feat: Use socat for the Docker socket if needed

Roemer · Roemer · commit 1cb8e365bba5 · 2025-11-11T15:49:14.000Z
diff --git a/features/src/docker-out/README.md b/features/src/docker-out/README.md
@@ -6,7 +6,7 @@ Installs a Docker client which re-uses the host Docker socket.
 
 ```json
 "features": {
-    "ghcr.io/postfinance/devcontainer-features/docker-out:0.3.0": {
+    "ghcr.io/postfinance/devcontainer-features/docker-out:0.4.0": {
         "version": "latest",
         "composeVersion": "latest",
         "buildxVersion": "latest",
@@ -36,7 +36,7 @@ Installs a Docker client which re-uses the host Docker socket.
 
 ### VS Code Extensions
 
-- `ms-azuretools.vscode-docker`
+- `ms-azuretools.vscode-containers`
 
 ## Notes
 
diff --git a/features/src/docker-out/devcontainer-feature.json b/features/src/docker-out/devcontainer-feature.json
@@ -1,6 +1,6 @@
 {
     "id": "docker-out",
-    "version": "0.3.0",
+    "version": "0.4.0",
     "name": "Docker outside Docker",
     "description": "Installs a Docker client which re-uses the host Docker socket.",
     "options": {
@@ -51,7 +51,7 @@
             "default": "",
             "description": "The download URL to use for Docker binaries."
         },
-        "versionsUrl":{
+        "versionsUrl": {
             "type": "string",
             "default": "",
             "description": "The URL to use for checking available versions."
@@ -70,14 +70,14 @@
     "customizations": {
         "vscode": {
             "extensions": [
-                "ms-azuretools.vscode-docker"
+                "ms-azuretools.vscode-containers"
             ]
         }
     },
     "mounts": [
         {
             "source": "/var/run/docker.sock",
-            "target": "/var/run/docker.sock",
+            "target": "/var/run/docker-host.sock",
             "type": "bind"
         }
     ],
diff --git a/features/src/docker-out/docker-init.sh b/features/src/docker-out/docker-init.sh
@@ -1,27 +1,82 @@
 #!/usr/bin/env bash
 set -e
 
-# Find the GID of the socket
-SOCKET_GID=$(stat -c '%g' /var/run/docker.sock)
-
-# Find an existing group with the same GID
-# This is needed eg. for alpine which already has GID 999 (ping)
-# If this breaks some things, we might need to implement a solution based on socat
-EXISTING_GROUP=$(getent group $SOCKET_GID | cut -d: -f1)
-if [ -n "$EXISTING_GROUP" ]; then
-  # Delete this group
-  sudo groupdel $EXISTING_GROUP
-fi
+# Wrapper function to only use sudo if not already root
+sudoIf() {
+    if [ "$(id -u)" -ne 0 ]; then
+        sudo "$@"
+    else
+        "$@"
+    fi
+}
+
+# Source socket (socket on the host)
+SOURCE_SOCKET="${SOURCE_SOCKET:-"/var/run/docker-host.sock"}"
+# Target socket (socket in the container)
+TARGET_SOCKET="${TARGET_SOCKET:-"/var/run/docker.sock"}"
 
 # Determine the correct user
 USERNAME="${USERNAME:-"${_REMOTE_USER:-"auto"}"}"
 if [ "${USERNAME}" = "auto" ]; then
   USERNAME=$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)
 fi
 
-# Create a matching docker group in the container and add the current user to it
-sudo groupadd -g $SOCKET_GID docker
-sudo usermod -a -G docker $USERNAME
+# Check if the docker group exists
+if ! getent group docker > /dev/null 2>&1; then
+  # Create the docker group
+  echo "Adding missing docker group"
+  sudoIf groupadd --system docker
+fi
+
+# Add the user to the docker group
+sudoIf usermod -a -G docker $USERNAME
+
+# By default, make the source and target sockets the same
+if [ "${SOURCE_SOCKET}" != "${TARGET_SOCKET}" ]; then
+    sudoIf touch "${SOURCE_SOCKET}"
+    sudoIf ln -s "${SOURCE_SOCKET}" "${TARGET_SOCKET}"
+fi
+
+# Get the id of the docker group
+DOCKER_GID=$(getent group docker | cut -d: -f3)
+
+# Find the GID of the source socket
+SOCKET_GID=$(stat -c '%g' ${SOURCE_SOCKET})
+
+# If the group ids don't match, we need to adjust
+if [ "$DOCKER_GID" = "$SOCKET_GID" ]; then
+  echo "Docker group GID matches socket GID ($DOCKER_GID), no changes needed."
+else
+  # Find an existing group with the same GID as the source socket
+  EXISTING_GROUP=$(getent group $SOCKET_GID | cut -d: -f1)
+  # If no group is found, just adjust the docker group to match the socket GID
+  if [ -z "$EXISTING_GROUP" ]; then
+    echo "Adjusting docker group GID ($DOCKER_GID) to match socket GID ($SOCKET_GID)."
+    sudoIf groupmod -g $SOCKET_GID docker
+  else
+    # Use socat
+    echo "Using socat to bridge socket from GID $SOCKET_GID to docker GID $DOCKER_GID."
+    sudoIf rm -rf ${TARGET_SOCKET}
+    # Check if socat is installed
+    if command -v socat > /dev/null 2>&1; then
+      echo "socat is already installed."
+    else
+      echo "socat is not installed. Installing socat."
+      if command -v apt-get > /dev/null 2>&1; then
+        # Apt-based
+        sudoIf apt-get update && sudoIf apt-get install -y socat
+      elif command -v apk > /dev/null 2>&1; then
+        # Apk-based
+        sudoIf apk add socat
+      else
+        echo "Error: socat is required but could not be installed. Please install socat manually."
+        exit 1
+      fi
+    fi
+    # Create the socat bridge
+    sudoIf socat UNIX-CONNECT:${SOURCE_SOCKET} UNIX-LISTEN:${TARGET_SOCKET},fork,user=${USERNAME},group=docker,mode=660
+  fi
+fi
 
 # Execute whatever commands were passed in (if any). This allows us
 # to set this script to ENTRYPOINT while still executing the default CMD.
