A recent question I received asked for ideas on sharing the Docker UNIX socket when you have user namespaces enabled in the Docker daemon. Given that sharing the Docker daemon’s UNIX socket is the recommended and preferred method for allowing in-container tools to interact with the Docker daemon, it’s an important question to try and answer.

Note: Please read my follow-up blog post on this topic, based on the comments regarding open access to all Docker APIs via the methods discussed below.

So, the UNIX socket created by the daemon, located by default at /var/run/docker.sock, is owned by host root, with docker group ownership. On your host, adding a user to the docker group gives you read/write access to the socket for API communication with the daemon. If you use the usual path of mounting the daemon’s UNIX socket in your container (using -v /var/run/docker.sock:/var/run/docker.sock) when user namespaces are enabled on the daemon, your container’s root uid (or any other container uid/gid) will have no access at all to the UNIX socket.
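To make the permission failure concrete, here is an added example (my own script, not code from the original post) that models the two things that decide access: the user-namespace remap, which turns container uid 0 into some high host uid taken from a subuid range, and the ordinary owner/group/other bits on the socket. The mapping lines follow the "name:start:count" layout of /etc/subuid and /etc/subgid, but the remap user "dockremap", the range 100000:65536, and the docker group gid 999 are constructed sample values; the socket metadata imitates "srw-rw---- root docker /var/run/docker.sock".

```shell
#!/bin/sh
# Added example, not part of the original post. All inputs are constructed.

# Socket metadata modelled on "srw-rw---- root docker /var/run/docker.sock".
SOCK_OWNER=0      # host root
SOCK_GROUP=999    # docker group (constructed gid)
SOCK_MODE=660     # rw for owner and group, nothing for others

# map_id <container_id> <map_line>
# A user-namespace map line reads "name:host_base:count" (the /etc/subuid
# and /etc/subgid layout). Container id N becomes host id host_base+N when
# N < count; anything outside the range is unmapped.
map_id() {
  cid=$1
  base=$(printf '%s' "$2" | cut -d: -f2)
  count=$(printf '%s' "$2" | cut -d: -f3)
  if [ "$cid" -ge 0 ] && [ "$cid" -lt "$count" ]; then
    echo $((base + cid))
  else
    echo unmapped
  fi
}

# has_rw <host_uid> "<host_gids>" <owner_uid> <owner_gid> <octal_mode>
# Returns 0 when the uid has both read and write permission. Host uid 0 is
# allowed outright (CAP_DAC_OVERRIDE); otherwise the first matching class
# (owner, then group, then other) decides, as the kernel does.
has_rw() {
  uid=$1; grouplist=$2; owner=$3; group=$4; mode=$5
  if [ "$uid" = 0 ]; then return 0; fi
  u=$(printf '%s' "$mode" | cut -c1)
  g=$(printf '%s' "$mode" | cut -c2)
  o=$(printf '%s' "$mode" | cut -c3)
  if [ "$uid" = "$owner" ]; then
    bits=$u
  else
    bits=$o
    for gid in $grouplist; do
      if [ "$gid" = "$group" ]; then bits=$g; break; fi
    done
  fi
  [ $(( (bits & 6) == 6 )) -eq 1 ]
}

# host_access <uid> "<gids>"  -> allowed | denied, for a process on the host
host_access() {
  if has_rw "$1" "$2" "$SOCK_OWNER" "$SOCK_GROUP" "$SOCK_MODE"; then
    echo allowed
  else
    echo denied
  fi
}

# container_access <cuid> <cgid> <subuid_line> <subgid_line>
# The container's ids are first translated through the daemon's remap,
# then checked against the socket exactly as a host process would be.
container_access() {
  huid=$(map_id "$1" "$3")
  hgid=$(map_id "$2" "$4")
  if [ "$huid" = unmapped ] || [ "$hgid" = unmapped ]; then
    echo denied
    return
  fi
  host_access "$huid" "$hgid"
}

# Constructed mappings: "nomap" stands in for user namespaces disabled
# (container uid 0 really is host uid 0); "dockremap" is a typical remap.
NOMAP="nomap:0:65536"
SUBUID="dockremap:100000:65536"
SUBGID="dockremap:100000:65536"

echo "host user 1000 in docker group:   $(host_access 1000 '1000 999')"
echo "host user 1000 not in group:      $(host_access 1000 '1000 100')"
echo "container root, userns disabled:  $(container_access 0 0 "$NOMAP" "$NOMAP")"
echo "container root, userns remapped:  $(container_access 0 0 "$SUBUID" "$SUBGID")"
```

The last line is the case the post describes: container root lands on host uid 100000 and gid 100000, which is neither the socket's owner nor a member of the docker group, so the mode 660 socket gives it nothing. On a real host you can confirm the two halves separately with `id` inside the container and `ls -ln /var/run/docker.sock` on the host.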