feat: automatically add socket's group when using --use-api-socket

Author: felipecrs

cli/command/container/create.go

@@ -257,11 +257,16 @@ func createContainer(ctx context.Context, dockerCLI command.Cli, containerCfg *c
 		// hard-code engine socket path until https://github.com/moby/moby/pull/43459 gives us a discovery mechanism
 		containerCfg.HostConfig.Mounts = append(containerCfg.HostConfig.Mounts, mount.Mount{
 			Type:        mount.TypeBind,
-			Source:      "/var/run/docker.sock",
-			Target:      "/var/run/docker.sock",
+			Source:      dockerSocketPath,
+			Target:      dockerSocketPath,
 			BindOptions: &mount.BindOptions{},
 		})
 
+		// Automatically add the socket's group so that non-root users (e.g.,
+		// when using --user) can access the socket without needing an explicit
+		// --group-add flag.
+		addSocketGroup(&hostConfig.GroupAdd, dockerSocketPath)
+
 		/*
 
 		   Ideally, we'd like to copy the config into a tmpfs but unfortunately,

cli/command/container/use_api_socket_unix.go

@@ -0,0 +1,24 @@
+//go:build !windows
+
+package container
+
+import (
+	"os"
+	"strconv"
+	"syscall"
+)
+
+// addSocketGroup appends the GID of the socket file at path to groupAdd, so
+// non-root users can access the socket without an explicit --group-add flag.
+// Errors are silently ignored; this is best-effort.
+func addSocketGroup(groupAdd *[]string, path string) {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return
+	}
+	stat, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return
+	}
+	*groupAdd = append(*groupAdd, strconv.FormatUint(uint64(stat.Gid), 10))
+}

cli/command/container/use_api_socket_windows.go

@@ -0,0 +1,5 @@
+package container
+
+// addSocketGroup is a no-op on Windows; the Windows engine is already rejected
+// earlier in createContainer via the OSType check.
+func addSocketGroup(_ *[]string, _ string) {}