If you are containerising PHP applications you might want to run another containerised application from within your container, that is, run a Docker application or command from inside a Docker container. Your app might be encoding media on the fly in response to ajax requests using ffmpeg, and you do not want to compile or install ffmpeg in the container that runs your app. It would be useful to run a containerised ffmpeg from within that container instead.
This is only quasi docker-in-docker: we are not starting a second Docker daemon inside the container, we are talking to the host's daemon from inside a container, so the containers we launch are siblings of our own, created and managed by the host.
Still with me? Good!
We give the container access to the host's Docker socket by bind-mounting it as a volume (in this case /var/run/docker.sock). Be clear about what this grants: anything that can write to that socket can ask the daemon to start a container with the host's root filesystem mounted, so access to the socket is equivalent to root on the host. Only do this for an application you would trust with root on the host.
volumes:
  - /var/run/docker.sock:/var/run/docker.sock
If we install the Docker client binary in the container we can now run docker commands against the host daemon, for example:
root@53f93be9ebbf:/# docker ps
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS          PORTS   NAMES
53f93be9ebbf   trusty_ubuntu   "/bin/bash"   18 seconds ago   Up 17 seconds           ...
We are running docker ps as root; the problems start when you try to run docker as another user, for example www-data (the user the web server, and therefore your PHP code, runs as).
root@53f93be9ebbf:/# sudo -u www-data docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.26/containers/json: dial unix /var/run/docker.sock: connect: permission denied
We get a dial unix /var/run/docker.sock: connect: permission denied error. Even if you add www-data to a docker group in the container the permission problem persists, because that group does not have the numeric id that owns the socket.
If you take a look at /var/run/docker.sock in the container you will see the problem:
root@53f93be9ebbf:/# ls -al /var/run/docker.sock
srw-rw---- 1 root 999 0 Jan 26 08:55 /var/run/docker.sock
The container shows the group owner of docker.sock as a bare id of 999: a bind mount carries the host's numeric uid and gid with it, and no group with that id exists in the container's /etc/group, so ls has no name to print. The kernel only compares numeric ids when it checks the socket's permissions; the names are just whatever the container's /etc/group maps them to. So we need a group in the container whose gid matches the gid of the docker group on the host. Note that 999 is simply what it was on this host; check the socket's numeric group on yours, and if that gid is already taken by another group in your image, add www-data to that existing group instead, since two groups cannot share a gid. On a Debian-based image the commands are:
addgroup --gid 999 docker
usermod -aG docker www-data
The docker group now has the id 999 and www-data is a member; the group on docker.sock now resolves to a name in the container:
root@53f93be9ebbf:/# ls -al /var/run/docker.sock
srw-rw---- 1 root docker 0 Jan 26 08:55 /var/run/docker.sock
And we can now execute docker ps as www-data:
root@53f93be9ebbf:/# sudo -u www-data docker ps
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS          PORTS   NAMES
53f93be9ebbf   trusty_ubuntu   "/bin/bash"   11 minutes ago   Up 11 minutes           ...
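The gid of the socket is whatever the host's docker group happens to have, so baking 999 into an image breaks on the next host. The following entrypoint helper is an added example, not code from the original post: it reads the numeric gid off the mounted socket at container start, reuses an existing group if that gid is already taken in the image, creates a docker group otherwise, and adds the web user. It assumes a Debian-style image (groupadd, usermod, getent), that it runs as root before the web server starts, and the hypothetical DOCKER_SOCK and APP_USER environment variables and "setup" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example: map the bind-mounted Docker socket's numeric gid to a group
# in the container and add the web user to it, instead of hard-coding 999.
# Assumes a Debian-style image (groupadd/usermod/getent), GNU or busybox
# stat, and that this runs as root before the web server is started.
set -eu

SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"   # assumed env var name
APP_USER="${APP_USER:-www-data}"              # assumed env var name

# Numeric gid owning the socket. The mount brings the host's ids with it,
# so this is the HOST docker group's gid, not anything from /etc/group here.
socket_gid() {
    stat -c %g "$1"
}

# Name of the container-side group that already has this gid, or nothing.
# The kernel compares numbers only; the name is whatever the container's
# /etc/group maps it to, and the gid may already belong to another group.
group_name_for_gid() {
    getent group "$1" | cut -d: -f1
}

# Make $2 a member of a group with gid $1. Reuse an existing group when the
# gid is taken (two groups cannot share a gid); otherwise create "docker".
# Prints the name of the group that was used.
grant_socket_access() {
    gid="$1"; user="$2"
    group="$(group_name_for_gid "$gid")"
    if [ -z "$group" ]; then
        group=docker
        groupadd -g "$gid" "$group"
    fi
    usermod -aG "$group" "$user"
    echo "$group"
}

main() {
    if [ ! -S "$SOCK" ]; then
        echo "no Docker socket at $SOCK; is it bind-mounted?" >&2
        exit 1
    fi
    # The group trick only helps if the socket is group rw (srw-rw----).
    perms="$(stat -c %A "$SOCK")"
    case "$perms" in
        ???rw*) ;;
        *) echo "socket $SOCK is $perms; group has no rw access" >&2; exit 1 ;;
    esac
    gid="$(socket_gid "$SOCK")"
    group="$(grant_socket_access "$gid" "$APP_USER")"
    echo "$APP_USER added to group $group (gid $gid) for $SOCK"
}

# Only run the setup when invoked as "entrypoint.sh setup", so the functions
# can also be sourced and tested on their own.
if [ "${1:-}" = "setup" ]; then
    main
fi
```

Run it once as root at container start (before dropping to www-data) and it replaces the hard-coded addgroup line; nothing here narrows what the web user may then do with the socket, it only makes the mapping portable.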
Or run a containerised ffmpeg, here cutting a five-second GIF out of a film on archive.org:
sudo -u www-data docker run jrottenberg/ffmpeg -stats \
  -i http://archive.org/download/thethreeagesbusterkeaton/Buster.Keaton.The.Three.Ages.ogv \
  -loop 0 \
  -final_delay 500 -c:v gif -f gif -ss 00:49:42 -t 5 - > trow_ball.gif
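Once request data from an ajax call decides what that command line contains, the URL, start time and duration are attacker-controlled arguments to a process that www-data runs with full access to the host daemon. The wrapper below is an added example, not part of the original post, of the fixed-purpose script the PHP code should call instead of assembling docker run itself: it whitelists each parameter (ffmpeg's -i also accepts file:, concat: and other schemes, so only plain http(s) URLs pass), then runs the same jrottenberg/ffmpeg image with dropped capabilities, a non-root user, a read-only filesystem, resource limits and a wall-clock bound. The image name is the page's; the validation limits, the "encode" argument and the 30-second cap are this example's own choices, and it assumes POSIX sh with grep -E and coreutils timeout.

```shell
#!/bin/sh
# Added example: a fixed-purpose wrapper that is the only thing the PHP app
# calls. It validates every request-controlled value before it becomes an
# argument and runs the ffmpeg image with the privileges it needs and no more.
# Assumes the jrottenberg/ffmpeg image from the page, POSIX sh, grep -E and
# coreutils timeout. Limits and the "encode" argument are this example's own.
set -eu

IMAGE="jrottenberg/ffmpeg"

# Only plain http(s) URLs. ffmpeg's -i also accepts file:, concat:, subfile:
# and other schemes, so a value that is not an http(s) URL must never reach it.
valid_url() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+$'
}

# HH:MM:SS only, so the value can never be parsed as an option or expression.
valid_timestamp() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{2}:[0-5][0-9]:[0-5][0-9]$'
}

# Clip length: a plain integer between 1 and 30 seconds.
valid_duration() {
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]?$' && [ "$1" -le 30 ]
}

# Validate all three inputs; non-zero on the first bad one.
validate_request() {
    valid_url "$1" && valid_timestamp "$2" && valid_duration "$3"
}

# Run the hardened container; the GIF is written to stdout.
#   --rm                  no leftover container per request
#   --user 65534          ffmpeg does not run as root inside the container
#   --cap-drop=ALL        decoding media needs no capabilities
#   no-new-privileges     setuid binaries in the image cannot escalate
#   --read-only/--tmpfs   immutable image filesystem, scratch space in memory
#   --pids-limit/--memory bound what a hostile input file can consume
#   timeout               bound wall-clock time; docker run forwards the
#                         SIGTERM to ffmpeg, -k kills the client if it hangs
encode_gif() {
    url="$1"; start="$2"; seconds="$3"
    validate_request "$url" "$start" "$seconds" || {
        echo "rejected request parameters" >&2; return 1; }
    timeout -k 5 120 docker run --rm \
        --user 65534:65534 \
        --cap-drop=ALL --security-opt=no-new-privileges \
        --read-only --tmpfs /tmp \
        --pids-limit 64 --memory 512m \
        "$IMAGE" -nostdin -loglevel error \
        -ss "$start" -i "$url" -t "$seconds" \
        -loop 0 -final_delay 500 -c:v gif -f gif -
}

# Usage: make_gif.sh encode URL HH:MM:SS SECONDS > out.gif
if [ "${1:-}" = "encode" ]; then
    shift
    encode_gif "$@"
fi
```

This narrows the intended path only: www-data can still invoke docker directly, and nothing in the group setup stops it, so the wrapper reduces what a bug in the media feature can do, not what a compromised www-data account can do.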
I can now exec docker run from the PHP code of the container app and run other containerised apps in response to ajax requests. Bear in mind what that means: www-data now has unrestricted access to the host's Docker daemon, which is root-equivalent on the host, and the group change does nothing to limit which docker commands it may run. Any way of getting a command executed as www-data, whether a code-execution or command-injection bug in the PHP app or a compromised dependency, therefore yields root on the host rather than just a compromised web container. So keep request data out of the command line, leave the socket mount off any image that does not need it, and treat the web container as host-trusted. You can add the group change and install the docker client in the container with the following in your Dockerfile. Two caveats: the build URL below is the one the post used (the v1.26 API in the error above dates it to Docker 1.13); Docker's static binaries are now published under https://download.docker.com/linux/static/stable/x86_64/, and whichever you use, pin a version and verify the tarball's checksum rather than pulling whatever is latest. The addgroup line also bakes this host's gid of 999 into the image, which only works on hosts whose docker group has that id.
# >>> DOCKER IN DOCKER
RUN set -x \
    && cd /tmp \
    && curl -L -o docker-latest.tgz https://get.docker.com/builds/Linux/x86_64/docker-latest.tgz \
    && gzip -d docker-latest.tgz \
    && tar -xvf docker-latest.tar \
    && mv /tmp/docker/docker /usr/local/bin \
    && rm -rf /tmp/docker docker-latest.tar \
    && addgroup --gid 999 docker \
    && usermod -aG docker www-data