
I'm trying to have a `docker:dind` container that runs a single command and then exits. All the examples are based on a daemonized container, and I'm trying to avoid that; I want the container to exit once the entrypoint process finishes.

Out of the box, docker:dind image prescribes the entrypoint of dockerd-entrypoint.sh, which starts and then holds on to an actual docker daemon running within. Effectively, this container is now providing a service - I can "exec" into it, and run nested containers:

```
$ docker run --rm --privileged -t -i docker:dind &
$ docker exec -it <container_name> sh
/ # docker run -it --rm fedora
[root@xxxx /] #
```

However, I don't want it to provide a service. What I want is to run a new container each time to perform a task. A task that involves creating and using nested containers, and once the task is finished, I want the container to stop. So I would create my own image based on docker:dind, with an example Dockerfile:

```
FROM docker:dind
COPY my_task.sh /
```

If I replace the default entrypoint, obviously none of the DIND magic runs, and DIND is not available.

The `dockerd-entrypoint.sh` entrypoint does, however, accept arguments; if an argument is provided at start-up, the `dockerd-entrypoint.sh` script instead calls `docker-entrypoint.sh`, the docker daemon isn't started, and the environment variable `$DOCKER_HOST` is set to `tcp://docker:2375`, which doesn't resolve. I don't understand the point of that functionality (it may only be intended for rootless variants).

```
$ docker run --rm --privileged -t -i docker:dind sh
/ # export |grep DOCKER
export DOCKER_HOST='tcp://docker:2375'
export DOCKER_TLS_CERTDIR='/certs'
export DOCKER_VERSION='20.10.9'
/ # docker ps
error during connect: Get "http://docker:2375/v1.24/containers/json": dial tcp: lookup docker on 192.168.83.1:53: no such host
```

While testing, I've changed the entrypoint to /bin/sh, then tried running dockerd-entrypoint.sh from that shell (something that my "task script" would do). That starts the daemon properly, but the shell then holds on to the docker daemon and is unavailable for further commands. Trying to run dockerd-entrypoint.sh in the background using job control leads to an immediate exit after the daemon start-up.

So, finally, overriding the entrypoint, then running `setsid -f dockerd-entrypoint.sh` does seem to work - the daemon properly goes into background, the shell is free to do other commands, and the container exits when the shell does.

However, it feels like I'm missing something here, like the default entrypoint script is supposed to work as a wrapper, and "provide" DIND capabilities to whatever command that it wraps.

So, what is the proper way of running single-task DIND containers?

David Maze
Pawel Veselov
  • Is the sequence you're trying for to start a nested Docker daemon; run a single container within that to completion; and after the container has exited, shut down the daemon? That seems like it will intrinsically require two commands. Can you launch the actual container on the host Docker daemon without the intermediate DinD container? – David Maze Oct 19 '21 at 04:28
  • @DavidMaze The sample commands are just to showcase that DIND is working or not working. The point is to have a single entrypoint command that can run the daemon, do the necessary work (involving running nested containers), and then exit along with the top-level container. – Pawel Veselov Oct 19 '21 at 10:16
  • In general a Docker container does only one thing. So saying you want to start the nested Docker daemon _and_ launch containers breaks that pattern. You either need to write your own script to manage all of the processes in that container, or separately launch the DinD container and the nested containers. (You might look at the `postgres` image's entrypoint script for the amount of work required to start a database server and load initial data into it; this task is similar.) – David Maze Oct 19 '21 at 13:07
  • @DavidMaze containers like "postgres" provide a service, and what I'm concerned with is a task. I've edited my question so that it is more clear. – Pawel Veselov Oct 19 '21 at 13:26
  • The Docker daemon is a service too. – David Maze Oct 19 '21 at 13:56
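
One way to script the single-task flow the question arrives at (detach the daemon with `setsid -f dockerd-entrypoint.sh`, run the task, let the container exit with the script), as an added example that is not part of the original post or of the `docker:dind` image. The function names, the `DIND_WAIT_SECS`, `DIND_POLL_SECS` and `DIND_LOG` variables, and the readiness poll with `docker info` are assumptions; `/my_task.sh` is the file from the question's Dockerfile.

```shell
#!/bin/sh
# Added example: single-task wrapper for an image built FROM docker:dind.
# Assumed names: DIND_LOG, DIND_WAIT_SECS, DIND_POLL_SECS and all functions.

# Detach the nested daemon using the invocation the question reports working.
start_daemon() {
    setsid -f dockerd-entrypoint.sh >"${DIND_LOG:-/tmp/dockerd.log}" 2>&1
}

# Poll the daemon until it answers; give up after $1 attempts.
wait_for_docker() {
    tries=${1:-30}
    while [ "$tries" -gt 0 ]; do
        if docker info >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "${DIND_POLL_SECS:-1}"
    done
    return 1
}

# Start the daemon, wait for it, run the task, return the task's status.
# 125 = daemon could not be launched, 124 = daemon never became ready.
run_single_task() {
    start_daemon || return 125
    if ! wait_for_docker "${DIND_WAIT_SECS:-30}"; then
        echo "nested dockerd not ready, see ${DIND_LOG:-/tmp/dockerd.log}" >&2
        return 124
    fi
    "$@"
}

# Run only where the dind entrypoint exists; elsewhere this file just
# defines the functions. As the container's entrypoint, this script's
# exit ends the container, which is the behaviour the question wants.
if command -v dockerd-entrypoint.sh >/dev/null 2>&1; then
    [ "$#" -gt 0 ] || set -- /my_task.sh
    run_single_task "$@"
    exit $?
fi
```

With this script set as the image's entrypoint, the container is still started with `--privileged` as in the question, and its exit status is the task's, so a caller can tell a failed task from a daemon that never came up.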
