I’m creating a dev environment using Docker for Mac. I need to do a lot of command line argument processing BEFORE I even begin to call Docker. I’m writing a smaller logical layer above my docker options. I was wondering, with Docker for Mac, is the docker daemon exposed? I see how on OSX the docker tool works, but without strace I’m not sure how I can find the ‘connect’ system call to see where it’s actually reading and writing to.
Is pointing a go-library to the local docker daemon possible at this time ?
Yes, the usual libraries should work against it with normal setup. Searching the forum should find you some Python attempts and the physical location of the Docker socket, but you won’t usually need to know this; the libraries should do the right thing if $DOCKER_HOST is unset.
I tried to search for Python examples but I’m having a little trouble. Where is the socket hosted on the host (OS X) that the docker daemon connects too, and how is it directed too without env variables being set?
I’m also curious if it’s possible to point Terraform to this unix socket also, right now I cannot use Terraform locally because it’s looking for an IP and port to connect to.
I was able to actually bind mount /var/run/docker.sock into an nginx container, and do a proxy_pass to /var/run/docker.sock on the nginx container. I bound the nginx container to port 8081 on my host machine. Terraform can now connect to docker via localhost:8081
Remember that anyone who can reach that port has unrestricted root access on your system. I would never ever make the Docker socket available on a TCP port.
Also I never use the Terraform Docker provider. It’s hard to set up (in large part because of issues like this – I much prefer an authenticated and encrypted control channel, like ssh) and it feels less powerful than other available tools out there. Since there’s not a lot you can do from Terraform to directly set up a system’s software anyways, I’m usually running Ansible from a provisioner block, and then Ansible can start my containers for me.
Also also I’ve found that the Docker providers tend to have good defaults; this issue and its associated PR suggest that simply declaring provider "docker" {} will cause it to use the local socket (even though the docs say a host is required).
Finally, if you’re willing to accept that your system is network-rootable, the docker run -H option is probably an easier way to make the Docker socket network-visible; but don’t do that, really.