Create a socket for docker/docker Go API usage

[mathstuf]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind feature

Description

gitlab-runner tries to call to docker using the socket HTTP API. This does not work on CentOS 8 because podman-docker doesn't expose that API. I think a simple daemon that set up the socket and listened for the API calls and turned them into podman commands to run would suffice.

Steps to reproduce the issue:

1. Install podman-docker on CentOS8
2. Install gitlab-runner via https://docs.gitlab.com/runner/install/linux-repository.html (no CentOS8 repo yet; just using the 7 binaries)
3. gitlab-runner can't use docker because it expects the socket to exist. Any docker/docker Go library user will fail

Describe the results you expected:

podman-docker should also support the socket communication.

Output of podman version:

Version:       1.0.5
Go Version:    go1.11.6
OS/Arch:       linux/amd64

Additional environment details (AWS, VirtualBox, physical, etc.):

Physical CentOS8 host.

[baude]

hang tight and keep your eye on our repository.

[abitrolly]

The same problem with https://buildpacks.io/

✗ alias docker=podman
✗ pack build myapp --builder heroku/buildpacks:18
ERROR: failed to fetch builder image 'index.docker.io/heroku/buildpacks:18': Cannot connect to 
the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

May greatly simplify getting podman supported buildpacks/pack#413

[rhatdan]

If you guys would like to contribute, take a look at
https://github.com/containers/libpod/tree/apiv2

[abitrolly]

What to look at? Is it some sort of varlink wrapper?

[rhatdan]

No this is Podman implementing the Docker API.

[abitrolly]

I thought that varlink is the API and everything else should be a wrapper over that rather than rewrite.

[mheon]

There'll be more details in the future, but this is and will continue to be entirely separate from the Varlink API.

[github-actions]

A friendly reminder that this issue had no activity for 30 days.

[rhatdan]

The API server has merged into master, so we are a lot closer on this. Should have stuff you can play with in next couple of weeks on master branch.

[baude]

I think you can begin to playu with it now. Keep in mind it is very much unstable

[n1trux]

Can I somehow use this to create a podman socket where "legacy" docker applications can listen on?

I found this tutorial on setting up a varlink socket but it's incompatible or rather not a plug-in replacement to /var/run/docker.sock, right?

EDIT: Ooooh, I think I get it. There's support for an API server component in pkg/api/server/server.go, but there's actually no command to run said server, correct?

[mheon]

podman system service available starting in 1.8.1 (I believe) should do what you're looking for. Please note that HTTP API support is still very early and under heavy development.

[rhatdan]

The podman-docker package should be creating a link between the two sockets, at least that is what is supposed to happen.

ln -s /run/podman.sock /run/docker.sock

[abitrolly]

I am trying to use 3rd party utility that uses Docker socket. But running podman system service has no effect. podman 1.8.2 runs with the message This function is EXPERIMENTAL.

✗ pack build myapp --builder heroku/buildpacks:18
ERROR: failed to fetch builder image 'index.docker.io/heroku/buildpacks:18': Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

How is it supposed to work?

[rhatdan]

Podman service is created at /var/run/podman.sock (/run/podman.sock)
If you want to support docker, then ln -s /run/podman.sock /run/docker.sock

If you install podman-docker, it is supposed to create this link automatically, although I have not confirmed.

[baude]

did you run as root? else you would have to look closer at whatever error messages it gave. you can also curl the endpoint.

[abitrolly]

@baude run podman system service without run. It didn't complain about anything, and I thought everything is fine. Running with sudo didn't change anything, and I guess that's because /run/docker.sock is not created.

@rhatdan there is no /run/podman.sock regardless of if podman system service runs with sudo or without it.

$ ls -la /run/podman.sock
ls: cannot access '/run/podman.sock': No such file or directory

[mheon]

Probably at /run/podman/podman.sock by default AFAIK

[abitrolly]

@mheon path appears only when podman is run under root. Is it possible to still keep podman run in userspace?

$ sudo ls -la /run/podman/podman.sock
srwxr-xr-x. 1 root root 0 Apr  6 17:02 /run/podman/podman.sock

The socket is not accessible without root.

$ nc -U /run/podman/podman.sock
Ncat: Permission denied.

[mheon]

I think that, when run without root, we make a socket somewhere in /run/user/$UID/ but I'm not 100% sure that is implemented yet.

[mheon]

(The intention is that, if you want to run Podman rootless with the API, the service will also be running without root, on a separate socket than root)

[n1trux]

when run without root, we make a socket somewhere in /run/user/$UID/

That would be pretty great!

Could you tell me where the code for this feature is exactly? I don't really "get" the code yet.

[abitrolly]

podman indeed creates socket in /run/user/$UID/podman/podman.sock when running podman system service rootless.

$ nc -U /run/user/1000/podman/podman.sock
dsfsd
HTTP/1.1 400 Bad Request
...

[rhatdan]

Yes we definitely do NOT want /run/podman/podman.sock to be available to anything other then root. This would open a Huge security hole if this is is available to non root users.

[yajo]

The man page says it all. Yo might need to add the ˋ-tˋ parameter.

See https://www.mankier.com/1/podman-system-service

[abitrolly]

@yajo the man page specified invalid number of slashes - it should be unix://$XDG_RUNTIME_DIR/podman/podman.sock. Otherwise works fine.

Maybe podman system service could output the path to the socket it is listening to? For use in scripts, for example.

[abitrolly]

The full example how to redirect Docker API application to podman (using pack project - buildpacks/pack#564).

podman system service &
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock
pack build myapp --builder heroku/heroku-buildpack-ruby -v

The command above fails, but connection to podman is successful.