Docker.sock bind mount not preserving host ownership

rimelek · April 11, 2024, 1:39pm

You could try socat which can redirect a TCP socket to a unix socket or the other way around. I don’t think I ever tried, but I guess it could redriect a unix socket to another unix socket. One with the “right” owner and one with root, but I’m not sure it would solve the problem.

Here is another example for socat

Or this one which I used in a CI/CD pipeline

github.com

rimelek/httpd24-docker-image/blob/75eaf38f396b1e5928f36ea84e52a14b7faccf5f/ci/local-builder.yml#L6


      
          version: "3.7"
          
          services:
            socat:
              image: alpine/socat
              command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
              user: root
              volumes:
                - type: bind
                  source: /var/run/docker.sock
                  target: /var/run/docker.sock
              network_mode: host
          
            ci:
              depends_on:
                - socat

This way the CI container could use the Docker socket without actually mounting the file. If I remember correctly, I needed it because the user in the ci container was not root. If the two container shares the network namespace or both are using the host network, the TCP socket can listen on localhost so it is not accessible by remote users.