volumes: support for api-socket volume type

stevvooe · stevvooe · commit 0108788e5de1 · 2025-04-14T18:49:49.000-07:00
The `api-socket` volume type allows an easy path to run containers that
need access to the Docker API socket with a simple configuration on the
service definition:

    service:
      foo:
        ...
        volumes:
          - type: api-socket

The bind mount and credentials are automatically injected using existing
service infrastructure. Some work is still needed to make this a bit
more robust.

Signed-off-by: Stephen Day &lt;stephen.day@docker.com&gt;
diff --git a/pkg/compose/create.go b/pkg/compose/create.go
@@ -37,6 +37,7 @@ import (
 	"github.com/docker/compose/v2/pkg/prompt"
 	"github.com/docker/compose/v2/pkg/utils"
 	"github.com/docker/docker/api/types/blkiodev"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/mount"
@@ -50,6 +51,11 @@ import (
 	cdi "tags.cncf.io/container-device-interface/pkg/parser"
 )
 
+const (
+	secretsDir = "/run/secrets/"
+	dockerConfigPathInContainer = secretsDir+"/docker/config.json"
+)
+
 type createOptions struct {
 	AutoRemove        bool
 	AttachStdin       bool
@@ -241,6 +247,11 @@ func (s *composeService) getCreateConfigs(ctx context.Context,
 	proxyConfig := types.MappingWithEquals(s.configFile().ParseProxyConfig(s.apiClient().DaemonHost(), nil))
 	env := proxyConfig.OverrideBy(service.Environment)
 
+	if hasAPISocket(service) {
+		// Inject the Docker API socket credentials path in the environment.
+		env = append(env, "DOCKER_CONFIG="+path.Dir(dockerConfigPathInContainer))
+	}
+
 	var mainNwName string
 	var mainNw *types.ServiceNetworkConfig
 	if len(service.Networks) > 0 {
@@ -371,6 +382,14 @@ func (s *composeService) getCreateConfigs(ctx context.Context,
 	return cfgs, nil
 }
 
+func hasAPISocket(service types.ServiceConfig) bool {
+	for _, v := range service.Volumes {
+		if v.Type == "api-socket" {
+			return true
+		}
+	}
+}
+
 // prepareContainerMACAddress handles the service-level mac_address field and the newer mac_address field added to service
 // network config. This newer field is only compatible with the Engine API v1.44 (and onwards), and this API version
 // also deprecates the container-wide mac_address field. Thus, this method will validate service config and mutate the
@@ -1001,7 +1020,7 @@ func (s *composeService) buildContainerMountOptions(ctx context.Context, p types
 		}
 	}
 
-	mounts, err := fillBindMounts(p, service, mounts)
+	mounts, err := s.fillBindMounts(p, service, mounts)
 	if err != nil {
 		return nil, err
 	}
@@ -1013,9 +1032,9 @@ func (s *composeService) buildContainerMountOptions(ctx context.Context, p types
 	return values, nil
 }
 
-func fillBindMounts(p types.Project, s types.ServiceConfig, m map[string]mount.Mount) (map[string]mount.Mount, error) {
+func (s *composeService) fillBindMounts(p types.Project, service types.ServiceConfig, m map[string]mount.Mount) (map[string]mount.Mount, error) {
 	for _, v := range s.Volumes {
-		bindMount, err := buildMount(p, v)
+		bindMount, err := s.buildMount(p, v)
 		if err != nil {
 			return nil, err
 		}
@@ -1096,11 +1115,13 @@ func buildContainerConfigMounts(p types.Project, s types.ServiceConfig) ([]mount
 	return values, nil
 }
 
-func buildContainerSecretMounts(p types.Project, s types.ServiceConfig) ([]mount.Mount, error) {
+func (s *composeService) buildContainerSecretMounts(p types.Project, service types.ServiceConfig) ([]mount.Mount, error) {
 	mounts := map[string]mount.Mount{}
 
-	secretsDir := "/run/secrets/"
-	for _, secret := range s.Secrets {
+	var secrets []types.ServiceSecretConfig
+
+
+	for _, secret := range secrets {
 		target := secret.Target
 		if secret.Target == "" {
 			target = secretsDir + secret.Source
@@ -1171,7 +1192,7 @@ func isWindowsAbs(p string) bool {
 	return false
 }
 
-func buildMount(project types.Project, volume types.ServiceVolumeConfig) (mount.Mount, error) {
+func (s *composeService) buildMount(project types.Project, volume types.ServiceVolumeConfig) (mount.Mount, error) {
 	source := volume.Source
 	// on windows, filepath.IsAbs(source) is false for unix style abs path like /var/run/docker.sock.
 	// do not replace these with  filepath.Abs(source) that will include a default drive.
@@ -1192,14 +1213,33 @@ func buildMount(project types.Project, volume types.ServiceVolumeConfig) (mount.
 		}
 	}
 
