I am attempting to create a container that can access the host docker remote API via the docker socket file (host machine - /var/run/docker.sock).
The answer here suggests proxying requests to the socket. How would I go about doing this?
Asked
Active
Viewed 3.4k times
3 Answers
37
If one intends to use Docker from within a container, they should clearly understand security implications.
Accessing Docker from within the container is simple:
- Use the
dockerofficial image or install Docker inside the container. Or you may download archive with docker client binary as described here - Expose Docker unix socket from host to container
That's why
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-ti docker
should do the trick.
Alternatively, you may expose into container and use Docker REST API
UPD: Former version of this answer (based on previous version of jpetazzo post ) advised to bind-mount the docker binary from the host to the container. This is not reliable anymore, because the Docker Engine is no longer distributed as (almost) static libraries.
Considerations:
- All host containers will be accessible to container, so it can stop them, delete, run any commands as any user inside top-level Docker containers.
- All created containers are created in a top-level Docker.
- Of course, you should understand that if container has access to host's Docker daemon, it has a privileged access to entire host system. Depending on container and system (AppArmor) configuration, it may be less or more dangerous
- Other warnings here dont-expose-the-docker-socket
Other approaches like exposing /var/lib/docker to container are likely to cause data corruption. See do-not-use-docker-in-docker-for-ci for more details.
Note for users of official Jenkins CI container
In this container (and probably in many other) jenkins process runs as a non-root user. That's why it has no permission to interact with docker socket. So quick & dirty solution is running
docker exec -u root ${NAME} /bin/chmod -v a+s $(which docker)
after starting container. That allows all users in container to run docker binary with root permissions. Better approach would be to allow running docker binary via passwordless sudo, but official Jenkins CI image seems to lack the sudo subsystem.
Community
- 1
- 1
Dmitriusan
- 11,525
- 3
- 38
- 38
-
2Also, there is a great advanced article: http://jpetazzo.github.io/2016/04/03/one-container-to-rule-them-all/ – Dmitriusan Apr 29 '16 at 14:38
-
Mounting the docker binary is [discouraged](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/#the-solution): `Former versions of this post advised to bind-mount the docker binary from the host to the container. This is not reliable anymore, because the Docker Engine is no longer distributed as (almost) static libraries.` – Murmel Feb 01 '18 at 11:57
-
Thanks for the chmod, that certainly helped! – johncorner06 Sep 22 '22 at 22:26
31
I figured it out. You can simply pass the the socket file through the volume argument
docker run -v /var/run/docker.sock:/container/path/docker.sock
As @zarathustra points out, this may not be the greatest idea however. See: https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/
kdauria
- 6,300
- 4
- 34
- 53
Desmond Morris
- 1,056
- 1
- 9
- 13
-
2You should never do this, see https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html – Zarathustra Aug 15 '16 at 11:53
-
1@Zarathustra agreed and thanks. The question however, was not whether or not it should be done. I will update the answer here with warning. – Desmond Morris Aug 15 '16 at 20:54
-
3
-
2
-
1@DesmondMorris it seems that the link is dead. Do you have an updated version? – Lucas Oct 18 '21 at 13:28
-
1@Lucas https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/ – ᴠɪɴᴄᴇɴᴛ Jan 04 '22 at 17:56
10
I stumbled across this page while trying to make docker socket calls work from a container that is running as the nobody user.
In my case I was getting access denied errors when my-service would try to make calls to the docker socket to list available containers.
I ended up using docker-socket-proxy to proxy the docker socket to my-service. This is a different approach to accessing the docker socket within a container so I though I would share it.
I made my-service able to receive the docker host it should talk to, docker-socker-proxy in this case, via the DOCKER_HOST environment variable.
Note that docker-socket-proxy will need to run as the root user to be able to proxy the docker socket to my-service.
Example docker-compose.yml:
version: "3.1"
services:
my-service:
image: my-service
environment:
- DOCKER_HOST=tcp://docker-socket-proxy:2375
networks:
- my-service_my-network
docker-socket-proxy:
image: tecnativa/docker-socket-proxy
environment:
- SERVICES=1
- TASKS=1
- NETWORKS=1
- NODES=1
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- my-service_my-network
deploy:
placement:
constraints: [node.role == manager]
networks:
my-network:
driver: overlay
Note that the above compose file is swarm ready (docker stack deploy my-service) but it should work in compose mode as well (docker-compose up -d). The nice thing about this approach is that my-service does not need to run on a swarm manager anymore.
Etienne Dufresne
- 401
- 5
- 11
-
2Would you mind explaining why your network is called `my-network` but your services refer to it as `my-service_my-network`? – Geoff Jan 10 '19 at 21:07