Reputation: 733
I would like to use the Docker socket on the host from Go code running inside a container based on scratch.
The Dockerfile looks something like this:
FROM golang:1.12.4-alpine3.9 as builder
RUN mkdir /user && \
echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
echo 'nobody:x:65534:' > /user/group
RUN apk add --no-cache ca-certificates git
WORKDIR /src
COPY go.mod ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
FROM scratch as final
COPY --from=builder /user/group /user/passwd /etc/
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /src/app /app
COPY --chown=nobody:nobody data /.local
USER nobody:nobody
ENTRYPOINT ["/app"]
The docker service itself includes a mount for /var/run/docker.sock.
Output from docker service inspect:
"Mounts": [
    {
        "Type": "bind",
        "Source": "/var/run/docker.sock",
        "Target": "/var/run/docker.sock"
    }
],
Things I've tried:
touch /var/run/docker.sock on the builder and COPY --chown=nobody:nobody --from=builder /var/run /var/run in final
Different user (I refuse to run as root. It's bad practice).
Adding nobody in final to the docker group.
EDIT:
Under this configuration I get the following error, as the nobody user does not have permission to access /var/run/docker.sock:
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/services: dial unix /var/run/docker.sock: connect: permission denied
Upvotes: 0
Views: 1231
Reputation: 639
To communicate with the docker daemon you either need to run the command as root (or sudo), or your user must be a member of the docker group.
In order to use it from a non-root user and without sudo, you will need to create the docker group inside the container and add your user to that group. NOTE: the docker group inside the container must have the same GID as the actual docker group on the host.
Upvotes: 3
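One way to carry out this answer's advice for the scratch image in the question, added here as an example and not part of either post: the group file is generated on the host with the GID that owns the Docker socket, so the "docker" group inside the container matches the host's. Assumptions: GNU stat, the socket path, and the nobody user with UID/GID 65534 from the question's Dockerfile.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Produces the /etc/passwd and /etc/group files for the scratch image so that
# the unprivileged "nobody" user belongs to a "docker" group whose GID equals
# the group owning /var/run/docker.sock on the host. Assumes GNU stat (-c) and
# the user name, UID and socket path used in the question.

# GID of the group that owns the host's docker socket. Exits non-zero when the
# socket is missing so a build script fails loudly instead of guessing a GID.
host_docker_gid() {
  sock="${1:-/var/run/docker.sock}"
  [ -S "$sock" ] || return 1
  stat -c '%g' "$sock"
}

# /etc/group content: nobody's primary group plus a docker group carrying the
# host GID, with nobody listed as a member.
make_group_file() {
  printf 'nobody:x:65534:\ndocker:x:%s:nobody\n' "$1"
}

# /etc/passwd content, identical to the entry in the question's Dockerfile.
make_passwd_file() {
  printf 'nobody:x:65534:65534:nobody:/:\n'
}

# Check that a group file (passed as a string) contains a docker group with the
# expected GID and nobody among its members. Returns 0 on a match.
group_file_matches() {
  expected_gid="$1"
  printf '%s\n' "$2" | grep -Eq "^docker:x:${expected_gid}:([^:]*,)?nobody(,|$)"
}

# Write both files into a directory; in the builder stage the two echo lines
# of the question's Dockerfile can then be replaced by "COPY user/ /user/".
write_user_files() {
  dir="$1"; gid="$2"
  mkdir -p "$dir"
  make_passwd_file > "$dir/passwd"
  make_group_file "$gid" > "$dir/group"
  group_file_matches "$gid" "$(cat "$dir/group")"
}
```

Run on the host before the build as `write_user_files ./user "$(host_docker_gid)"`; if the host's docker group GID ever changes, the image must be rebuilt, since the GID is baked into /etc/group.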