Docker-outside-of-Docker (DooD) can't connect to socket / docker outside
Description
I was trying to run DooD in macOS running Docker Desktop and running a container where I mount the docker socket but I can't get it to work.
Reproduce
Run DooD with the docker image:
$ docker run \
--rm \
--volume /Users/jjmaestro/.docker/run/docker.sock:/var/run/docker.sock \
docker version
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Client:
Version: 27.1.1
API version: 1.46
Go version: go1.21.12
Git commit: 6312585
Built: Tue Jul 23 19:55:52 2024
OS/Arch: linux/arm64
Context: default
Just in case, I've also tried with other custom images where I change permissions to the socket (chmod 777), change ownership (chown root:docker), making sure there's no DOCKER_HOST environment variable set, and that the context is the default one, and running --privileged. Nothing works.
Expected behavior
I shouldn't get a "Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?" error; it should be able to connect to the outside docker.
docker version
% docker version
Client:
Version: 27.1.1
API version: 1.46
Go version: go1.21.12
Git commit: 6312585
Built: Tue Jul 23 19:54:12 2024
OS/Arch: darwin/arm64
Context: desktop-linux
Server: Docker Desktop 4.33.0 (160616)
Engine:
Version: 27.1.1
API version: 1.46 (minimum version 1.24)
Go version: go1.21.12
Git commit: cc13f95
Built: Tue Jul 23 19:57:14 2024
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.7.19
GitCommit: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
runc:
Version: 1.7.19
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
% docker info
Client:
Version: 27.1.1
Context: desktop-linux
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.16.1-desktop.1
Path: /Users/jjmaestro/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.29.1-desktop.1
Path: /Users/jjmaestro/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.34
Path: /Users/jjmaestro/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Alpha) (Docker Inc.)
Version: v0.0.14
Path: /Users/jjmaestro/.docker/cli-plugins/docker-desktop
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: /Users/jjmaestro/.docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.25
Path: /Users/jjmaestro/.docker/cli-plugins/docker-extension
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.5
Path: /Users/jjmaestro/.docker/cli-plugins/docker-feedback
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.3.0
Path: /Users/jjmaestro/.docker/cli-plugins/docker-init
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/jjmaestro/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.11.0
Path: /Users/jjmaestro/.docker/cli-plugins/docker-scout
Server:
Containers: 21
Running: 0
Paused: 0
Stopped: 21
Images: 3
Server Version: 27.1.1
Storage Driver: overlayfs
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
runc version: v1.1.13-0-g58aa920
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
cgroupns
Kernel Version: 6.10.0-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 10
Total Memory: 7.655GiB
Name: docker-desktop
ID: c325dcca-aa54-4f90-9f8e-f43f6ca069e3
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/jjmaestro/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
WARNING: daemon is not using the default seccomp profile
Diagnostics ID
7B54016F-97E6-428E-92C4-F7D32BCF51F6/20240810001351
Additional Info
% docker context list
NAME DESCRIPTION DOCKER ENDPOINT ERROR
default Current DOCKER_HOST based configuration unix:///var/run/docker.sock
desktop-linux * Docker Desktop unix:///Users/jjmaestro/.docker/run/docker.sock
% ls -l /Users/jjmaestro/.docker/run/docker.sock
srwxrwxrwx@ 1 jjmaestro staff 0 Aug 1 13:02 /Users/jjmaestro/.docker/run/docker.sock
Huh, I just tried the following and it works!
$ docker run \
--rm \
--volume /var/run/docker.sock:/var/run/docker.sock \
docker version
Client:
Version: 27.1.1
API version: 1.46
Go version: go1.21.12
Git commit: 6312585
Built: Tue Jul 23 19:55:52 2024
OS/Arch: linux/arm64
Context: default
Server: Docker Desktop 4.33.0 (160616)
Engine:
Version: 27.1.1
API version: 1.46 (minimum version 1.24)
Go version: go1.21.12
Git commit: cc13f95
Built: Tue Jul 23 19:57:14 2024
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.7.19
GitCommit: 2bf793ef6dc9a18e00cb12efb64355c2c9d5eb41
runc:
Version: 1.7.19
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Then, I checked the Docker on Mac VM and sure enough, that's the docker socket inside the Linux VM.
Yes, I think this is the expected behavior; bind mounts happen from the host where the daemon runs (on desktop, that's inside the VM); the socket on the host is a proxy for that socket, and also handles various conversions (host paths to VM paths, etc.), so to access the daemon socket, using the standard (/var/run/docker.sock) path should be the way to go.
@thaJeztah Sure, but then, how come I can bind mount e.g. a folder in my home directory, or any other path in Mac, for that matter? It's because / is mounted in /host_mnt/ inside the VM, correct? If so, that's why I would expect mounting the "outside socket" to work. Is there something else that's failing here?
@thaJeztah is there a way to "run docker context list in the Docker VM"? For example, if I want to script getting the path to the socket in the VM, I can do this in e.g. Lima:
DOCKER_CONTEXT_VM="$(limactl shell "$VM_NAME" docker context show)"
DOCKER_HOST_VM="$(limactl shell "$VM_NAME" \
docker context inspect --format "{{.Endpoints.docker.Host}}" "$DOCKER_CONTEXT_VM"
)"
Can I do something like that in the Docker VM? All I've found so far is "Getting a Shell in the Docker Desktop Mac VM" but I can't run docker context (or any docker command) in that shell.
Thanks!
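Added example, not part of the thread and not Docker's own tooling: a shell helper that picks the `--volume` source for a DooD mount from the daemon's reported operating system and the client context endpoint, following the reply above that Docker Desktop wants the standard /var/run/docker.sock path. The function names `dood_socket_source` and `dood_run` are hypothetical, and the non-Desktop branch assumes the CLI and the daemon share one filesystem (a native Linux install).

```shell
#!/bin/sh
# The daemon resolves bind-mount sources in its own filesystem, so the path
# must be the socket as the daemon sees it, not as the client context names it.

# dood_socket_source OS_NAME CONTEXT_HOST
#   OS_NAME       output of: docker info --format '{{.OperatingSystem}}'
#   CONTEXT_HOST  output of: docker context inspect --format '{{.Endpoints.docker.Host}}' <ctx>
# Prints the path to bind-mount; returns non-zero if no local path can be derived.
dood_socket_source() {
    os_name=$1
    context_host=$2
    case "$os_name" in
        "Docker Desktop")
            # The host-side socket is a proxy; inside the VM the daemon
            # listens on the standard path.
            printf '%s\n' /var/run/docker.sock
            return 0
            ;;
    esac
    case "$context_host" in
        unix:///*)
            # Assumption: CLI and daemon share one filesystem (native Linux).
            printf '%s\n' "${context_host#unix://}"
            ;;
        *)
            # tcp://, ssh:// and similar endpoints have no socket file to mount.
            echo "no bind-mountable socket for endpoint: $context_host" >&2
            return 1
            ;;
    esac
}

# Hypothetical wrapper for live use; needs a reachable daemon.
dood_run() {
    os_name=$(docker info --format '{{.OperatingSystem}}') || return 1
    ctx=$(docker context show) || return 1
    ctx_host=$(docker context inspect --format '{{.Endpoints.docker.Host}}' "$ctx") || return 1
    sock=$(dood_socket_source "$os_name" "$ctx_host") || return 1
    docker run --rm --volume "$sock:/var/run/docker.sock" "$@"
}
```

A container started this way can drive the daemon's full API, so the mount belongs only on images you would trust with control of the host's Docker.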