
hwechtla-tl: How to run a virtual-server-style docker container with access to the host docker



(web diary 10.08.2016) I decided to document the solution to a problem I tackled today, since I couldn't find any solution by googling. The problem shows up when you run a full systemd inside a container (at least with Centos 7) and want to reach the host's Docker from that systemd container.

The problem is that during boot/initialisation systemd sets up /var/run afresh, so a docker volume mount of the form -v /var/run/docker.sock:/var/run/docker.sock is purged and the socket is gone by the time you log in. So here's what you have to do if you want to run a virtual-server-like full systemd environment within a container and still reach the host's dockerd from within it:

Create a systemd-enabled version of some standard image

For Centos 7, you get this by this Dockerfile:

FROM centos:7
# systemd-enabled Centos7 image, as per:
# https://hub.docker.com/_/centos/ section "Systemd integration"
ENV container=docker
RUN (cd /lib/systemd/system/sysinit.target.wants/; \
  for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
  rm -f /lib/systemd/system/multi-user.target.wants/*;\
  rm -f /etc/systemd/system/*.wants/*;\
  rm -f /lib/systemd/system/local-fs.target.wants/*; \
  rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
  rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
  rm -f /lib/systemd/system/basic.target.wants/*;\
  rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]

If you also want to run sshd in the container so that you can connect to it over ssh, generate a key pair (this creates id_rsa and id_rsa.pub in the current directory; the empty -N '' passphrase means anyone holding the id_rsa file can log in as root in the container):

ssh-keygen -N '' -f id_rsa

and append the following lines to your Dockerfile:

# https://github.com/CentOS/CentOS-Dockerfiles/blob/master/ssh/centos7/Dockerfile
RUN yum -y install openssh-server && yum clean all
RUN mkdir /var/run/sshd && ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
COPY id_rsa.pub /root/.ssh/authorized_keys
RUN chmod -R go= /root/.ssh

Build your image by running (in the directory where you have the Dockerfile and id_rsa.pub):

docker build -t local/my-systemd-image .

Run the container in privileged mode and with docker socket mounted

Start the container in background mode, since its pid 1 is a real init (which doesn't do anything useful interactively):

docker run -d --privileged=true -v /var/run/docker.sock:/var/tmp/docker.sock \
  -p 22222:22 --name=mycont local/my-systemd-image

Two things matter here: do not mount docker.sock anywhere under /var/run (systemd replaces that directory at boot, as described above), and run the container in privileged mode, since otherwise systemd won't start up properly. Note that either of these on its own makes the container effectively root on the host: a privileged container has all capabilities and access to host devices, and anyone who can talk to the host's dockerd can start arbitrary privileged containers. Treat this container as part of the host's trust boundary, and give ssh access to it only to people you would let onto the host.

You can access the container with docker:

docker exec -it mycont bash

... or, if you enabled sshd in the container, by ssh (StrictHostKeyChecking=no skips host-key verification; that is tolerable for a container on localhost whose host key is regenerated at every image build, but don't carry the option over to remote hosts):

ssh -o StrictHostKeyChecking=no -i id_rsa -p 22222 root@localhost

Use the non-standard docker.sock location

Directly, from the command line within the container (this needs the docker client installed in the container image; the Dockerfile above does not add it):

docker -H unix:///var/tmp/docker.sock ps   # shows e.g. the container itself

To set up the environment so that docker invoked from any login shell contacts the right socket, create /etc/profile.d/docker.sh containing

export DOCKER_HOST=unix:///var/tmp/docker.sock
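The following script is an added example (not from the original post) that pulls the three steps above together: it validates the in-container mount target for the host socket before composing the docker run command, derives the matching DOCKER_HOST line for /etc/profile.d/docker.sh, and gives an in-container check that fails cleanly when the socket has been purged. The function names are mine; the image name, container name, port and socket paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: guard against the /var/run pitfall described above.

# Return 0 if CONTAINER_PATH is a safe place for the host docker socket,
# 1 if it lives under /var/run or /run (systemd sets those up afresh at
# boot, so a socket bind-mounted there disappears) or is not absolute.
socket_target_ok() {
    case "$1" in
        /var/run|/var/run/*|/run|/run/*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the DOCKER_HOST value for a given in-container socket path.
docker_host_for() {
    printf 'unix://%s\n' "$1"
}

# Print (dry run, not execute) the docker run command from the page for a
# given in-container socket path, container name and image, refusing
# targets that systemd would purge.
systemd_container_cmd() {
    sock="$1"; name="$2"; image="$3"
    socket_target_ok "$sock" || {
        printf 'refusing: %s is under /var/run or /run and would be purged by systemd\n' "$sock" >&2
        return 1
    }
    printf 'docker run -d --privileged=true -v /var/run/docker.sock:%s -p 22222:22 --name=%s %s\n' \
        "$sock" "$name" "$image"
}

# Content for /etc/profile.d/docker.sh inside the container.
profile_snippet() {
    printf 'export DOCKER_HOST=%s\n' "$(docker_host_for "$1")"
}

# Run inside the container: verify the socket survived boot, and, if the
# docker client is installed, that the host dockerd answers on it.
in_container_check() {
    sock="$1"
    [ -S "$sock" ] || {
        printf 'no socket at %s (purged by systemd or not mounted)\n' "$sock" >&2
        return 1
    }
    if command -v docker >/dev/null 2>&1; then
        docker -H "$(docker_host_for "$sock")" ps >/dev/null || return 1
    fi
    return 0
}

# Dry-run usage on the host: show the run command and the profile snippet.
systemd_container_cmd /var/tmp/docker.sock mycont local/my-systemd-image
profile_snippet /var/tmp/docker.sock
```

Running the script on the host only prints the commands; copy them, or source the file and call in_container_check /var/tmp/docker.sock from inside the container once it has booted.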

(last modified 13.08.2016 19:44)