/var/run/docker.sock在centos 7上运行的容器中无法访问

Question

I'm launching a container which runs a bash script that does a docker build internally using docker 1.3.2 on Centos 7.0.1406 . The files/commands are at https://gist.github.com/wrabbit-revisited/1d70d0f1805be1848c08 .

The docker build needs access to the docker socket so i use a common trick, as per http://nathanleclaire.com/blog/2014/07/12/10-docker-tips-and-tricks-that-will-make-you-sing-a-whale-song-of-joy/ :

-v /var/run/docker.sock:/var/run/docker.sock

Prior to the build i run a check in the script:

if [ -e "/var/run/docker.sock" ];
then
  echo "docker.sock found"
else
  echo "docker.sock not found"
fi

and the "echo" shows that docker.sock is not found. It is found if the check is done outside the container using sudo.

I tried adding "--permissive=true" to the "docker run" command line, but no apparent change.

There is some reference to a similar problem here: https://github.com/dpw/selinux-dockersock . It targets Fedora/RHEL, but doesn't resolve this issue, either. If i use "setenforce Permissive" and sestatus to ensure selinux is in permissive mode the issue remains unresolved.

I've also tried adding "--security-opt=label:type:docker_t" to the docker command line, as per https://github.com/jwilder/nginx-proxy/issues/40 . No apparent effect.

The selinux policy for Docker is described here: http://www.unix.com/man-page/centos/8/docker_selinux/ .

Lots of information, but i'm not sure if selinux is contributing to the problem. If i edit /etc/selinux/config to disable selinux then reboot and run sestatus it says selinux is disabled, but the issue remains.

Looking about, it may be related to this: https://github.com/docker/compose/issues/983 . Using this trick to run docker inside a container is quite common but perhaps there is a better way to do this or a good workaround. I considered dind, but that's work and this is a widely-used, simple (on the surface), approach to running a docker build inside a container. There is probably a simple solution.

Any help would be appreciated! thanks

Answer 1

I think your problem might be due to a misunderstanding of the -v option to docker run . You say you did

-v /var/run/docker:/var/run/docker

This creates a bind mount in the container for the file or directory /var/run/docker . But in your case, there is no such file or directory. You want the file /var/run/docker.sock . So you need to do

-v /var/run/docker.sock:/var/run/docker.sock

to bind mount that file into the container.

As /var/run/docker didn't exist, you might wonder why docker didn't tell you about the error. But the -v option has the surprising behaviour that if the path does not exist on the host, docker will create it as a directory. So you end up with a useless empty /var/run/docker directory on the host and container.

In principle, you could also do -v /var/run:/var/run to bind mount the containing directory. But it's probably a bad idea to give a container access to the host's /var/run directory tree.

And as you are on CentOS, you will also need to use https://github.com/dpw/selinux-dockersock for access to /var/run/docker.sock to work with SELinux in enforcing mode.

Answer 2

Confirmed installing https://github.com/dpw/selinux-dockersock is enough and good in the long run.

A quick alternative fix is to pass --privileged argument, when starting a container.