Advice for Docker Host Permissions

I need some general advice for how to set up permissions on a Docker host. I’m not yet using swarm, orchestration, or external personal registries: I’m SSHing into the server and checking out docker-compose projects from source control:

/var/docker
├ project_a
└ project_b

Then I just docker-compose run --build -d inside those directories (which tend to have Dockerfiles and configs that get built at up time).

However, I’ve got a couple of other people on my team to whom I want to give the keys to be able to update code and rerun docker-compose up, etc.

So those project directories (and/or group and/or sudoers configurations) need to have permissions such that:

  • Certain other users (joe, jane, bob) and I (jamie) can manipulate the files and run docker-compose commands against them.
  • Other users cannot.

I was thinking of doing something like:

  • creating a deployer user, adding that to the docker group, and having the users switch to that to do deployments
  • giving /var/docker files deployer:docker ownership and XX0 (no “other”) access

Thoughts?

Thanks,
Jamie

I’d just use root for this, since the ability to run Docker commands is one very small step away from having unrestricted access on the host anyways.

I don’t have any easy suggestions here; the good answers range from “separate development and production onto separate hardware” up through heavy-weight solutions like “deploy Kubernetes”. Is your overall environment something where it’s straightforward to have more smaller machines rather than one big machine? That would help the separation of concerns.
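The group-owned, no-"other" layout proposed in the first post, as an added shell example that is not part of the original thread: one function applies the policy to a checkout tree and one audits it for drift. The function names and the tree and group arguments are assumptions, and, as the reply points out, this only limits who can touch the files, not what someone who can run Docker commands can do on the host.

```shell
#!/bin/sh
# Added example (not from the thread): apply and audit "XX0" permissions
# on a directory of docker-compose checkouts.
# Assumed usage: sh lockdown.sh /var/docker <group>   (script name is hypothetical)

# lock_down ROOT GROUP: group-own the tree and strip every "other" bit.
lock_down() {
    ld_root=$1
    ld_group=$2
    chgrp -R "$ld_group" "$ld_root" || return 1
    # g+rwX: group may read/write, traverse directories, and keep existing
    #        execute bits; o-rwx: no access at all for anyone else.
    chmod -R g+rwX,o-rwx "$ld_root" || return 1
    # setgid on directories so files created later (a fresh git checkout,
    # a new config) inherit the group instead of the creator's primary group.
    find "$ld_root" -type d -exec chmod g+s {} +
}

# audit_tree ROOT GROUP: print each entry that is owned by another group
# or still has any read/write/execute bit for "other". Returns 1 if any exist.
audit_tree() {
    at_root=$1
    at_group=$2
    # Symlinks are skipped: their own mode bits are not what access checks use.
    at_bad=$(find "$at_root" ! -type l \
        \( ! -group "$at_group" -o -perm -001 -o -perm -002 -o -perm -004 \) \
        -print)
    if [ -n "$at_bad" ]; then
        printf '%s\n' "$at_bad"
        return 1
    fi
    return 0
}

# Run only when both arguments are supplied, so sourcing the file is harmless.
if [ "$#" -eq 2 ]; then
    lock_down "$1" "$2" && audit_tree "$1" "$2"
fi
```

Running `audit_tree` from cron or a deploy hook catches files that were copied in with a permissive umask after the initial lock-down.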