run: flag to include the docker socket

Adds a flag, `--include-docker-socket` that can be used to start a container with the correctly configured parameters to ensure that accessing the docker socket will work with out the fiddly flags. There are a few problems with this approach: 1. We need a reliably way to clean up the configuration file. This currently is put into a tmp file then bind mounted. There is probably a better way to do this such as copying in the file. 2. We need a way to resolve the correct socket outside the container. If a different socket is used or a address and port, this will attempt to bind mount a nonexistent socket. Either way, this is good start and resolves a long standing issue. Signed-off-by: Stephen Day <[email protected]>
docker · Feb 21, 2025 · ef509b0 · ef509b0
1 parent 77a8a8c
commit ef509b0
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 5 deletions.
diff --git a/cli/command/container/create.go b/cli/command/container/create.go
@@ -13,6 +13,7 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/cli/cli/internal/jsonstream"
 	"github.com/docker/cli/cli/streams"
 	"github.com/docker/cli/opts"
@@ -34,11 +35,12 @@ const (
 )
 
 type createOptions struct {
-	name      string
-	platform  string
-	untrusted bool
-	pull      string // always, missing, never
-	quiet     bool
+	name                string
+	platform            string
+	untrusted           bool
+	pull                string // always, missing, never
+	quiet               bool
+	includeDockerSocket bool
 }
 
 // NewCreateCommand creates a new cobra.Command for `docker create`
@@ -69,6 +71,7 @@ func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.name, "name", "", "Assign a name to the container")
 	flags.StringVar(&options.pull, "pull", PullImageMissing, `Pull image before creating ("`+PullImageAlways+`", "|`+PullImageMissing+`", "`+PullImageNever+`")`)
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the pull output")
+	flags.BoolVarP(&options.includeDockerSocket, "include-docker-socket", "", false, "Bind mount docker socket and required auth")
 
 	// Add an explicit help that doesn't have a `-h` to prevent the conflict
 	// with hostname
@@ -247,6 +250,43 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		return nil
 	}
 
+	if options.includeDockerSocket {
+		// We'll create two new mounts to handle this flag:
+		// 1. Mount the actual docker socket.
+		// 2. A synthezised ~/.docker/config.json with resolved tokens.
+
+		// TODO(sjd): Works in naive use cases where we are connected to an
+		// engine locally. We'll need to resolve the external socket for this
+		// work widely.
+		containerCfg.HostConfig.Binds = append(containerCfg.HostConfig.Binds,
+			"/var/run/docker.sock:/var/run/docker.sock")
+
+		fp, err := os.CreateTemp("", "docker-config-*****.json")
+		if err != nil {
+			return "", fmt.Errorf("creating temp for auth: %w", err)
+		}
+		defer fp.Close()
+
+		creds, err := dockerCli.ConfigFile().GetAllCredentials()
+		if err != nil {
+			return "", fmt.Errorf("resolving credentials failed: %w", err)
+		}
+
+		// Create a new config file with just the auth.
+		newConfig := &configfile.ConfigFile{
+			AuthConfigs: creds,
+		}
+
+		if err := newConfig.SaveToWriter(fp); err != nil {
+			return "", fmt.Errorf("saving creds: %w", err)
+		}
+
+		// TODO(sjd): Need a way to clean this cred file up after the cli
+		// process exits.
+		containerCfg.HostConfig.Binds = append(containerCfg.HostConfig.Binds,
+			fp.Name()+":/root/.docker/config.json")
+	}
+
 	var platform *specs.Platform
 	// Engine API version 1.41 first introduced the option to specify platform on
 	// create. It will produce an error if you try to set a platform on older API

diff --git a/cli/command/container/run.go b/cli/command/container/run.go
@@ -60,6 +60,7 @@ func NewRunCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVar(&options.detachKeys, "detach-keys", "", "Override the key sequence for detaching a container")
 	flags.StringVar(&options.pull, "pull", PullImageMissing, `Pull image before running ("`+PullImageAlways+`", "`+PullImageMissing+`", "`+PullImageNever+`")`)
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the pull output")
+	flags.BoolVarP(&options.createOptions.includeDockerSocket, "include-docker-socket", "", false, "Bind mount docker socket and required auth")
 
 	// Add an explicit help that doesn't have a `-h` to prevent the conflict
 	// with hostname