
How do I expose /var/run/docker.sock to a container?

asked 2015-11-12 00:00:08 +0000

tjdett

updated 2015-11-12 00:01:14 +0000

Injecting /var/run/docker.sock into a container is a practice recommended by Jérôme Petazzoni for controlling Docker daemons.

What is the recommended method for doing this with Project Atomic, such that SELinux allows access?

With Fedora Atomic, I've tried:

$ docker version -f "{{ .Server.Version }}"
1.8.2-fc23
# Normal volume access
$ docker run -ti --rm -v /run/docker.sock:/var/run/docker.sock docker:1.8.2 docker info
Get http:///var/run/docker.sock/v1.20/info: dial unix /var/run/docker.sock: permission denied.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?
# Volume access with a specific MCS label
$ docker run -ti --rm -v /run/docker.sock:/var/run/docker.sock:Z docker:1.8.2 docker info
Get http:///var/run/docker.sock/v1.20/info: dial unix /var/run/docker.sock: permission denied.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?
# Volume access unrestricted by container
$ docker run -ti --rm -v /run/docker.sock:/var/run/docker.sock:z docker:1.8.2 docker info
Get http:///var/run/docker.sock/v1.20/info: dial unix /var/run/docker.sock: permission denied.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?
# Privileged container volume access
$ docker run -ti --rm --privileged -v /run/docker.sock:/var/run/docker.sock docker:1.8.2 docker info
Get http:///var/run/docker.sock/v1.20/info: EOF.
* Are you trying to connect to a TLS-enabled daemon without TLS?
* Is your docker daemon up and running?

That last try generates this error message in the system logs:

docker[959]: 2015/11/11 07:39:19 http: panic serving @: runtime error: invalid memory address or nil pointer dereference
docker[959]: goroutine 1381 [running]:
docker[959]: net/http.(*conn).serve.func1(0xc820b2cbb0, 0x7f0fb2314900, 0xc8209d5c70)
docker[959]: /usr/lib/golang/src/net/http/server.go:1287 +0xb5 fp=0xc82008d4c8 sp=0xc82008d3f8
docker[959]: runtime.call32(0x0, 0x1287be8, 0xc820ab7bb0, 0x1800000018)
docker[959]: /usr/lib/golang/src/runtime/asm_amd64.s:437 +0x3e fp=0xc82008d4f0 sp=0xc82008d4c8
docker[959]: runtime.gopanic(0xf0f880, 0xc82000e070)
docker[959]: /usr/lib/golang/src/runtime/panic.go:423 +0x4e9 fp=0xc82008d570 sp=0xc82008d4f0
docker[959]: runtime.panicmem()
docker[959]: /usr/lib/golang/src/runtime/panic.go:42 +0x49 fp=0xc82008d598 sp=0xc82008d570
docker[959]: runtime.sigpanic()
docker[959]: /usr/lib/golang/src/runtime/sigpanic_unix.go:24 +0x2ba fp=0xc82008d5e8 sp=0xc82008d598
docker[959]: github.com/docker/docker/api/server.getpwuid(0xffffffff, 0x0, 0x0, 0x0, 0x0)
docker[959]: /builddir/build/BUILD/docker-28c300fafb58c380d78381e08e1be35dfed5d4f9/_build/src/github.com/docker/docker/api/server/credentials_linux.go:75 +0x1f6 fp=0xc82008d678 sp=0xc82008d5e8
docker[959]: github.com/docker/docker/api/server.(*Server).LogAction(0xc820210100, 0x7f0fb2322d18, 0xc820b2cc60, 0xc820aa08c0, 0x0, 0x0)
docker[959]: /builddir/build/BUILD/docker-28c300fafb58c380d78381e08e1be35dfed5d4f9/_build/src/github.com/docker/docker/api/server/credentials_linux.go:172 +0xaac fp=0xc82008d850 sp=0xc82008d678
docker[959]: github.com/docker/docker ...

1 answer


answered 2015-11-12 00:23:44 +0000

tjdett

Jason Brooks recommended on #atomic this solution, which unrestricts /var/run/docker.sock for all Docker containers: https://github.com/dpw/selinux-dockersock

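Added example, not part of the original question or answer and not code from the linked project: since the answer's approach opens the socket to all containers, this sketch audits `docker inspect` output to list which containers actually have /run/docker.sock or /var/run/docker.sock mounted. The sample JSON and the container names in it are constructed for illustration.

```python
import json

# Fedora symlinks /var/run to /run, so either host path is the same socket.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample shaped like `docker inspect` output (one object per container).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-agent", "HostConfig": {"Privileged": False, "SecurityOpt": None},
     "Mounts": [{"Source": "/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/web", "HostConfig": {"Privileged": False, "SecurityOpt": None},
     "Mounts": [{"Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Name": "/debug", "Mounts": [], "HostConfig": {"Privileged": True,
     "SecurityOpt": ["label:disable"], "Binds": ["/var/run/docker.sock:/docker.sock:ro"]}},
])

def socket_mounts(container):
    """Return (host_path, container_path, writable) for each bind of the Docker socket."""
    found = []
    for m in container.get("Mounts") or []:
        if m.get("Source") in SOCKET_PATHS:
            found.append((m["Source"], m.get("Destination"), bool(m.get("RW", True))))
    if not found:  # no Mounts entry: fall back to HostConfig.Binds ("src:dst[:opts]")
        for bind in (container.get("HostConfig") or {}).get("Binds") or []:
            parts = bind.split(":")
            if parts[0] in SOCKET_PATHS and len(parts) >= 2:
                opts = parts[2].split(",") if len(parts) > 2 else []
                found.append((parts[0], parts[1], "ro" not in opts))
    return found

def audit(inspect_json):
    """List containers holding the socket; a read-only bind still allows API calls."""
    report = []
    for c in json.loads(inspect_json):
        mounts = socket_mounts(c)
        if not mounts:
            continue
        host = c.get("HostConfig") or {}
        opts = host.get("SecurityOpt") or []
        report.append({
            "name": c.get("Name", "").lstrip("/"),
            "mounts": mounts,
            "privileged": bool(host.get("Privileged")),
            "label_disabled": any(o in ("label:disable", "label=disable") for o in opts),
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_INSPECT):
        print(row)
```

On a live host the same function can be fed the output of `docker inspect $(docker ps -q)`.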