 

Can anyone explain docker.sock

Tags:

docker



docker.sock is the UNIX socket that the Docker daemon is listening on. It's the main entry point for the Docker API. It can also be a TCP socket, but by default, for security reasons, Docker uses a UNIX socket.

The Docker CLI client uses this socket to execute docker commands by default. You can override these settings as well.

There might be different reasons why you may need to mount the Docker socket inside a container, like launching new containers from within another container, or for auto service discovery and logging purposes. This increases the attack surface, so if you mount the Docker socket inside a container, you should be careful that only trusted code is running inside that container; otherwise you can simply compromise the host that is running the Docker daemon, since Docker by default launches all containers as root.

The Docker socket has a docker group in most installations, so users within that group can run docker commands against the Docker socket without root permission, but the actual Docker containers still get root permission, since the Docker daemon effectively runs as root (it needs root permission to access namespaces and cgroups).

I hope it answers your question.

More info: https://docs.docker.com/engine/reference/commandline/dockerd/#examples


I know it is a bit late, but I hope my answer will give many insights.

Let me first talk about Unix Sockets.

The term Sockets commonly refers to IP Sockets. These are the ones that are bound to a port (and address), we send TCP requests to, and get responses from.

Another type of Socket is a Unix Socket; these sockets are used for IPC (Interprocess Communication). They're also called Unix Domain Sockets (UDS). Unix Sockets use the local filesystem for communication, while IP Sockets use the network.

The Docker daemon can listen for Docker Engine API requests via three different types of Socket: unix, tcp, and fd.

By default, a unix domain socket (or IPC socket) is created at /var/run/docker.sock.

Let us see some live examples:

Docker Server uses this socket to listen to the REST API, and the clients use the socket to send API requests to the server.

curl can talk to a Unix Socket via the --unix-socket flag. Since the Docker Server API is exposed as REST, we'd need to send commands over HTTP. Also, as this server is local (remember, the file system), we can pass any hostname in the URL (or stick to localhost, that will work fine too!). The server does not care about the hostname, just the path.

curl --unix-socket /var/run/docker.sock http://localhost/images/json | jq

[
  {
    "Containers": -1,
    "Created": 1525888860,
    "Id": "sha256:24a77bfbb9ee3aeef9e24766ad6e9fa57f85c67596f154e8916e4f314067e149",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": [
      "postgres@sha256:b06cdddba62f1550a1c674270814e72eaa8734d95912019b4ddc288b650ad67d"
    ],
    "RepoTags": null,
    "SharedSize": -1,
    "Size": 39507096,
    "VirtualSize": 39507096
  }
]

Some commands:

  • curl --unix-socket /var/run/docker.sock http://localhost/images/json | jq
  • curl --unix-socket /var/run/docker.sock http://localhost/containers/json | jq
  • curl -i -X POST --unix-socket /var/run/docker.sock "http://foo/images/a95fgf458dfd/tag?repo=redis&tag=foo"
  • curl --no-buffer --unix-socket /var/run/docker.sock http://localhost/events

You can do a lot of stuff with docker.sock.

Check out this beautiful article.
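The curl commands above are ordinary HTTP requests carried over the Unix socket instead of TCP. The following is an added example, not code from the original answer: a small Python client that does what `curl --unix-socket` does using http.client over an AF_UNIX connection, paired with a tiny fake daemon on a temporary socket so the exchange can be run without a Docker daemon present. The fake server, its constructed image record, and the names UnixHTTPConnection, api_get and demo are assumptions of this example; pointing api_get at /var/run/docker.sock talks to a real daemon, with the same GET /images/json path the answer uses.

```python
"""Send a Docker Engine API request over a Unix domain socket, the way
`curl --unix-socket /var/run/docker.sock http://localhost/images/json` does."""
import http.client
import json
import os
import socket
import tempfile
import threading
from http.server import BaseHTTPRequestHandler
from socketserver import UnixStreamServer

DOCKER_SOCK = "/var/run/docker.sock"  # default daemon socket on a Linux host


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection whose transport is a Unix socket. The hostname given to
    HTTPConnection (and the Host header it sends) is ignored by the daemon;
    only the request path matters, exactly as the answer describes for curl."""

    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


def api_get(path, sock_path=DOCKER_SOCK):
    """GET a JSON endpoint of the Engine API through the socket and return the decoded body."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"GET {path} -> HTTP {resp.status}: {body[:200]!r}")
    return json.loads(body)


# ---- Fake daemon for an offline demonstration (constructed; not the real Docker API) ----
FAKE_IMAGES = [{  # constructed record in the shape of one /images/json entry
    "Id": "sha256:" + "0" * 64,
    "RepoTags": ["postgres:latest"],
    "Size": 39507096,
}]


class FakeDockerHandler(BaseHTTPRequestHandler):
    """Answers GET /images/json with FAKE_IMAGES; everything else is a 404."""

    def do_GET(self):
        if self.path != "/images/json":
            self.send_error(404)
            return
        payload = json.dumps(FAKE_IMAGES).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


class FakeDockerServer(UnixStreamServer):
    """An HTTP server listening on a filesystem path rather than a TCP port."""


def demo():
    """Start the fake daemon on a temporary socket file and query it through api_get()."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "docker.sock")
    server = FakeDockerServer(sock_path, FakeDockerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return api_get("/images/json", sock_path)
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any process that can connect to the socket file can issue these requests, which is why the socket's filesystem permissions are the whole access control for the daemon.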


It basically exposes the host Docker daemon to the container, so you can invoke the Docker API/client from your container to start/stop/build images/containers, like directly calling those commands on the host.


When you install Docker on a machine, two different programs come in:

  • Docker Client
  • Docker Server

Docker Server receives commands over a socket (either over a network or through a "file").

Docker Client communicates over a network and sends messages to the Docker server to say: make a container, start a container, stop a container, etc.

When the client and server are running on the same computer, they can connect through a special file called a socket. And since they can communicate through a file and Docker can efficiently share files between hosts and containers, it means you can run the client inside Docker itself.

Here is a sample:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock docker sh

This command creates a container with the Docker client installed within it. Check the volume part: -v /var/run/docker.sock:/var/run/docker.sock

With the -v flag it shares the host docker.sock file, so you can manipulate the containers on the host via a container.

/ # docker run --rm -it ubuntu bash --> Creates a new container from within the container

Run docker ps in the host terminal.

CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS     NAMES
0f9e333b59fe   ubuntu    "bash"                   5 seconds ago    Up 4 seconds              zealous_wilson
b4a8af31416b   docker    "docker-entrypoint.s…"   16 minutes ago   Up 16 minutes             epic_elion
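The first answer warns that mounting the socket into a container hands that container control of the host daemon, and the last answer shows the exact `-v /var/run/docker.sock:/var/run/docker.sock` flag that does it. As an added example (not code from either answer), here is a small audit that parses `docker inspect` output and lists every container whose bind mounts include the daemon socket, so a host owner can find such containers after the fact. The sample records are constructed to match the shape of inspect JSON (the container names and two of the IDs echo the `docker ps` listing above; the third record is invented), and the function names socket_mounts and audit are this example's own.

```python
"""Audit `docker inspect` output for containers that bind-mount the daemon socket."""
import json
import posixpath

# Host paths under which the daemon socket is normally found (/var/run is usually a symlink to /run).
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def socket_mounts(container):
    """Return every bind mount in one inspect record whose host source is the daemon socket.

    A read-only (":ro") bind mount of the socket does not limit the API: the client
    connects to the socket rather than writing to the file, so RW is reported only as context."""
    hits = []
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind" and posixpath.normpath(m.get("Source", "")) in DOCKER_SOCKET_PATHS:
            hits.append({"Source": m["Source"], "Destination": m.get("Destination"), "RW": m.get("RW", True)})
    # Records may also (or only) carry HostConfig.Binds as "src:dst[:opts]" strings.
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        parts = bind.split(":")
        src = parts[0]
        if posixpath.normpath(src) in DOCKER_SOCKET_PATHS and not any(h["Source"] == src for h in hits):
            hits.append({"Source": src,
                         "Destination": parts[1] if len(parts) > 1 else None,
                         "RW": "ro" not in parts[2:]})
    return hits


def audit(inspect_json):
    """Parse the text of `docker inspect <container>...` and map offending container names to their socket mounts."""
    findings = {}
    for c in json.loads(inspect_json):
        hits = socket_mounts(c)
        if hits:
            findings[c.get("Name", c.get("Id", "?")).lstrip("/")] = hits
    return findings


# Constructed sample shaped like `docker inspect` output; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {   # the `docker run -v /var/run/docker.sock:/var/run/docker.sock docker sh` container
        "Id": "b4a8af31416b", "Name": "/epic_elion",
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
    {   # an ordinary container with no host mounts
        "Id": "0f9e333b59fe", "Name": "/zealous_wilson",
        "HostConfig": {"Binds": None}, "Mounts": [],
    },
    {   # invented record listing the socket only under HostConfig.Binds, read-only
        "Id": "deadbeef0000", "Name": "/legacy_agent",
        "HostConfig": {"Binds": ["/run/docker.sock:/var/run/docker.sock:ro"]},
        "Mounts": [],
    },
])

if __name__ == "__main__":
    for name, mounts in audit(SAMPLE_INSPECT).items():
        for m in mounts:
            print(f"{name}: daemon socket {m['Source']} mounted at {m['Destination']} (rw={m['RW']})")
```

To run it against a live host, pipe `docker inspect $(docker ps -q)` into audit(); every container it reports effectively has root on the host, as the first answer explains, so each one should be a deliberate, trusted workload.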