<?xml version="1.0" encoding="ISO-8859-15"?>
<rss version="2.0"><channel>
<title>how to run a virtual server style docker container with access to host docker</title>
<link>http://sange.fi/~atehwa/cgi-bin/piki.cgi/</link>
<description>Recent changes in how to run a virtual server style docker container with access to host docker</description>
<item><title>how to run a virtual server style docker container with access to host docker</title>
<link>http://sange.fi/~atehwa/cgi-bin/piki.cgi/how%20to%20run%20a%20virtual%20server%20style%20docker%20container%20with%20access%20to%20host%20docker</link>
<guid>http://sange.fi/~atehwa/cgi-bin/piki.cgi/#1471106660</guid>
<description>&lt;p&gt;&lt;ins&gt;(web diary 10.08.2016) I decided to document the solution 
to a problem I tackled today, since I couldn't find any solution by 
googling. The problem manifests itself when you're running a full 
systemd within a container (at least with Centos 7) '''and''' you want 
to access the host Docker from the systemd-container.&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;The problem is that upon bootup/initialisation, systemd seems 
to mess up /var/run so that docker volume mount -v 
/var/run/docker.sock:/var/run/docker.sock gets purged. So here's what 
you have to do if you want to run a virtualhost-like full systemd 
environment within a container and access the host's dockerd from 
within that container:&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;!!! Create a systemd-enabled version of some standard 
image&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;For Centos 7, the following Dockerfile gives you one: {{{
FROM centos:7
# systemd-enabled Centos7 image, as per:
# https://hub.docker.com/_/centos/ section "Systemd integration"
ENV container=docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; \
for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
}}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;If you also want to run sshd in the container so that you can 
connect to the container, run {{{ ssh-keygen -N '' -f id_rsa }}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;and append the following lines to your Dockerfile: {{{
# https://github.com/CentOS/CentOS-Dockerfiles/blob/master/ssh/centos7/Dockerfile
RUN yum -y install openssh-server &amp;&amp; yum clean all
RUN mkdir /var/run/sshd &amp;&amp; ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
COPY id_rsa.pub /root/.ssh/authorized_keys
RUN chmod -R go= /root/.ssh
}}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;Build your image by running (in the directory where you have 
the Dockerfile and id_rsa.pub):
{{{ docker build -t local/my-systemd-image . }}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;!!! Run the container in privileged mode and with docker socket 
mounted&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;Start the container in background mode, since its pid 1 is a 
real init (which doesn't do anything useful interactively): {{{
docker run -d --privileged=true -v /var/run/docker.sock:/var/tmp/docker.sock \
-p 22222:22 --name=mycont local/my-systemd-image
}}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;The important things here are to '''not''' mount docker.sock 
under /var/run, and to run the container in privileged mode, since 
otherwise systemd won't start up properly.&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;You can access the container with docker:
{{{ docker exec -it mycont bash }}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;... or, if you enabled sshd in the container, by ssh:
{{{ ssh -o StrictHostKeyChecking=no -i id_rsa -p 22222 root@localhost }}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;!!! Use the non-standard docker.sock location&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;Directly, from the command line within the container: {{{
docker -H unix:///var/tmp/docker.sock ps # shows e.g. the container itself
}}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;Set up the environment so that docker from all shells will 
contact the right socket: create /etc/profile.d/docker.sh containing
{{{ export DOCKER_HOST=unix:///var/tmp/docker.sock }}}&lt;/ins&gt; 

&lt;p&gt;&lt;ins&gt;* [entry: 2016-08] * [atehwa] * [category: diary entry]&lt;/ins&gt;

</description>
<pubDate>Sat, 13 Aug 2016 16:44:20 +0000</pubDate>
</item>

</channel></rss>
