
Say I am running in a container which was started with:

docker run -v /var/run/docker.sock:/var/run/docker.sock foo

then I launch another container from within the above one:

docker run -v /var/run/docker.sock:/var/run/docker.sock bar

my question is - is the /var/run/docker.sock from the second command pointing to the same /var/run/docker.sock as the first command?

The containers should be siblings, so my second question is - how can I get files from the "outer" container into the "inner" container using the -v option? I am looking to do:

docker run -v "/foo:/bar" -v /var/run/docker.sock:/var/run/docker.sock bar


When one mounts a docker socket into a container, s/he's giving the container control over the instance of docker running on the host.

You can think of this as analogous to giving multiple containers the URL of a website. Whatever any of those containers does affects that website, and those changes will be visible to all.

In concrete terms, under this setup, there is no hierarchy of containers: Just multiple containers controlling the same docker daemon that could have otherwise been controlled via the docker command on the host. Each container will have an equal ability to do pretty much anything on the host, via the docker daemon, and the isolation provided by containers by default will almost entirely be subverted.

For this reason, docker in docker has some inherent security implications, but more on those can be found elsewhere on the internet.

To answer your second question, copying files between containers involves running a command that emits the contents of the file in the source container, and piping it to a command that writes to the destination file in the destination container. For example:

docker exec container1 cat /source/file | docker exec -i container2 bash -c "cat > /dest/file"

Copying multiple files could involve creating a tarball in the source and expanding it in the other:

docker exec container1 tar -C /source -cf - dir | docker exec -i container2 tar -C /dest -xf -

As a convenience, and for situations where a shell or tar are not available within a container, docker cp can be used to copy files from a container to the host. By copying a file from a source container to the host, and then to the destination container, you can arrive at the same solution, at the cost of a bit of temporary storage. For example:

docker cp container1:/source/file file
docker cp file container2:/dest/file

You were onto something, though. An alternative would be to mount a directory from the host into both containers and communicate via that directory. For example:

mkdir shared
docker run -d --name=container1 -v $PWD/shared:/mnt/share image command
docker run -d --name=container2 -v $PWD/shared:/mnt/share image command

Typos notwithstanding, the example above will result in two containers becoming available. The processes in those two containers may share files via /mnt/share, which will be backed by the shared/ directory on the host.

ctt
  • why can he mount `-v /foo:/bar`? when running docker inside the first container is it like the host for the volume command for the second container? – matanper May 10 '19 at 22:46
  • @matanper you're correct. If that example in the question is an attempt to make a directory within one container available to another via a `-v` mount, this will not really work. Commands that any `docker` client sends via that socket are sent to a solitary docker daemon: The one running on the host. This daemon expects the source directories provided to `-v` to be available on the host, and will try to find them there. OP should use one of the techniques described in this answer (or in the Docker documentation) to copy files between containers. – ctt May 10 '19 at 22:55
  • can you show an example of sharing a volume between the two containers? –  May 10 '19 at 23:13
  • @MrCholo I expanded on the last bit a little, but the idea is to create a directory on the host (either a plain ol' directory, or a named volume) and use `-v` to mount it into two containers. Those containers will then be able to share files via this directory. – ctt May 10 '19 at 23:22
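Because every container that has the socket mounted gets the host-level control the answer describes, the practical follow-up for an operator is to enumerate such containers. The following is an added example, not part of the answer above or of Docker's own tooling: a Python helper that reads the JSON produced by `docker inspect` (here a constructed sample) and reports each container that bind-mounts the host Docker socket, wherever it is mounted inside the container.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample of `docker inspect` output for three containers (not real data).
# Real input would come from: docker inspect $(docker ps -q)
SAMPLE_INSPECT = json.dumps([
    {"Name": "/foo",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/bar",
     "Mounts": [{"Type": "bind", "Source": "/home/user/shared",
                 "Destination": "/mnt/share", "RW": True}]},
    {"Name": "/baz",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/docker.sock", "RW": False}]},
])


def socket_mounts(inspect_output: str) -> list:
    """Return one record per container that bind-mounts the host Docker socket.

    Each record names the container, where the socket lands inside it, and
    whether the mount is writable. A read-only bind mount of a Unix socket
    still permits connect(), so RW=False entries are reported, not filtered.
    """
    findings = []
    for container in json.loads(inspect_output):
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCK:
                findings.append({
                    "container": container["Name"].lstrip("/"),
                    "destination": mount.get("Destination"),
                    "rw": mount.get("RW", True),
                })
    return findings


if __name__ == "__main__":
    for f in socket_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: host docker socket at {f['destination']} (rw={f['rw']})")
```

Any container listed this way can drive the host daemon exactly as the `docker` command on the host could, which is the point the answer makes about the isolation being subverted.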