[英]How to give docker container based on scratch access to /var/run/docker.sock
I would like to use the Docker socket on the host from Go code running inside a container based on scratch. 我想从头开始在容器内运行的Go代码中使用主机上的Docker套接字。
The Dockerfile looks something like this: Dockerfile看起来像这样:
FROM golang:1.12.4-alpine3.9 as builder
RUN mkdir /user && \
echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
echo 'nobody:x:65534:' > /user/group
RUN apk add --no-cache ca-certificates git
WORKDIR /src
COPY go.mod ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
FROM scratch as final
COPY --from=builder /user/group /user/passwd /etc/
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /src/app /app
COPY --chown=nobody:nobody data /.local
USER nobody:nobody
ENTRYPOINT ["/app"]
The docker service itself includes a mount for the /var/run/docker.sock
泊坞窗服务本身包含
/var/run/docker.sock
的安装
Output from docker service inspect
: docker service inspect
输出:
"Mounts": [
{
"Type": "bind",
"Source": "/var/run/docker.sock",
"Target": "/var/run/docker.sock"
}
],
Things I've tried: 我尝试过的事情:
touch /var/run/docker.sock
on the builder and COPY --chown=nobody:nobody --from=builder /var/run /var/run
in final 在构建器上
touch /var/run/docker.sock
并在最终 COPY --chown=nobody:nobody --from=builder /var/run /var/run
Different user (I refuse to run as root. It's bad practice). 不同的用户(我拒绝以root用户身份运行。这是错误的做法)。
Adding nobody in final to the docker group. 最后没有人添加到docker组。
EDIT: 编辑:
Under this configuration I get the following error as nobody as a user does not have permission to access /var/run/docker.socket 在这种配置下,我收到以下错误,因为没有人作为用户没有访问/var/run/docker.socket的权限
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.25/services : dial unix /var/run/docker.sock: connect: permission denied
尝试在unix:///var/run/docker.sock上连接到Docker守护程序套接字时获得的权限被拒绝:获取http://%2Fvar%2Frun%2Fdocker.sock/v1.25/services :拨打unix / var /run/docker.sock:连接:权限被拒绝
To communicate with the docker daemon you either need to run the command as root (or sudo), or your user must be a member of the docker group. 要与docker守护程序通信,您需要以root(或sudo)身份运行命令,或者您的用户必须是docker组的成员。
In order to use it from a non-root user and without sudo, you will need to create the docker group inside the container and add your user to that group. 为了从非root用户且不使用sudo的情况下使用它,您将需要在容器内创建docker组并将您的用户添加到该组中。 NOTE: the docker group inside the container must have the same GID as the actual docker group on the host.
注意:容器内的docker组必须具有与主机上实际 docker组相同的GID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.