Can anyone explain docker.sock

docker.sock is the UNIX socket that the Docker daemon is listening on. It's the main entry point for the Docker API. It can also be a TCP socket, but by default, for security reasons, Docker uses a UNIX socket.

The Docker CLI client uses this socket to execute docker commands by default. You can override these settings as well.

There might be different reasons why you may need to mount the Docker socket inside a container, like launching new containers from within another container, or for auto service discovery and logging purposes. This increases the attack surface, so if you mount the Docker socket inside a container you should be careful that only trusted code runs inside that container; otherwise you can simply compromise the host that is running the Docker daemon, since Docker by default launches all containers as root.

The Docker socket belongs to a docker group in most installations, so users within that group can run docker commands against the Docker socket without root permission, but the actual Docker containers still get root permission since the Docker daemon effectively runs as root (it needs root permission to access namespaces and cgroups).

I hope it answers your question.

More info: https://docs.docker.com/engine/reference/commandline/dockerd/#examples


I know it's a bit late, but I hope my answer will give many insights.

Let me first talk about Unix Sockets

The term Sockets commonly refers to IP Sockets. These are the ones that are bound to a port (and address), we send TCP requests to, and get responses from.

Another type of socket is a Unix socket; these sockets are used for IPC (Interprocess Communication). They're also called Unix Domain Sockets (UDS). Unix sockets use the local filesystem for communication, while IP sockets use the network.

The Docker daemon can listen for Docker Engine API requests via three different types of Socket: unix, tcp, and fd.

By default, a unix domain socket (or IPC socket) is created at /var/run/docker.sock.

Let us see some live examples:

Docker Server uses this socket to listen to the REST API, and the clients use the socket to send API requests to the server.

curl can talk to a Unix Socket via the --unix-socket flag. Since Docker Server API is exposed as REST, we’d need to send commands over HTTP. Also, as this server is local (remember, the file system), we can pass any hostname in the URL (or stick to the localhost, that will work fine too!). The server does not care about the hostname, just the path.

curl --unix-socket /var/run/docker.sock http://localhost/images/json | jq

[
  {
    "Containers": -1,
    "Created": 1525888860,
    "Id": "sha256:24a77bfbb9ee3aeef9e24766ad6e9fa57f85c67596f154e8916e4f314067e149",
    "Labels": null,
    "ParentId": "",
    "RepoDigests": [
      "postgres@sha256:b06cdddba62f1550a1c674270814e72eaa8734d95912019b4ddc288b650ad67d"
    ],
    "RepoTags": null,
    "SharedSize": -1,
    "Size": 39507096,
    "VirtualSize": 39507096
  }
]

Some commands:

  • curl --unix-socket /var/run/docker.sock http://localhost/images/json | jq
  • curl --unix-socket /var/run/docker.sock http://localhost/containers/json | jq
  • curl -i -X POST --unix-socket /var/run/docker.sock "http://foo/images/a95fgf458dfd/tag?repo=redis&tag=foo"
  • curl --no-buffer --unix-socket /var/run/docker.sock http://localhost/events

You can do a lot of stuff with docker.sock

Check out this beautiful article.
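As an added illustration (not part of either answer), here is the same /images/json request done from Python instead of curl. So that it runs without Docker installed, it talks to a constructed stand-in for dockerd listening on a temporary socket path; the UnixHTTPConnection, FakeDaemonHandler and UnixHTTPServer names and the SAMPLE_IMAGES reply are all assumptions made for this example. It demonstrates the point above that the hostname in the URL is irrelevant and only the path is routed.

```python
import json, os, socket, tempfile, threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample reply, shaped like the /images/json output above (not real image data).
SAMPLE_IMAGES = [{"Id": "sha256:constructed", "RepoTags": ["postgres:example"], "Size": 39507096}]
class UnixHTTPConnection(HTTPConnection):
    # HTTP client that dials a Unix domain socket; 'host' only fills in the Host header.
    def __init__(self, socket_path, host="localhost"):
        super().__init__(host)
        self.socket_path = socket_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)

def docker_api_get(socket_path, api_path, host="localhost"):
    # GET one Engine API path over the socket; returns (HTTP status, decoded JSON body).
    conn = UnixHTTPConnection(socket_path, host)
    conn.request("GET", api_path)
    resp = conn.getresponse()
    status, data = resp.status, json.loads(resp.read())
    conn.close()
    return status, data

class FakeDaemonHandler(BaseHTTPRequestHandler):
    # Stand-in for dockerd: routes on the request path and never looks at the Host header.
    def do_GET(self):
        ok = self.path == "/images/json"
        body = json.dumps(SAMPLE_IMAGES if ok else {"message": "page not found"}).encode()
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # client_address is '' over AF_UNIX; keep logging quiet
        pass

class UnixHTTPServer(HTTPServer):
    address_family = socket.AF_UNIX  # listen on a filesystem path, exactly like dockerd
    def server_bind(self):  # HTTPServer's own server_bind assumes a (host, port) tuple
        self.socket.bind(self.server_address)

def demo(api_path="/images/json"):
    # Serve the fake daemon on a temp socket, then query it with an arbitrary hostname.
    sock_path = os.path.join(tempfile.mkdtemp(), "docker.sock")
    with UnixHTTPServer(sock_path, FakeDaemonHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return docker_api_get(sock_path, api_path, host="foo")  # "foo" is ignored
        finally:
            server.shutdown()
            os.unlink(sock_path)
```

Point docker_api_get at /var/run/docker.sock instead of the temporary path to query a real daemon, which requires the same socket permissions the answers describe.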