Reputation: 211
how does kubernetes detect docker daemon
I'm using coreos tectonic sandbox. My deployment.yaml file contains the container which should detect the docker daemon running on host via kubernetes. The container uses docker daemon to identify docker events. For some reason docker daemon is not getting detected.
deployment.yaml
containers:
- name: idn-docker
image: sample/id-docker:latest
- name: docker-socket
mountpath: /var/run/docker.sock
can some please help me identify what the problem is.
Upvotes: 1
Views: 2868
Answers (2)
Reputation: 22244
Securing Docker Socket
As in Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL, CoreOS by default does not have docker group and tries to prevent accesses to the docker socket by limiting accesses to root to be secure.
A Kuberneses pod which is a Docker container process will not run as root by default, and also SELinux labels will prevent the pods/containers from accessing the docker socket. Check with the pod process with ps -Z and the docker socket with ls -Z to verify the labels.
Allowing the access to Docker socket from a container is a security risk, but if it is mandatory to do so for some reason, one way is to run the pod as privileged using security context, and make the pod process run as root (with risks).
securityContext:
privileged: true
Not sure with tectonic but OpenShift by default prevents using hostPath mount and tectonic may have similar. Another stuff look into is the service account used for the pod and the role/bindings to the account.
Upvotes: 0
Reputation: 8983
For run Docker in a Docker, you have 2 options - DooD (Docker out of Docker) and DinD (Docker in Docker). I think you need a first because you need access to events on a host machine.
Here is a good article about both schemes.
Example of pod's configuration:
apiVersion: v1
kind: Pod
metadata:
name: idn-docker
spec:
containers:
- name: idn-docker
image: sample/id-docker:latest
volumeMounts:
- mountPath: /var/run
name: docker-sock
volumes:
- name: docker-sock
hostPath:
path: /var/run
You can use a containers section from an example in your deployment because of its structure in template section is the same Pod template as a separate pod configuration.
But, please keep in mind, that solution will have some limitations:
Pod Networking - Cannot access the container using Pod IP.
Pod Lifecycle - On Pod termination, this container will keep running especially if the container was started with -d flag.
Pod Cleanup - Graph storage will not be clean up after pod terminates.
Scheduling and Resource Utilization - Cpu and Memory requested by Pod, will only be for the Pod and not the container spawned from the Pod. Also, limits on CPU and memory settings for the Pod will not be inherited by the spawned container.
Upvotes: 1
Related Questions
- How do I tell if my container is running inside a Kubernetes cluster?
- how to differentiate docker container and kubernetes pods running in the same host
- Kubernetes Docker process inside pod
- How kubernetes daemonset works?
- How kubernetes identifies that docker is the container platform that is to be used
- Kubernetes - How does API Server / etcd know the status of each Pod?
- What does docker daemon do in kubernetes after container(s) is started?
- How kubelet - docker container communication happens?
- How does Kubernetes invoke a Docker image?
- How can I expose kubernetes services running within docker?