+	vtype := mount.Type(volume.Type)
+	if volume.Type == "api-socket" { // TODO: use VolumeTypeAPISocket when compose-go PR merged
+		vtype = mount.TypeBind // rewrite to a bind mount
+
+		if volume.Source == "" {
+			socketPath := s.dockerCli.DockerEndpoint().Host
+			if !strings.HasPrefix(socket, "unix://") {
+				return "", fmt.Errorf("flag --use-api-socket can only be used with unix sockets: docker endpoint %s incompatible", socket)
+			}
+			socket = strings.TrimPrefix(socket, "unix://") // should we confirm absolute path?
+			volume.Source = socketPath
+		}
+
+		if volume.Target == "" {
+			volume.Target = "/var/run/docker.sock"
+		}
+	}
+
 	bind, vol, tmpfs, img := buildMountOptions(volume)
 
 	if bind != nil {
-		volume.Type = types.VolumeTypeBind
+		vtype = mount.TypeBind
 	}
 
+
 	return mount.Mount{
-		Type:          mount.Type(volume.Type),
+		Type:          vtype,
 		Source:        source,
 		Target:        volume.Target,
 		ReadOnly:      volume.ReadOnly,
@@ -1212,7 +1252,7 @@ func buildMount(project types.Project, volume types.ServiceVolumeConfig) (mount.
 }
 
 func buildMountOptions(volume types.ServiceVolumeConfig) (*mount.BindOptions, *mount.VolumeOptions, *mount.TmpfsOptions, *mount.ImageOptions) {
-	if volume.Type != types.VolumeTypeBind && volume.Bind != nil {
+	if (volume.Type != types.VolumeTypeBind && volume.Type != "api-socket" && volume.Bind != nil { // TODO: use VolumeTypeAPISocket when compose-go PR merged
 		logrus.Warnf("mount of type `%s` should not define `bind` option", volume.Type)
 	}
 	if volume.Type != types.VolumeTypeVolume && volume.Volume != nil {
@@ -1228,6 +1268,8 @@ func buildMountOptions(volume types.ServiceVolumeConfig) (*mount.BindOptions, *m
 	switch volume.Type {
 	case "bind":
 		return buildBindOption(volume.Bind), nil, nil, nil
+	case "api-socket":
+		return nil, nil, nil, nil // defer to defaults when binding the API socket
 	case "volume":
 		return nil, buildVolumeOptions(volume.Volume), nil, nil
 	case "tmpfs":
@@ -1242,6 +1284,7 @@ func buildBindOption(bind *types.ServiceVolumeBind) *mount.BindOptions {
 	if bind == nil {
 		return nil
 	}
+
 	opts := &mount.BindOptions{
 		Propagation:      mount.Propagation(bind.Propagation),
 		CreateMountpoint: bind.CreateHostPath,
diff --git a/pkg/compose/secrets.go b/pkg/compose/secrets.go
@@ -25,11 +25,39 @@ import (
 	"time"
 
 	"github.com/compose-spec/compose-go/v2/types"
+	"github.com/docker/cli/cli/config/configfile"
 	"github.com/docker/docker/api/types/container"
 )
 
 func (s *composeService) injectSecrets(ctx context.Context, project *types.Project, service types.ServiceConfig, id string) error {
-	for _, config := range service.Secrets {
+	if hasAPISocket(service) {
+		// Generate a "secret" for the authconfig for the API socket.
+		creds, err := s.dockerCli.ConfigFile().GetAllCredentials()
+		if err != nil {
+			return fmt.Errorf("resolving credentials failed: %w", err)
+		}
+
+		// Create a new config file with just the auth.
+		newConfig := &configfile.ConfigFile{
+			AuthConfigs: creds,
+		}
+		var configBuf bytes.Buffer
+		if err := newConfig.SaveToWriter(&configBuf); err != nil {
+			return fmt.Errorf("saving creds for API socket: %w", err)
+		}
+
+		mode := types.FileMode(0o400)
+		b, err := createTar(configBuf.String(), types.FileReferenceConfig{
+			Target: dockerConfigPathInContainer,
+			Mode:   &mode,
+		})
+
+		if err = s.apiClient().CopyToContainer(ctx, id, "/", &b, container.CopyToContainerOptions{}); err != nil {
+			return fmt.Errorf("copying creds for API socket: %w", err)
+		}
+	}
+
+	for _, config := range secrets {
 		file := project.Secrets[config.Source]
 		if file.Environment == "" {
 			continue
@@ -40,9 +68,9 @@ func (s *composeService) injectSecrets(ctx context.Context, project *types.Proje
 		}
 
 		if config.Target == "" {
-			config.Target = "/run/secrets/" + config.Source
+			config.Target = secretsDir + config.Source
 		} else if !isAbsTarget(config.Target) {
-			config.Target = "/run/secrets/" + config.Target
+			config.Target = secretsDir + config.Target
 		}
 
 		content := file.Content
