Here's a general flow of how I manage projects.

1) Dev/Staging phase.

Provide an LXD container to a developer for some project. Might be a new project or might be a container clone of an existing project, for changes to be made.

At this point the developer(s) have root ssh access to container.

They can do anything they like, so development runs at light speed.

2) After development is complete.

The current production container is shutdown.

Then the production container's IP is associated with the dev container + all root ssh access (ssh keys) are destroyed.

3) Once #2 is accomplished, the dev/staging project becomes the live project, then the entire process restarts again.

This provides a way a highly agile development environment, where developers never have to wait for any procedure/committee to provide them access to some resource required for them to continue.

Author

Commented:
Thank you everyone.

McKnife, according to your article, the user who is granted "admin" access is able to install any application and change any windows configuration? I dont want the developers to have unrestricted control on their computers, just on the few programs that need it.
Distinguished Expert 2019

Commented:
You cannot delegate control selectively. Windows doesn't allow that. Look at the 3rd party tool Powerbroker by beyondtrust. It will allow granular delegation.
Director, SD-WAN Solutions
Commented:
the key thing to remember is that developers need unrestricted control of their development environment, at least in the early stages. As long as their development environment IS their workstation that you want to restrict, you will have issues. All of the suggestions will generally lead toward the separation of these two environments.

I used to enforce build servers because I had multiple developers working on parts of the same project and ran into issues with them building on their own machines and then not being able to build on others (usually because they added a library or something and forgot to mention it). give them full control to something that can be wiped and easily reset at any time, like a VM.

Author

Commented:
Thank you all for your sharing your time and advice.  I have a picture now of where to go from here.