Running Docker Apps in Docker Containers – docker in docker permissions

created March 17, 2017, last updated March 17, 2017.


If you are looking at containerising PHP applications you might want to run another containerised application from within your container – run a docker application or command in a docker container. Your native app might be encoding media on the fly via ajax requests using ffmpeg and you do not want to compile or install ffmpeg in your containerised app. It would be useful to run a containerised ffmpeg version within the container.

This is kind of a quasi docker in docker because we are not trying to create dockerised containers within a container, rather run a docker app from the docker host within a docker container.

Still with me? Good!

We give our container access to the host docker socket by sharing a volume (in this case docker.sock) with the container:

  volumes:
      - /var/run/docker.sock:/var/run/docker.sock

If we install the docker binaries within the container we can now run docker commands on the host i.e.:

root@53f93be9ebbf:/# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
53f93be9ebbf trusty_ubuntu "/bin/bash" 18 seconds ago Up 17 seconds...

We are running docker ps as root; the problems start when you try and run docker as another user, for example www-data.

root@53f93be9ebbf:/# sudo -u www-data docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.26/containers/json: dial unix /var/run/docker.sock: connect: permission denied

We get a dial unix /var/run/docker.sock: connect: permission denied error.

Even if you create a docker group in the container and add www-data to it, the permission problem persists.

If you take a look at /var/run/docker.sock in the container you will see the problem:

root@53f93be9ebbf:/# ls -al /var/run/docker.sock
srw-rw---- 1 root 999 0 Jan 26 08:55 /var/run/docker.sock

The container shows the group permissions for docker.sock (from the host) set to a group with an id of 999, and this group id does not exist in the container. We need to make sure the group id of the docker group in the container matches the group id of the docker group on the host:

addgroup --gid 999 docker
usermod -aG docker www-data

The docker group now has the id of 999 and www-data is a member; the permissions in the container for docker.sock now look like this:

root@53f93be9ebbf:/# ls -al /var/run/docker.sock
srw-rw---- 1 root docker 0 Jan 26 08:55 /var/run/docker.sock

And we can now execute docker ps as www-data:

root@53f93be9ebbf:/# sudo -u www-data docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
53f93be9ebbf trusty_ubuntu "/bin/bash" 11 minutes ago Up 11 minutes ...
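The two commands above only work because 999 happens to be the docker group's GID on this particular host; a different host (or a base image that already uses GID 999 for something else) breaks it. The following entrypoint helper is an added example, not code from the original post: it reads the GID that actually owns the mounted socket, reuses an existing container group with that GID if there is one, and otherwise creates the docker group with the right GID before adding the app user to it. Whichever group ends up owning access can drive the host daemon, so the script prints that group name and refuses a socket that is group-owned by root. It assumes a Debian/Ubuntu-style image with addgroup, usermod and GNU stat; the variables DOCKER_SOCK, APP_USER and DRY_RUN and the fallback group name dockersock are this example's own.

```shell
#!/bin/sh
# Container entrypoint helper: align the container's docker group with the GID
# that owns the bind-mounted docker.sock, instead of hardcoding 999.
# Assumptions (this example's own, not from the post): Debian/Ubuntu-style
# image with addgroup/usermod and GNU stat; socket path, app user and
# dry-run switch come from the variables below.
set -eu

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
APP_USER="${APP_USER:-www-data}"
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or only show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*" >&2
    else
        "$@"
    fi
}

# Print the numeric GID that group-owns a path (the host's docker GID when the
# path is the mounted socket).
socket_gid() {
    stat -c '%g' "$1"
}

# Print the container-side group name for a GID, or nothing if no group in
# /etc/group has that GID (the situation the post's "ls -al" shows as 999).
group_name_for_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1 }' /etc/group
}

# Give a user access to the socket through membership in whichever group owns
# it, and print that group's name. A socket group-owned by gid 0 is refused:
# "matching" it would mean putting the app user in the root group.
grant_socket_access() {
    sock="$1"
    user="$2"
    gid="$(socket_gid "$sock")"
    if [ "$gid" -eq 0 ]; then
        echo "$sock is group-owned by gid 0; not adding $user to root" >&2
        return 1
    fi
    grp="$(group_name_for_gid "$gid")"
    if [ -z "$grp" ]; then
        # No container group has this GID yet: create one, as the post does.
        grp=docker
        if grep -q "^$grp:" /etc/group; then
            # "docker" already exists with a different GID; use another name.
            grp=dockersock
        fi
        run addgroup --gid "$gid" "$grp"
    fi
    # Membership in this group is what lets the user talk to the host daemon.
    run usermod -aG "$grp" "$user"
    echo "$grp"
}

# Usage as an entrypoint: entrypoint.sh apply php-fpm
# Without "apply" the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
    shift
    grant_socket_access "$DOCKER_SOCK" "$APP_USER" >/dev/null
    exec "$@"
fi
```

Running it with DRY_RUN=1 prints the addgroup/usermod commands it would execute without changing anything, which is a convenient way to check on a new host which GID the socket carries and which container group (if any) already has it before baking anything into an image.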

Or run a containerised version of ffmpeg:

sudo -u www-data docker run jrottenberg/ffmpeg -stats \
 -i http://archive.org/download/thethreeagesbusterkeaton/Buster.Keaton.The.Three.Ages.ogv \
 -loop 0 \
 -final_delay 500 -c:v gif -f gif -ss 00:49:42 -t 5 - > trow_ball.gif

I can now call docker run from the PHP code of the container app and run other containerised apps via ajax requests. You can add the group changes and install the docker binaries in the container using the following in your Dockerfile.

# >>> DOCKER IN DOCKER
# Installs only the docker client binary; the daemon stays on the host and is
# reached through the bind-mounted /var/run/docker.sock.
# 999 is the docker group's GID on this host (see the ls -al output above);
# check yours with "getent group docker" or "stat -c %g /var/run/docker.sock".
RUN set -x \
    && cd /tmp \
    && curl -L -o docker-latest.tgz https://get.docker.com/builds/Linux/x86_64/docker-latest.tgz \
    && gzip -d docker-latest.tgz \
    && tar -xvf docker-latest.tar \
    && mv /tmp/docker/docker /usr/local/bin \
    && rm -rf /tmp/docker docker-latest.tar \
    && addgroup --gid 999 docker \
    && usermod -aG docker www-data
