Reputation: 53
I have a master container instance (Node.js) that runs some tasks in a temporary worker docker container. The base image used is node:8-alpine and the entrypoint command executes with user node (non-root user).
I tried running my container with the following command:
docker run \
-v /tmp/box:/tmp/box \
-v /var/run/docker.sock:/var/run/docker.sock \
ifaisalalam/ide-taskmaster
But when the nodejs app tries running a docker container, a permission denied error is thrown - the app can't read the /var/run/docker.sock file.
Accessing this container through sh and running ls -lha /var/run/docker.sock, I see that the file is owned by root:412. That's why my node user can't run a docker container.
The /var/run/docker.sock file on the host machine is owned by root:docker, so I guess the 412 inside the container is the docker group ID of the host machine.
I'd be glad if someone could provide me a workaround to run docker from a docker container in Container-Optimized OS on GCE.
The source Git repository link of the image I'm trying to run is - https://github.com/ifaisalalam/ide-taskmaster
Upvotes: 1
Views: 1064
Reputation: 53
Adding the following command into my start-up script of the host machine solves the problem:
sudo chmod 666 /var/run/docker.sock
I am just not sure if this would be a secure workaround for an app running in production.
EDIT:
This answer suggests another approach that might also work - https://stackoverflow.com/a/47272481/11826776
Also, you may read this article - https://denibertovic.com/posts/handling-permissions-with-docker-volumes/
Upvotes: 2
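An alternative to loosening the socket's mode, added here as an example (it is not code from either post or from the ide-taskmaster repository): read the gid that owns the host socket and pass it to the worker with `--group-add`, so the non-root `node` user gains the socket's group while the host keeps root:docker with mode 660. The image name and bind mounts are taken from the question; the helper names and the world-writable check are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or answer: replace `chmod 666
# /var/run/docker.sock` with a supplementary group inside the container.
set -eu

# Numeric group id owning a file (e.g. /var/run/docker.sock). On the host in
# the question this is the docker group, which shows up as the bare gid 412
# inside the container because that id has no name in the image.
socket_gid() {
    stat -c '%g' "$1"
}

# Emit the `docker run` arguments, one per line. `--group-add` accepts a
# numeric gid, so the `node` user can open the socket without being root
# and without changing the socket's permissions on the host.
build_run_args() {
    sock="$1"
    gid="$(socket_gid "$sock")"
    printf '%s\n' \
        "--group-add" "$gid" \
        "-v" "/tmp/box:/tmp/box" \
        "-v" "$sock:/var/run/docker.sock" \
        "ifaisalalam/ide-taskmaster"
}

# Returns success when the "other" write bit is set on the file, i.e. when
# the chmod 666 workaround is in place. Anyone who can write to the daemon
# socket can start privileged containers, so this is effectively host root
# for every local account; worth checking from a start-up script.
socket_is_world_writable() {
    mode="$(stat -c '%a' "$1")"
    [ $(( 0$mode & 2 )) -ne 0 ]
}
```

Invoke as `docker run $(build_run_args /var/run/docker.sock)`; unquoted expansion is safe here because none of the emitted arguments contain whitespace.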