Call and execute host docker operations in docker container


This post is aimed at Docker novices. If you are a veteran, the approach described after the dividing line may still give you an idea.

First, let's look at how to run the host machine's Docker commands from inside a Docker container, which we call docker in docker.

As for why you would want to operate the host machine's Docker from inside a container, the advantages are self-evident. You can deploy the tools you need as containers instead of installing them directly on the host machine. Without this ability, such software could only be installed directly on the host, which is obviously not conducive to management and maintenance.

This is actually very simple to achieve. You only need to mount the host's docker binary and its docker.sock socket file into the container. Specifically:

-v /var/run/docker.sock:/var/run/docker.sock

-v /usr/bin/docker:/usr/bin/docker

You must first find where docker and docker.sock are located on your host machine so that you do not mount the wrong paths. Standard Linux normally uses the locations above.

Once the container is started with these two files mounted, you can run commands such as docker images inside the container.

If you get a permission denied error:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock

…………………………………………………………

dial unix /var/run/docker.sock: connect: permission denied

Workaround

On the host running the container, give docker.sock 777 permissions directly with the command chmod 777 docker.sock
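The check below is an added example, not part of the original post: mode 777 lets every local account and process open the Docker API, which is equivalent to root on the host, so it reports whether a socket is world-writable and builds the docker run arguments that give one container access through the socket's group instead. It assumes GNU stat and a socket that is group-writable (such as mode 660); the function names and the regular file standing in for docker.sock are constructed for the demo.

```shell
#!/bin/sh
# Added example: check a Docker socket's permissions and build docker run
# arguments that grant access through the socket's group instead of mode 777.

# socket_world_writable PATH
# Returns 0 when "other" users hold write permission on PATH; connecting to a
# Unix socket requires write permission, so this bit decides who can connect.
socket_world_writable() {
    mode=$(stat -c '%a' -- "$1") || return 2
    other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    [ $((other & 2)) -ne 0 ]
}

# group_access_args PATH
# Prints docker run arguments that mount PATH and add the GID owning it as a
# supplementary group of the container process (--group-add is a docker run flag).
group_access_args() {
    gid=$(stat -c '%g' -- "$1") || return 2
    printf '%s %s -v %s:/var/run/docker.sock' '--group-add' "$gid" "$1"
}

# Constructed demo: a regular file stands in for docker.sock so this runs offline.
demo=$(mktemp)
chmod 777 "$demo"
socket_world_writable "$demo" && echo "777: every local user can reach the Docker API"
chmod 660 "$demo"
socket_world_writable "$demo" || echo "660: only owner and group can reach it"
echo "docker run $(group_access_args "$demo") IMAGE"
rm -f "$demo"
```

On a real host, pass the actual socket path (for example /var/run/docker.sock) to both functions.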

Gorgeous dividing line

The following is for the Qunhui (Synology) system. You don't need to care too much about what this system is. In short, it has some unique problems with Docker that make it difficult to do as you please, so I adopted a workaround to deal with it (one way of thinking about it, just to start a discussion). Let me first describe the current situation:

The system provides a UI management tool for docker. We can perform regular mounting operations on this tool, but if we want to mount the docker and docker.sock files above, it will not work. Let's take a look at the screenshot first:

Let’s talk about the limitations of the UI operations in the picture!

Qunhui has officially restricted the files you can choose. It is impossible to select system-level files such as /usr/<yyyy-mm-sock>/va/<yyyy-mm-sock>, which means we cannot directly mount docker and docker.sock files.

Is it possible to use an ln -s soft link?

After trying, I first created two soft links in the jenkins folder through the ssh command line (linking to docker and docker.sock), and then returned to the Qunhui UI, but still could not select them (Qunhui hides soft link files outright, so you can't see them).

So how to solve it?

My method (a modified version of the soft link approach):

1. Create two files docker and docker.sock in the jenkins directory (name them correctly)

2. Then click the "Add File" button in docker, select these two files normally, and mount them. You can mount them normally and complete other configurations. After the configuration is completed, do not start the docker container for the time being.

3. Log in to Qunhui through ssh, delete the two files just created in the jenkins directory, and then create soft links for the docker and docker.sock source files to jenkins.

root@test:cd /volume1/docker/jenkins/
root@test:rm -rf docker docker.sock
root@test:ln -s /run/docker.sock /volume1/docker/jenkins/docker.sock
root@test:ln -s /usr/local/bin/docker /volume1/docker/jenkins/docker
root@test:/volume1/docker/jenkins#ll
total 8
drwxrwxrwx+ 1 Nuggets users 96 Jun 6 11:22 .
drwxr-xr-x+ 1 root root 188 May 30 19:29 ..
lrwxrwxrwx 1 root root 21 Jun 6 11:22 docker -> /usr/local/bin/docker
lrwxrwxrwx 1 root root 16 Jun 6 11:21 docker.sock -> /run/docker.sock
drwxrwxrwx+ 1 shanhongyu users 24 Jun 1 11:07 java_home
drwxrwxrwx+ 1 Nuggets users 4476 Jun 6 11:00 jenkins_home
drwxrwxrwx+ 1 shanhongyu users 82 Jun 1 11:12 maven_home

4. Then go back to Qunhui UI and start the container, and it will be perfect.

(Qunhui does not allow you to select soft links, but Linux and Docker can essentially mount soft links directly)
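An audit check for the indirection described above, as an added example that is not part of the original post: because the bind mount follows the soft link, a source path under the jenkins folder still hands the container the real docker.sock, so a review of container mounts has to resolve each source before comparing it. The function names and the sample directory layout are constructed for illustration, and GNU readlink -f is assumed.

```shell
#!/bin/sh
# Added example: find bind-mount sources that resolve to the Docker socket,
# even when the configured path is a soft link stored somewhere else.

# resolves_to_socket SOURCE SOCKET
# Returns 0 when SOURCE, with every soft link followed, is the same path as SOCKET.
resolves_to_socket() {
    src=$(readlink -f -- "$1") || return 1
    sock=$(readlink -f -- "$2") || return 1
    [ -n "$src" ] && [ "$src" = "$sock" ]
}

# audit_bind_sources SOCKET
# Reads one bind-mount source path per line on stdin and prints each one that
# reaches SOCKET, together with the path it resolves to.
audit_bind_sources() {
    socket=$1
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if resolves_to_socket "$entry" "$socket"; then
            printf '%s -> %s\n' "$entry" "$(readlink -f -- "$entry")"
        fi
    done
}

# build_sample DIR
# Constructed layout modelled on the listing above: DIR/run/docker.sock is a
# regular file standing in for the socket, DIR/jenkins holds the soft link.
build_sample() {
    mkdir -p "$1/run" "$1/jenkins/jenkins_home"
    : > "$1/run/docker.sock"
    ln -s "$1/run/docker.sock" "$1/jenkins/docker.sock"
}

# Demo: only the soft-linked source is reported.
tmp=$(mktemp -d)
build_sample "$tmp"
printf '%s\n' "$tmp/jenkins/docker.sock" "$tmp/jenkins/jenkins_home" |
    audit_bind_sources "$tmp/run/docker.sock"
rm -rf "$tmp"
```

Comparing resolved paths also treats /var/run/docker.sock and /run/docker.sock as the same file on systems where /var/run is itself a link to /run.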

Additional knowledge: Use Docker to run host programs in images

The docker run command is used to run commands in a new container. The docker run command first creates a writable container layer on the specified image and then starts it using the specified command.

In other words, docker run is equivalent to the API /containers/create and /containers/(id)/start.

A stopped container can be restarted with all its previous changes intact using docker start. See docker ps -a to see a list of all containers.

usage

docker run [OPTIONS] IMAGE [COMMAND] [ARG...]


example

Assign a name and allocate a pseudo-TTY (--name, -it)

$ docker run --name test -it debian
 
root@d6c0fe130dba:/# exit 13
$ echo $?
13
$ docker ps -a | grep test
d6c0fe130dba debian:7 "/bin/bash" 26 seconds ago Exited (13) 17 seconds ago test


This example runs a container named test using the debian:latest image. -it instructs Docker to allocate a pseudo-TTY connected to the container's stdin; this creates an interactive bash shell in the container. In this example, the bash shell is exited by typing exit 13. This exit code is passed to the caller of docker run and recorded in the test container’s metadata.

Capture container ID (--cidfile)

$ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test"


This will create a container and print test to the console. The --cidfile flag makes Docker attempt to create a new file and write the container ID to it. If the file already exists, Docker will return an error. Docker closes this file when docker run exits.

Full container functionality (--privileged)

$ docker run -t -i --rm ubuntu bash
root@bc338942ef20:/# mount -t tmpfs none /mnt
mount: permission denied


This will not work because most potentially dangerous kernel capabilities are dropped by default, including cap_sys_admin (which is needed to mount filesystems). However, the --privileged flag will allow it to run:

$ docker run -t -i --privileged ubuntu bash
root@50e3f57e16e6:/# mount -t tmpfs none /mnt
root@50e3f57e16e6:/# df -h
Filesystem Size Used Avail Use% Mounted on
none 1.9G 0 1.9G 0% /mnt


Set working directory (-w)

$ docker run -w /path/to/dir/ -i -t ubuntu pwd


The -w flag runs the command inside the given directory, here /path/to/dir/. If the path does not exist, it is created inside the container.

Set storage driver options for each container

$ docker run -it --storage-opt size=120G fedora /bin/bash


Mount tmpfs (--tmpfs)

$ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image


The --tmpfs flag mounts an empty tmpfs into the container with rw, noexec, nosuid, size=65536k options.

Mount volumes (-v, --read-only)

$ docker run -v `pwd`:`pwd` -w `pwd` -i -t ubuntu pwd


The -v flag mounts the current working directory into the container. -w enables execution of commands in the current working directory, changing directory to the value returned by pwd. So this combination executes the command using the container, but in the current working directory.

$ docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash


When the host directory for a bound volume does not exist, Docker will automatically create this directory on the host. In the example above, Docker will create the /doesnt/exist folder before starting the container.

$ docker run --read-only -v /icanwrite busybox touch /icanwrite/here


Volumes can be used in combination with --read-only to control where the container writes files. The --read-only flag mounts the container's root filesystem as read-only and disallows writing to locations outside of the container's specified volume.

The above article about calling and executing the host's docker operations in the docker container is all I have to share with you. I hope it can give you a reference, and I also hope that you will support 123WORDPRESS.COM.
