According to the official Docker website (https://docs.docker.com/engine/security/rootless/), it's possible to run the Docker daemon rootless-ly (without root access, no --privileged flag).
However I'm convinced this would not work when running from inside a Docker container. There is no way of getting modprobe inside a Docker container without root access (--privileged). So it's not possible to install the Docker rootless script.
Supposedly there is an official image on Docker Hub: the docker:dind-rootless image. So I pulled the image and SSH'd into the container; however, I'm getting the following error when running dockerd:
INFO[2020-07-17T20:50:32.355617100Z] Starting up
dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation
Any suggestions on how to run the Docker daemon rootlessly inside another Docker container? I know this is possible with root, but is there a way to do it without? I can't get root access as I'm deploying to AWS Fargate, which doesn't support privileged access at the container level.
It's been 2 years. There's an image for it now.
https://docs.docker.com/engine/security/rootless/#rootless-docker-in-docker
Related
I am trying to run docker daemon inside a docker container. But I need to run docker daemon in privilege mode. Only then I can run the daemon inside container. Is there any other way to run a docker daemon without privilege mode? Because privilege mode gives access to all the resources of the outside container and the machine on which that container is running. I don't want to do that.
Create a docker group, as described here. You do need to be superuser to add yourself.
I'm running a gitlab/gitlab-ce container on docker. Then, inside it, I want to run a gitlab-runner service, by providing docker as runner. And for every single command that I run (e.g. docker ps, docker container ..), I get this error:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running
P.S.: I've tried service docker restart, and reinstalling docker and gitlab-runner.
By default it is not possible to run docker-in-docker (as a security measure).
You can run your Gitlab container in privileged mode, mount the socket (-v /var/run/docker.sock:/var/run/docker.sock) and try again.
Also, there is a docker-in-docker image that has been modified for docker-in-docker usage. You can read up on it here and create your own custom gitlab/gitlab-ce image.
In both cases, the end result will be the same, as docker-in-docker isn't really docker-in-docker but lets you manage the host's docker-engine from within a docker container. So just running the Gitlab-ci-runner docker image on the same host has the same result and is a lot easier.
By default the docker container running gitlab does not have access to your docker daemon on your host. The docker client uses a socket connection to communicate to the docker daemon. This socket is not available in your container.
You can use a docker volume to make the socket of your host available in the container:
docker run -v /var/run/docker.sock:/var/run/docker.sock gitlab/gitlab-ce
Afterwards you will be able to use the docker client in your container to communicate with the docker daemon on the host.
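As the answers above note, a container started with --privileged or with the host's docker.sock mounted can manage the host's Docker engine, so it is worth knowing which containers have that reach. The following is an added example, not part of the original answers: it audits `docker inspect` JSON for both conditions, using a constructed sample and hypothetical names (`SAMPLE_INSPECT`, `SOCKET_PATHS`, `audit`).

```python
import json

# Constructed sample: trimmed `docker inspect` output for three containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/gitlab",
   "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]},
  {"Name": "/dind",
   "HostConfig": {"Privileged": true},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/dind/_data",
               "Destination": "/var/lib/docker", "RW": true}]},
  {"Name": "/web",
   "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/srv/www",
               "Destination": "/usr/share/nginx/html", "RW": false}]}
]
""")

# Host-side socket locations to flag (assumption: default daemon socket paths).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit(containers):
    """Return {container name: [findings]} for containers with host-level reach."""
    report = {}
    for c in containers:
        findings = []
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append("privileged")
        for m in c.get("Mounts") or []:
            if m.get("Source") in SOCKET_PATHS:
                mode = "rw" if m.get("RW") else "ro"
                findings.append(f"docker socket mounted at {m['Destination']} ({mode})")
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host, the same function can be fed the parsed output of `docker inspect $(docker ps -q)`.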
I'm trying to run a Java application in a docker container. The application also communicates with docker. So I used docker:latest image and installed the openjdk. Now when I am running the container in interactive mode (privileged) I get the error Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? when I input any docker command on the command line.
I run the container with docker run --privileged -ti con_name
Have you gone through this link? In there it's mentioned that /var/lib/docker needs to be a volume. In your docker run command, you are not mentioning any volumes. You might give this page a read and make sure everything is correct.
the scenario: I have a host that has a running docker daemon and a working docker client and socket. I have 1 docker container that was started from the host and has a docker socket mounted within it. It also has a mounted docker client from the host. So I'm able to issue docker commands at will from within this docker container using the aforementioned mechanism.
the need: I want to start another docker container from within this docker container; in other words, I want to start a sibling docker container from another sibling docker container.
the problem: A problem arises when I want to mount files that live inside the host filesystem to the sibling container that I want to spin up from the other docker sibling container. It is a problem because when issuing docker run, the docker daemon mounted inside the docker container is really watching the host filesystem. So I need access to the host file system from within the docker container which is trying to start another sibling.
In other words, I need something along the lines of:
# running from within another docker container:
docker run --name another_sibling \
-v {DockerGetHostPath: path_to_host_file}:path_inside_the_sibling \
bash -c 'some_exciting_command'
Is there a way to achieve that? Thanks in advance.
Paths are always on the host, it doesn't matter that you are running the client remotely (or in a container).
Remember: the docker client is just a REST client, the "-v" is always about the daemon's file system.
There are multiple ways to achieve this.
You can always make sure that each container mounts the correct host directory
You can use --volumes-from, i.e.:
docker run -it --volumes-from=keen_sanderson --entrypoint=/bin/bash debian
--volumes-from Mount volumes from the specified container(s)
You can use volumes
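Because `-v` paths are resolved on the daemon's filesystem, a container that wants to share one of its own files with a sibling first has to translate its in-container path to the host-side path. The following is an added example, not part of the original answer: it does that translation from the `Mounts` array of `docker inspect` for the calling container, using a constructed sample and hypothetical names (`SAMPLE_MOUNTS`, `host_path`, `sibling_volume_arg`).

```python
import json
import posixpath

# Constructed sample: the "Mounts" array from `docker inspect <this container>`.
SAMPLE_MOUNTS = json.loads("""
[
  {"Type": "bind", "Source": "/var/run/docker.sock",
   "Destination": "/var/run/docker.sock"},
  {"Type": "bind", "Source": "/home/ci/workspace", "Destination": "/work"},
  {"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data",
   "Destination": "/work/cache"}
]
""")


def host_path(mounts, container_path):
    """Translate a path inside this container to the daemon-side (host) path.

    Picks the mount with the longest matching Destination; returns None when
    the path lives only in the container's own filesystem layer.
    """
    path = posixpath.normpath(container_path)  # also collapses ".." segments
    best, best_dest = None, ""
    for m in mounts:
        dest = posixpath.normpath(m["Destination"])
        # Match whole path components only, so /workspace does not match /work.
        if path == dest or path.startswith(dest.rstrip("/") + "/"):
            if best is None or len(dest) > len(best_dest):
                best, best_dest = m, dest
    if best is None:
        return None
    rel = posixpath.relpath(path, best_dest)
    return best["Source"] if rel == "." else posixpath.join(best["Source"], rel)


def sibling_volume_arg(mounts, container_path, target):
    """Build the -v value for a sibling container, or raise if not host-backed."""
    src = host_path(mounts, container_path)
    if src is None:
        raise ValueError(f"{container_path} is not backed by a host mount")
    return f"{src}:{target}"
```

Paths that normalise to somewhere outside every mount return None rather than a guessed host path, so a file that exists only in the container's own layer is never passed to the daemon as if it were on the host.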
I've installed CoreOS on bare metal (dedicated 16GB, 4-core Atom). Docker is running, and despite the fact that simple bash instructions run properly, when launching dockerui images downloaded from the hub I get the /var/run/docker.sock not found.
The sock file is present and docker daemon is running. When launching docker daemon in interactive shell I get no error from the daemon; but the error is coming from the client requesting running the image.
I bet the container you downloaded expects the docker socket to be mounted in as a volume, so that I can control it or issue docker commands.
Check that the docs you are following don't have docker run -v flag in them.