I have a container that needs to run other containers at some point.

I use group_add to add my container's user to the host's docker user group.

This works fine if I set the group id, but not with the group name. Documentation says it should work with both (https://docs.docker.com/compose/compose-file/compose-file-v2/#group_add). Any ideas on this issue?

Here is a simplified version of my docker-compose file:

version: '2.1'
services:
    my-worker:
        image: workers/data-handler:1.0.2
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
        group_add:
            - 994 #docker group id
        command: run
CC BY-SA 4.0

1 Answer

It is likely that the docker group inside the image does not have the same group id as the host. Check the group id of docker inside the container:

$ getent group docker | cut -d: -f3

When you use group_add: docker it looks up the docker group inside the container, so your user won't have the right permissions. Since you are mounting the docker.sock file, it will use the host permissions (including ids), so you need to provide the correct id.

I have not got this to work in my environment in a workable fashion and resorted to a shell script instead of docker-compose since it worked in my use case and I am not using the extra functionality docker-compose provides.

#!/bin/bash

# Look up the docker group's GID on the host, where docker.sock lives
DOCKER_GROUP=$(getent group docker | cut -d: -f3)
docker run \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --group-add "$DOCKER_GROUP" \
    workers/data-handler:1.0.2
CC BY-SA 4.0
  • 2
    The docker group gid inside the container should be irrelevant according to the docker run documentation (unless there's a bug in a corner case when --group-add=name conflicts with an existing name inside the container and it silently ignores the command). The official Docker documentation shows that --group-add=docker will look up the GID on the host, and map that through to the same GID inside the container and grant the executing container user membership in that group regardless of whether the host group is specified by name or explicit GID.
    – mtalexan
    Commented Dec 13, 2023 at 14:41
  • 2
    @mtalexan could you point me to the documentation? I didn't see that level of detail on the docker run reference page. Maybe this functionality has been added in the last 2 and a half years, and I will try to see if I can reproduce with the latest docker I have installed.
    – clcto
    Commented Dec 13, 2023 at 21:17
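
The lookup the answer describes, as an added example that is not part of the original answer or of Docker's code: a group_add name is resolved against the image's own group file, so it only helps when that GID equals the one owning the mounted socket. The group file contents and the GID 101 are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the lookup the answer describes, on constructed data.

# Print the GID that a group_add value resolves to, given a group file in
# /etc/group format. Numeric values pass through; names are looked up.
resolve_group_add() {
    value=$1 group_file=$2
    case $value in
        ''|*[!0-9]*) ;;                      # not purely numeric: treat as a name
        *) printf '%s\n' "$value"; return 0 ;;
    esac
    gid=$(awk -F: -v name="$value" '$1 == name { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1                # name not defined in this group file
    printf '%s\n' "$gid"
}

# Succeed only if the resolved GID equals the GID that owns the mounted socket.
# Returns 2 when the value cannot be resolved at all.
grants_socket_access() {
    socket_gid=$1 requested=$2 image_group_file=$3
    resolved=$(resolve_group_add "$requested" "$image_group_file") || return 2
    [ "$resolved" = "$socket_gid" ]
}

# Constructed sample: an image whose own "docker" group has GID 101, while the
# host socket is owned by GID 994 (the value used in the question).
demo_group_file() {
    f=$(mktemp)
    printf 'root:x:0:\ndocker:x:101:\nworker:x:1000:\n' > "$f"
    printf '%s\n' "$f"
}

main() {
    image_groups=$(demo_group_file)
    for v in 994 docker; do
        if grants_socket_access 994 "$v" "$image_groups"; then
            echo "group_add: $v -> matches socket GID 994"
        else
            echo "group_add: $v -> does NOT match socket GID 994"
        fi
    done
    rm -f "$image_groups"
}

main
```

On a real host, the socket's owning GID can be read with `stat -c '%g' /var/run/docker.sock`, and an image's group file with `docker run --rm --entrypoint cat IMAGE /etc/group`.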
