I’m currently running Docker Desktop 4.34.2 on Windows 11 with the containerd image store enabled. I’m running WSL v2 with Ubuntu 24.04 LTS and working with Trivy v0.55.0 doing image scans in Ubuntu. When I switched to the containerd image store, I kind of expected Trivy to not be able to see the images but there is a way to set a Trivy environment variable in Ubuntu that points it to the containerd socket so it can communicate with it. I just can’t find where that is … it’s not in the typical location at:
/run/containerd/containerd.sock
where Trivy is looking for it. I was wondering if anyone who’s running the containerd image store might have some experience with how Docker Desktop implements this in WSL? I do see:
So the Dcoker daemon and containerd is running in a container created by runc. Runc is also the default container runtime of containerd, but the whole docker daemon is isolated and the containerd socket is in the mount namespace of the containerd process.
Docker DEsktop extensions are running as containers so it Trivy should see the socket.
From the docker-desktop wsl distro:
nsenter -m -t $PID
Replace $PID with the actual process id of the runc process
Just to be clear: I’m using Trivy to run the scans not in the docker-desktop WSL VM, but rather in the Ubuntu-24.04 WSL VM that Docker Desktop is integrated with. It’s in the Ubuntu WSL VM that I need to set the Trivy environment variable to point it to the containerd socket so it can find the local containerd image store images to scan, rather than having it scan an image TAR file.
WSL integration just means you have the Docker client in the chosen WSL distribution. It is a kind of remote connection. There are some shared sockets in /mnt/wsl/docker-desktop/shared-sockets for Docker and WSL, but nothing needs containerd, only Docker in your WSL distribution. At least not for the WSL integration to work.
You will not see processes runing in another WSL distribution either.
