There are two containers, A and B. Once container A starts, one process will be executed, then the container will stop. Container B is just a web application (say expressjs). Is it possible to kickstart A from container B?
3 Answers
It is possible to grant a container access to docker so that it can spawn other containers on your host. You do this by exposing the docker socket inside the container, e.g.:

```sh
docker run -v /var/run/docker.sock:/var/run/docker.sock --name containerB myimage ...
```

Now, if you have the `docker` client available inside the container, you will be able to control the docker daemon on your host and use that to spawn your "container A".

Before trying this approach, you should be aware of the security considerations: access to docker is the same as having `root` access on the host, which means if your web application has a remote compromise you have just handed the keys to your host to the attackers. This is described more fully in this article.
- I followed this tip. And then I manually copied `docker` and `docker-compose` into the container. The `docker-compose` runs fine inside the container. However, I need to copy `/usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1` from my host into the container and then inside the container I create a symlink by `ln -sf /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1 /usr/lib/x86_64-linux-gnu/libltdl.so.7`. Inside the container: `ldd /usr/bin/docker` all libs are now resolved and I am able to run `docker` and `docker-compose` inside the container. – daparic Jan 08 '18 at 15:23
- I have the docker client installed in my container and expose the docker socket of the host system, but when I try to start a container from within the container I get a "permission denied while trying to connect to the docker daemon socket". I did "usermod -a -G docker $user" when building the container. $user does not exist outside the container. Any advice? I'm asking here as opposed to adding a new question because I feel it can be a valid or even necessary addition to this answer. – Raketenolli Sep 18 '20 at 07:19
- It seems the problem was that the gid of the container and the host docker were different. `groupmod -g docker` in the Dockerfile fixes it. – Raketenolli Sep 18 '20 at 09:18
It is possible by mounting the docker socket.

Container A

It will print the time to the stdout (and its logs) and exit.

```sh
docker run --name contA ubuntu date
```

Container B

The trick is to mount the host's docker socket then install the docker client on the container. It will then interact with the daemon just as if you were using docker from the host. Once docker is installed, it simply restarts container A every 5 seconds.

```sh
# Mount the host's docker socket, install the docker client, then restart contA every 5 seconds
docker run --name contB -v /var/run/docker.sock:/var/run/docker.sock ubuntu bash -c "
  apt-get update && apt-get install -y curl &&
  curl -sSL https://get.docker.com/ | sh &&
  watch --interval 5 docker restart contA"
```

You can see that contA is being called by looking at its logs:

```sh
docker logs contA
```

That said, Docker is really meant for long running services. There's some talk over at the Docker GitHub issues about specifying short lived "job" services for things like maintenance, cron jobs, etc, but nothing has been decided, much less coded. So it's best to build your system so that containers are up and stay up.

- I didn't post my answer right away so @larsks came up first. I'll keep it here anyway as it's got code you might find useful. – Bernard Sep 13 '16 at 12:46
- It works. I am not sure whether it is a good idea to install a docker inside a docker, that would be another question. Since @larsks came up first, I just give a tick to that. – tony.0919 Sep 15 '16 at 17:38
- It works but the code is not very clear to me. I am puzzled by https://get.docker.com/ use. Anyway, one has to install docker-ce inside the docker container ( apt-get install docker-ce ) and then use "docker restart containername" to restart another docker container – Somum Nov 29 '17 at 02:50
- Works as charm. Now my isolated container can run others which is supacool! – Vadim Jul 27 '22 at 18:30
docker-compose.yml
(credits to larsks)

```yaml
# ...
volumes:
  - /var/run/docker.sock:/var/run/docker.sock
# ...
```

Dockerfile
(credits to Aaron V)

```dockerfile
# ...
# Install only the static docker client binary into /usr/local/bin
ENV DOCKERVERSION=19.03.12
RUN curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKERVERSION}.tgz \
  && tar xzvf docker-${DOCKERVERSION}.tgz --strip 1 -C /usr/local/bin docker/docker \
  && rm docker-${DOCKERVERSION}.tgz
# ...
```

Node.js index.js
(credits to Arpan Abhishek, Maulik Parmar and anishsane)

```js
// ...
const { exec } = require("child_process");
// ...
// List all containers, keep those whose name matches, and restart each one immediately (-t 0)
exec('docker container ls -a --format "table {{.ID}}\t{{.Names}}" | grep <PART_OF_YOUR_CONTAINER_NAME> | cut -d" " -f1 | cut -f1 | xargs -I{} docker container restart -t 0 {}', (error, stdout, stderr) => {
  if (error) {
    console.log(`error: ${error.message}`);
    return;
  }
  if (stderr) {
    console.log(`stderr: ${stderr}`);
    return;
  }
  console.log(`stdout: ${stdout}`);
});
// ...
```

- Please make sure that your application is at least behind a password protection. Exposing `docker.sock` in any way is a security thing.
- Here you can find other Docker client versions: https://download.docker.com/linux/static/stable/x86_64/
- Please replace `<PART_OF_YOUR_CONTAINER_NAME>` with a part of your container name.

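An added example, not part of any of the answers above: instead of shelling out to the `docker` CLI with `exec`, the web application can call the Docker Engine API directly over the mounted socket and accept only allowlisted container names, so request data never reaches a shell. The allowlist contents and the function names are assumptions; code already running inside container B still has full access to the socket, so this only narrows what an HTTP request can trigger.

```javascript
const http = require("http");

// Assumption: the only containers this app may control (hypothetical list).
const ALLOWED = new Set(["contA"]);
// Docker's own grammar for container names.
const NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9_.-]+$/;
const SOCKET = "/var/run/docker.sock";

// Build the Engine API request for one allowlisted container, or throw.
// Nothing here is passed to a shell, so there is no pipeline to inject into.
function buildRequest(name, action = "start") {
  if (typeof name !== "string" || !NAME_RE.test(name) || !ALLOWED.has(name)) {
    throw new Error("container not allowed");
  }
  if (action !== "start" && action !== "restart") {
    throw new Error("action not allowed");
  }
  const query = action === "restart" ? "?t=0" : ""; // t=0: do not wait before killing
  return {
    socketPath: SOCKET,
    method: "POST",
    path: `/containers/${encodeURIComponent(name)}/${action}${query}`,
  };
}

// Send the request over the mounted socket; resolves with the HTTP status.
// 204 = done, 304 = already started, 404 = no such container.
function runContainer(name, action = "start") {
  const opts = buildRequest(name, action); // validation happens before any I/O
  return new Promise((resolve, reject) => {
    const req = http.request(opts, (res) => {
      res.resume(); // drain the response body
      res.on("end", () => resolve(res.statusCode));
    });
    req.on("error", reject);
    req.end();
  });
}

// Hypothetical Express wiring; the name is fixed by the route, not by user input:
// app.post("/jobs/contA", async (_req, res) => res.json({ status: await runContainer("contA") }));
```

With this approach the Dockerfile no longer needs the `docker` client binary, since Node's `http` module speaks to the socket itself.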