feat: automatically add socket's group when using --use-api-socket

felipecrs · felipecrs · commit 232d4bde718c · 2026-05-19T01:08:18.000-03:00
Signed-off-by: Felipe Santos &lt;felipecassiors@gmail.com&gt;
diff --git a/cli/command/container/create.go b/cli/command/container/create.go
@@ -36,6 +36,12 @@ const (
 	PullImageNever   = "never"
 )
 
+// dockerSocketPath is the path to the Docker Engine API socket.
+//
+// TODO(thaJeztah): hard-coded until https://github.com/moby/moby/pull/43459
+// provides a discovery mechanism.
+const dockerSocketPath = "/var/run/docker.sock"
+
 type createOptions struct {
 	name         string
 	platform     string
@@ -254,13 +260,13 @@ func createContainer(ctx context.Context, dockerCLI command.Cli, containerCfg *c
 			return "", errors.New("flag --use-api-socket can't be used with a Windows Docker Engine")
 		}
 
-		// hard-code engine socket path until https://github.com/moby/moby/pull/43459 gives us a discovery mechanism
-		containerCfg.HostConfig.Mounts = append(containerCfg.HostConfig.Mounts, mount.Mount{
+		hostConfig.Mounts = append(hostConfig.Mounts, mount.Mount{
 			Type:        mount.TypeBind,
-			Source:      "/var/run/docker.sock",
-			Target:      "/var/run/docker.sock",
+			Source:      dockerSocketPath,
+			Target:      dockerSocketPath,
 			BindOptions: &mount.BindOptions{},
 		})
+		addSocketGroup(&hostConfig.GroupAdd, dockerSocketPath)
 
 		/*
 
diff --git a/cli/command/container/use_api_socket_unix.go b/cli/command/container/use_api_socket_unix.go
@@ -0,0 +1,24 @@
+//go:build !windows
+
+package container
+
+import (
+	"os"
+	"strconv"
+	"syscall"
+)
+
+// addSocketGroup appends the GID of the socket file at path to groupAdd, so
+// non-root users can access the socket without an explicit --group-add flag.
+// Errors are silently ignored; this is best-effort.
+func addSocketGroup(groupAdd *[]string, path string) {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return
+	}
+	stat, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return
+	}
+	*groupAdd = append(*groupAdd, strconv.FormatUint(uint64(stat.Gid), 10))
+}
diff --git a/cli/command/container/use_api_socket_windows.go b/cli/command/container/use_api_socket_windows.go
@@ -0,0 +1,4 @@
+package container
+
+// addSocketGroup is a no-op on Windows.
+func addSocketGroup(_ *[]string, _ string) {}
