/var/run/docker.sock:/tmp/docker.sock:ro big problem for rootless docker about acme-companion HOT 6 CLOSED

Hi.

I don't get what you mean by "checking the left side of the mapping", this is a Docker bind mount, the left side is where your socket is located on your host, --volume /run/user/UID/docker.sock:/var/run/docker.sock:ro should work if you Docker socket is located at /run/user/UID/docker.sock. If it does not, this is not because the container "check" the left side value.

What might be confusing is that nginx-proxy and acme-companion both expect the socket to be located in different places inside the running container:

• nginx-proxy expects it at /tmp/docker.sock so --volume /var/run/docker.sock:/tmp/docker.sock:ro
• acme-companion expects it at /var/run/docker.sock so --volume /var/run/docker.sock:/var/run/docker.sock:ro

from acme-companion.

You're right, what I write in the left part shouldn't matter as long as my docker socket is in that location. But the problem is that letsencrypt issues an error saying that the docker socket should be mapped to /var/run/docker.sock.

But I found a workaround which is to modify the Dockerfile:

ENV COMPANION_VERSION=$GIT_DESCRIBE \
    DOCKER_HOST=unix:///var/run/docker.sock \
    PATH=$PATH:/app

and change here the location of /var/run/docker.sock. That worked for me.

But still in principle, letsencrypt shouldn't issue an error because the left side is not located at /var/run/docker.sock. Only if the RIGHT side is not /var/run/docker.sock.

from acme-companion.

Could you provide the command line or Docker compose file that gives you an error ?

from acme-companion.

sorry to say that this was quite a while ago. Tried to recreate the env on a virtual box without success. I'll let you know if I can reproduce.

And thanks for responding, much appreciated.

from acme-companion.

I checked the code again and I can assure you that there is nothing in the code that check the leftmost part of the socket bind mount.

Again --volume /run/user/$UID/docker.sock:/var/run/docker.sock:ro should work without any modification of anything.

The important thing is that you keep the right part identical to what the image expect be default (:/var/run/docker.sock:ro) but the left part (and the left part only) can be any path to a valid Docker socket on your host machine.

--volume /run/user/$UID/docker.sock:/run/user/$UID/docker.sock:ro on the other and will not work out of the box : if you really want or need to change the in-container Docker socket location (the right part of the bind mount), you can just provide DOCKER_HOST as an environment variable to the container, no need to modify the Dockerfile.

Example:

docker run --detach \
    --name nginx-proxy-acme \
    --volumes-from nginx-proxy \
    --volume acme:/etc/acme.sh \
    --env "DOCKER_HOST=unix:///foo/bar/docker.sock" \
    --volume /run/user/$UID/docker.sock:/foo/bar/docker.sock:ro \
    nginxproxy/acme-companion

I'm closing this for now because there really isn't anything on the code that check the leftmost part of the socket bind mount against a known value, and I was unable to reproduce this issue. Feel free to re-open if you're able to reproduce.

from acme-companion.

@buchdag thank you again for making sure. That might explain why I can't reproduce this error.

I've been using acme-companion for quite a while now and was very surprised when I did get this error.

Is it possible that the code has since been modified? It's also possible of course that I made a mistake, although at the time I checked many many times. And I also remember quite clearly having copied/paste the mapping from the nginx config to acme-companion and still getting that error.

In any case, thank you again for rechecking! Much obliged.

from acme-companion.