Can anyone explain docker.sock

Docker

Docker Problem Overview


I am trying to understand the actual reason for mounting docker.sock in a docker-compose.yml file. Is it for auto-discovery?

volumes:
  - /var/run/docker.sock:/var/run/docker.sock

Docker Solutions


Solution 1 - Docker

docker.sock is the UNIX socket that the Docker daemon is listening on. It's the main entry point for the Docker API. It can also be a TCP socket, but for security reasons Docker defaults to using the UNIX socket.

The Docker CLI client uses this socket by default to execute docker commands. You can override these settings as well.

There might be different reasons why you may need to mount the Docker socket inside a container, like launching new containers from within another container, or for auto service discovery and logging purposes. This increases the attack surface, so if you mount the Docker socket inside a container you should be careful that only trusted code runs inside that container; otherwise you can simply compromise the host that is running the Docker daemon, since Docker by default launches all containers as root.

The Docker socket has a docker group in most installations, so users within that group can run docker commands against the Docker socket without root permission, but the actual Docker containers still get root permission since the Docker daemon effectively runs as root (it needs root permission to access namespaces and cgroups).

I hope it answers your question.

More info: https://docs.docker.com/engine/reference/commandline/dockerd/#examples

Solution 2 - Docker

I know it is a bit late, but I hope my answer will give many insights.

> Let me first talk about Unix Sockets

The term Sockets commonly refers to IP Sockets. These are the ones that are bound to a port (and address), that we send TCP requests to, and get responses from.

Another type of Socket is a Unix Socket, these sockets are used for IPC (Interprocess Communication). They’re also called Unix Domain Sockets (UDS). Unix Sockets use the local filesystem for communication, while IP Sockets use the network.

The Docker daemon can listen for Docker Engine API requests via three different types of Socket: unix, tcp, and fd.

By default, a unix domain socket (or IPC socket) is created at /var/run/docker.sock.

Let us see some live examples:

Docker Server uses this socket to listen to the REST API, and the clients use the socket to send API requests to the server.

> curl can talk to a Unix Socket via the --unix-socket flag. Since Docker Server API is exposed as REST, we'd need to send commands over HTTP. Also, as this server is local (remember, the file system), we can pass any hostname in the URL (or stick to the localhost, that will work fine too!). The server does not care about the hostname, just the path.

curl --unix-socket /var/run/docker.sock http://localhost/images/json | jq

[
  {
    "Containers": -1,
    "Created": 1525888860,
    "Id": "sha256:24a77bfbb9ee3aeef9e24766ad6e9fa57f85c67596f154e8916e4f314067e149",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": [
      "postgres@sha256:b06cdddba62f1550a1c674270814e72eaa8734d95912019b4ddc288b650ad67d"
    ],
    "RepoTags": null,
    "SharedSize": -1,
    "Size": 39507096,
    "VirtualSize": 39507096
  }
]

Some commands:

> You can do a lot of stuff with docker.sock

Check out this beautiful article.
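As an added example (not code from any of the answers above), the following Python script does from the defender's side what Solution 1 and Solution 2 describe: it talks to the Engine REST API over /var/run/docker.sock using only the standard library, and lists the running containers that have the daemon socket bind-mounted into them, which is the risk Solution 1 warns about. The /containers/json sample is constructed, not captured; the live query assumes a reachable daemon socket.

```python
import http.client
import json
import socket

# Constructed sample of GET /containers/json output (not captured from a real host).
SAMPLE = json.loads('''[{"Names": ["/epic_elion"], "Image": "docker", "Mounts": [{"Type": "bind",
  "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": true}]},
 {"Names": ["/zealous_wilson"], "Image": "ubuntu", "Mounts": []}]''')
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")  # default path and its symlink target


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection whose transport is a Unix socket; the daemon ignores the host name."""

    def __init__(self, sock_path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)


def docker_get(path, sock_path="/var/run/docker.sock"):
    """GET an Engine API path over the socket and decode the JSON body."""
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{path}: HTTP {resp.status} {body[:200]!r}")
    return json.loads(body)


def exposes_socket(mount):
    """True if a bind mount's host source is the socket itself or a directory above it."""
    src = mount.get("Source", "")
    if mount.get("Type", "bind") != "bind" or not src:
        return False
    src = src.rstrip("/") + "/"            # "/var/run" -> "/var/run/", "/" stays "/"
    return any(p == src[:-1] or p.startswith(src) for p in SOCKET_PATHS)


def socket_mounts(containers):
    """Names of containers that can reach the daemon socket (root-equivalent on the host)."""
    return [c["Names"][0].lstrip("/") for c in containers
            if any(exposes_socket(m) for m in c.get("Mounts", []))]


if __name__ == "__main__":
    print(socket_mounts(SAMPLE))  # -> ['epic_elion']; socket_mounts(docker_get("/containers/json")) audits the live host
```

A mount of a parent directory such as /var/run or / also exposes the socket, so the check matches on the host-side path prefix rather than on the path inside the container.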

Solution 3 - Docker

It basically exposes the host Docker daemon to the container, so you can invoke the Docker API/client from your container to start/stop/build images/containers, just like calling those commands directly on the host.

Solution 4 - Docker

When you install Docker on a machine, two different programs come in:

  • Docker Client
  • Docker Server

Docker Server receives commands over a socket (either over a network or through a "file").

Docker Client communicates over a network and sends messages to the Docker server to say make a container, start a container, stop a container, etc.

When the client and server are running on the same computer, they can connect through a special file called a socket. And since they can communicate through a file and Docker can efficiently share files between hosts and containers, it means you can run the client inside Docker itself.

Here is a sample:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock docker sh

This command creates a container that has the Docker client installed within it. And check the volume part: -v /var/run/docker.sock:/var/run/docker.sock

With the -v flag it shares the host docker.sock file, so you can manipulate the containers on the host from within a container.

/ # docker run --rm -it ubuntu bash --> Creates a new container from within a container

Run docker ps on the host terminal.

CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS     NAMES
0f9e333b59fe   ubuntu    "bash"                   5 seconds ago    Up 4 seconds              zealous_wilson
b4a8af31416b   docker    "docker-entrypoint.s…"   16 minutes ago   Up 16 minutes             epic_elion

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type         Original Author
Question             uzubair
Solution 1 - Docker  Boynux
Solution 2 - Docker  Narendranath Reddy
Solution 3 - Docker  engineer
Solution 4 - Docker  Muhammed Ozdogan