Hi Dan,

I don't necessarily agree with adding the galaxy users to the docker group as a "safer" alternative to sudo. Note that the sudoers configuration files can limit the commands that get executed and you don't have to give "all sudo privileges", which is the easiest thing to do. Sudoers supports command matching/globbing to permit more specific permissions such as giving the ability to add docker images but not removing them.

See http://ubuntuforums.org/showthread.php?t=1132821 for extensive information on how you would limit sudo.

Iyad Kandalaft
Agriculture and Agri-Food Canada

-----Original Message-----
From: galaxy-dev [mailto:galaxy-dev-bounces@lists.galaxyproject.org] On Behalf Of Dan Tenenbaum
Sent: Monday, November 24, 2014 10:55 AM
To: galaxy-dev@lists.galaxyproject.org
Subject: [galaxy-dev] more control over the "docker" command

Hi,

Thanks for supporting the running of docker containers in Galaxy.

I have two requests for more control over the docker command that is run.

According to https://github.com/apetkau/galaxy-hackathon-2014 , the docker command that is run when a docker-enabled tool is run might look something like this:

command is: sudo docker run -e "GALAXY_SLOTS=$GALAXY_SLOTS" -v /home/aaron/Projects/galaxy-central:/home/aaron/Projects/galaxy-central:ro -v /home/aaron/Projects/galaxy-central/tools/docker:/home/aaron/Projects/galaxy-central/tools/docker:ro -v /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6:/home/aaron/Projects/galaxy-central/database/job_working_directory/000/6:rw -v /home/aaron/Projects/galaxy-central/database/files:/home/aaron/Projects/galaxy-central/database/files:rw -w /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6 --net none busybox:ubuntu-14.04 /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6/container.sh; return_code=$?; if [ -f /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6/working_file ] ; then cp /home/aaron/Projects/galaxy-central/database/job_working_directory/000/6/working_file /home/aaron/Projects/galaxy-central/database/files/000/dataset_10.dat ; fi; sh -c "exit $return_code"

I'd like to be able to specify extra flags to be included in the command. In my case I'd like to include "--link server:server" because I want to link this container with another container that contains a long-running server process (I can describe my use case in greater detail if desired). Can there be a way to do this in my tool wrapper?

Secondly, rather than giving my galaxy user passwordless sudo, I'd like to add it to the docker group, then I can run docker commands without prepending sudo. This seems a lot safer. Could this be exposed, maybe by a sudo="false" attribute in the tool wrapper?

Thanks,
Dan
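One way to narrow what the galaxy user can run, in the spirit of the restricted-sudoers suggestion in this thread: sudoers permits only a single wrapper, and the wrapper applies a check like the one below before it invokes docker. This is an added example, not code from Galaxy or from either poster; the wrapper idea, the function names and the policy values are assumptions, with the paths and image taken from the command quoted above.

```python
import posixpath
import shlex

# Assumed policy values; the paths and image come from the command quoted in the thread.
GALAXY_ROOT = "/home/aaron/Projects/galaxy-central"
ALLOWED_IMAGES = {"busybox:ubuntu-14.04"}
ALLOWED_LINKS = {"server:server"}   # the extra flag requested in the thread
ALLOWED_NETS = {"none", "bridge"}
VALUE_OPTS = {"-e", "-v", "-w", "--net", "--link"}  # each takes exactly one value


def under_root(path):
    """True if path, after collapsing '..', is GALAXY_ROOT or inside it."""
    norm = posixpath.normpath(path)
    return path.startswith("/") and (norm == GALAXY_ROOT or norm.startswith(GALAXY_ROOT + "/"))


def check_docker_run(cmdline):
    """Return a list of policy violations for a 'docker run' command line (empty = allowed)."""
    argv = shlex.split(cmdline)
    if argv[:1] == ["sudo"]:
        argv = argv[1:]
    if argv[:2] != ["docker", "run"]:
        return ["not a 'docker run' command"]
    problems, i = [], 2
    while i < len(argv) and argv[i].startswith("-"):
        opt = argv[i]
        if opt not in VALUE_OPTS or i + 1 >= len(argv):
            return problems + ["option not permitted: " + opt]
        val = argv[i + 1]
        if opt == "-v":
            parts = val.split(":")  # host:container:mode
            if len(parts) != 3 or parts[2] not in ("ro", "rw") or not under_root(parts[0]):
                problems.append("volume not permitted: " + val)
        elif opt == "-w" and not under_root(val):
            problems.append("workdir outside Galaxy root: " + val)
        elif opt == "--net" and val not in ALLOWED_NETS:
            problems.append("network mode not permitted: " + val)
        elif opt == "--link" and val not in ALLOWED_LINKS:
            problems.append("link not permitted: " + val)
        i += 2
    if i >= len(argv) or argv[i] not in ALLOWED_IMAGES:
        problems.append("image not permitted")
    return problems

# Constructed sample, shortened from the command quoted in the thread.
JOB = GALAXY_ROOT + "/database/job_working_directory/000/6"
SAMPLE = ('sudo docker run -e "GALAXY_SLOTS=$GALAXY_SLOTS" -v %s:%s:rw -w %s '
          "--net none busybox:ubuntu-14.04 %s/container.sh" % (JOB, JOB, JOB, JOB))
```

Anything not explicitly listed (an unknown flag, a mount outside the Galaxy tree, an unlisted image) is rejected, so a new flag such as the requested `--link` is enabled by adding it to the policy.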