0

I have a project that consists of dozens of dozens of containers per host. Until now, I have been using SSH/Ansible to spawn containers on my VMs on bootstrap, but now I would like a daemon to run on each host to start containers only when needed.

For better dependency management, I'd be glad if I could have my daemon run itself in a privileged container (security is not a problem), communicating with the host Docker daemon to run new containers (see the following schema). Is that possible in a non-hacky way, or does Docker completely forbid containers interacting with their underlying Docker daemon?

[Image: schema of the proposed setup (daemon in a privileged container talking to the host Docker daemon); image not available]

If this is not possible, can you tell me about your preferred way to programmatically launch docker containers? Thanks in advance :)

Adrien Luxey
  • 552
  • 1
  • 6
  • 16

1 Answer

5

I haven't used privileged containers much, but I think what you are proposing would work. However, another popular solution is mounting the docker socket to the container. That will achieve what you are trying to do.

docker run -v /var/run/docker.sock:/var/run/docker.sock <image> <cmd>

It's not recommended as you can see from the magnitude of recommendations against it in this simple google search. But since you don't worry about security you might be fine.

datacarl
  • 2,591
  • 25
  • 21
  • 1

Comments:

  • This, and the api docs for the win. https://docs.docker.com/engine/api/ – user2105103 Mar 17 '17 at 21:00
  • Thanks, it looks perfect. About security, I presume a daemon that can control Docker on the host is as root as a container with an exposed Docker socket, isn't it? – Adrien Luxey Mar 20 '17 at 09:18
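The following is an added example, not code from the question, the answer or the Docker project. It shows what a daemon started as the answer describes (with /var/run/docker.sock bind-mounted) can do against the host daemon using only the Python standard library and the Engine API linked in the comments: create and start a container, and audit running containers for the condition the last comment raises (a container that mounts the socket or runs privileged effectively has root on the host). Assumptions not on the page: Engine API field names (HostConfig.Privileged, HostConfig.Binds, Mounts) as documented at the linked URL, and the sample inspect document is constructed.

```python
"""Control the host Docker daemon over its Unix socket (stdlib only) and
audit containers for host-level control.  Added example; field names
follow the Docker Engine API docs (assumption), sample data is constructed."""
import http.client
import json
import socket

DOCKER_SOCK = "/var/run/docker.sock"  # the path the answer bind-mounts


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials a Unix socket instead of a TCP host."""

    def __init__(self, sock_path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.sock_path)


def api_request(method, path, body=None, sock_path=DOCKER_SOCK):
    """One Engine API call; returns (HTTP status, parsed JSON or None)."""
    conn = UnixHTTPConnection(sock_path)
    payload = json.dumps(body) if body is not None else None
    headers = {"Content-Type": "application/json"} if payload else {}
    conn.request(method, path, body=payload, headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    return resp.status, (json.loads(raw) if raw else None)


def build_create_request(image, cmd):
    """Body for POST /containers/create: deliberately unprivileged, since
    the daemon itself already holds full control through the socket."""
    return {
        "Image": image,
        "Cmd": list(cmd),
        "HostConfig": {
            "Privileged": False,
            "CapDrop": ["ALL"],
            "RestartPolicy": {"Name": "no"},
        },
    }


def run_container(image, cmd, sock_path=DOCKER_SOCK):
    """Create then start a container; returns its id (needs the live socket)."""
    status, created = api_request("POST", "/containers/create",
                                  build_create_request(image, cmd), sock_path)
    if status != 201:
        raise RuntimeError(f"create failed: {status} {created}")
    cid = created["Id"]
    status, _ = api_request("POST", f"/containers/{cid}/start", sock_path=sock_path)
    if status != 204:
        raise RuntimeError(f"start failed: {status}")
    return cid


def host_control_findings(inspect_json):
    """Given GET /containers/{id}/json output, list why this container is
    effectively root on the host: privileged mode or a docker.sock mount."""
    findings = []
    host = inspect_json.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged")
    sock_sources = set()  # a -v bind shows up in both Binds and Mounts
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src.endswith("docker.sock"):
            sock_sources.add(src)
    for m in inspect_json.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and src.endswith("docker.sock"):
            sock_sources.add(src)
    findings.extend(f"docker socket mounted from {s}" for s in sorted(sock_sources))
    return findings


# Constructed sample shaped like an inspect document for a container started
# with the answer's command; not captured from a real host.
SAMPLE_INSPECT = {
    "Id": "constructed0000",
    "HostConfig": {"Privileged": False,
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}

if __name__ == "__main__":
    # Live use from inside the daemon container: list and audit every container.
    _, containers = api_request("GET", "/containers/json")
    for c in containers or []:
        _, info = api_request("GET", f"/containers/{c['Id']}/json")
        print(c["Id"][:12], host_control_findings(info) or "no host-control findings")
```

The create request drops all capabilities and leaves Privileged off for the spawned containers; the one container that needs host control is the daemon itself, and host_control_findings is the check a host owner can run to enumerate exactly which containers hold that level of access.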