
I want to prune Docker images. I wrote a small Docker image using node-docker-api and was able to test it locally with success.
After I deployed the DaemonSet to Kubernetes, the pod fails to access the Docker socket:

Error: connect EACCES /var/run/docker.sock

The deployment.yaml looks as follows:

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    name: docker-image-cleanup
  name: docker-image-cleanup
spec:
  template:
    metadata:
      labels:
        app: docker-image-cleanup
    spec:
      volumes:
        - name: docker-sock
          hostPath:
            path: "/var/run/docker.sock"
            type: File
        - name: docker-directory
          hostPath:
            path: "/var/lib/docker"

      containers:
        - name: docker-image-cleanup
          image: image:tag
          securityContext:
            privileged: true
          env:
            - name: PRUNE_INTERVAL_SECONDS
              value: "30"
            - name: PRUNE_DANGLING
              value: "true"
          volumeMounts:
            - mountPath: /var/run/docker.sock
              name: docker-sock
              readOnly: false
            - mountPath: "/var/lib/docker"
              name: docker-directory
              readOnly: false

Running AKS v1.13.10, if relevant.

SagiLow

2 Answers


There is no guarantee that your Kubernetes cluster is actually using Docker as the container engine. As there are many alternatives, like cri-o and kata containers, your application/deployment should make no assumptions about the underlying container engine.

Kubernetes takes care of cleaning up unused container images automatically. See the documentation on how to configure it, if you run the cluster yourself: https://kubernetes.io/docs/concepts/cluster-administration/kubelet-garbage-collection/

Aside from that, it looks like you have a simple permission problem with the socket: make sure your application in the cleanup container runs as root or as an appropriate user to access the socket.

Thomas
  • I've made sure Docker is used. Unfortunately due to some other issues, we have to prune the unused images much more intensively than the integrated garbage collector – SagiLow Oct 30 '19 at 09:29
  • Why do you have to manually remove images, what happens if you don't? I would fix the underlying issue and not aim for breaking the abstraction provided by kubernetes. – Thomas Oct 30 '19 at 09:32
  • Company requirement. Thank you for the good intentions but I prefer to get an answer (if possible) for the issue I've introduced :) – SagiLow Oct 30 '19 at 09:51
  • What is the requirement exactly? – Thomas Oct 30 '19 at 10:21
  • Not to leave unused images more than x minutes on nodes – SagiLow Oct 30 '19 at 10:33
  • Post edit: the question is actually how should I solve the simple permission issue – SagiLow Oct 30 '19 at 10:42

I've added runAsUser: 0 to the container properties:

containers:
  - name: docker-image-cleanup
    image: image:tag
    securityContext:
      privileged: true
      runAsUser: 0

Now it works.

SagiLow
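The accepted answer fixes the EACCES correctly: the socket on the node is owned by root, so running the container as uid 0 lets it connect. What the fix makes explicit is that this DaemonSet holds root-equivalent access to every node it runs on (a writable Docker socket, privileged: true, and now uid 0), which is exactly the kind of manifest an admission policy or a pre-deploy check should surface. The following is an added example, my own code and not from the question or either answer: a small audit that walks a Pod or templated workload spec and reports those properties. The manifest is a constructed Python-dict rendering of the question's deployment.yaml; apply_accepted_fix() adds the runAsUser: 0 from the accepted answer so the two variants can be compared. The SENSITIVE_HOST_PATHS set and all function names are mine.

```python
"""Audit Kubernetes pod specs for node-level access through the Docker socket.

Added example, not code from the question or either answer.  QUESTION_DAEMONSET
is a constructed dict rendering of the question's deployment.yaml.
"""
import copy

# Host paths that hand a container control of the node's container runtime.
# Access to docker.sock is equivalent to root on the node (assumption of this
# audit: treat both paths as sensitive regardless of mount mode).
SENSITIVE_HOST_PATHS = {"/var/run/docker.sock", "/var/lib/docker"}

# Constructed from the question's deployment.yaml (not parsed from it).
QUESTION_DAEMONSET = {
    "apiVersion": "extensions/v1beta1",
    "kind": "DaemonSet",
    "metadata": {"name": "docker-image-cleanup"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "docker-sock",
             "hostPath": {"path": "/var/run/docker.sock", "type": "File"}},
            {"name": "docker-directory",
             "hostPath": {"path": "/var/lib/docker"}},
        ],
        "containers": [{
            "name": "docker-image-cleanup",
            "image": "image:tag",
            "securityContext": {"privileged": True},
            "volumeMounts": [
                {"mountPath": "/var/run/docker.sock", "name": "docker-sock",
                 "readOnly": False},
                {"mountPath": "/var/lib/docker", "name": "docker-directory",
                 "readOnly": False},
            ],
        }],
    }}},
}


def pod_spec_of(manifest):
    """Return the pod spec of a bare Pod or of a templated workload
    (DaemonSet, Deployment, ...)."""
    if manifest["kind"] == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def audit(manifest):
    """Return sorted (container, finding) pairs describing node-level access."""
    spec = pod_spec_of(manifest)
    # Resolve volume names to host paths so mounts can be checked by path.
    host_path_by_volume = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", []) if "hostPath" in v
    }
    findings = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((c["name"], "privileged: true"))
        if sc.get("runAsUser") == 0:
            findings.append((c["name"], "runAsUser: 0"))
        for m in c.get("volumeMounts", []):
            path = host_path_by_volume.get(m["name"])
            if path in SENSITIVE_HOST_PATHS:
                mode = "ro" if m.get("readOnly") else "rw"
                findings.append((c["name"], f"hostPath {path} mounted {mode}"))
    return sorted(findings)


def is_node_root_equivalent(manifest):
    """True when any container can drive the node's Docker daemon or is
    privileged.  A readOnly mount of docker.sock is NOT a mitigation: the
    read-only flag applies to the filesystem, connect() on the socket still
    works, so the audit treats ro and rw socket mounts alike."""
    for _container, finding in audit(manifest):
        if finding.startswith("hostPath /var/run/docker.sock") \
                or finding == "privileged: true":
            return True
    return False


def apply_accepted_fix(manifest):
    """The change from the accepted answer: run every container as uid 0 so it
    can open the root-owned socket.  Returns a copy; the input is untouched."""
    fixed = copy.deepcopy(manifest)
    for c in pod_spec_of(fixed)["containers"]:
        c.setdefault("securityContext", {})["runAsUser"] = 0
    return fixed


if __name__ == "__main__":
    variants = (("question", QUESTION_DAEMONSET),
                ("accepted answer", apply_accepted_fix(QUESTION_DAEMONSET)))
    for label, manifest in variants:
        print(f"{label} (node-root-equivalent: {is_node_root_equivalent(manifest)}):")
        for container, finding in audit(manifest):
            print(f"  {container}: {finding}")
```

Running the file prints the findings for the original manifest and for the fixed one; the only difference is the added runAsUser: 0 line, which is the point: the permission error was the symptom, the node-level access was already granted by the socket mount and privileged: true. Setting readOnly: true on the socket mount changes the finding's label but not the verdict, because a read-only bind mount does not stop a process from connecting to the socket.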