support `containerd` listen on `--address=fd://`

[dungdm93]

What is the problem you're trying to solve

As Docker gradually moves to paid subscription, I'd like to use continaerd & nerdctl instead. However, nerdctl need to be run as root or require containerd run in rootless mode.
It would be nice if have a way to nerdctl access system containerd (from non-root user) and provide same experiment as docker does.

Describe the solution you'd like

Any non-root users can interact with docker as long as they are in docker group. It's because /var/run/docker.sock which controlled by docker.socket run as mod 0660 and group docker:

And then in docker.service, it use socket pre-created from systemd (-H fd://) instead of create its own (Moby code)

In containerd side, when I run /usr/bin/containerd -a fd://, I got the following error:

I look like ttrpc socket issue.

Additional context

> containerd --version
containerd containerd.io 1.4.11 5b46e404f6b9f661a205e28d59c982d3634148f8
> docker version
Client: Docker Engine - Community
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:08:29 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Mon Oct  4 16:06:37 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.11
  GitCommit:        5b46e404f6b9f661a205e28d59c982d3634148f8
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

[AkihiroSuda]

It would be nice if have a way to nerdctl access system containerd (from non-root user) and provide same experiment as docker does.

Why not just use sudo nerdctl?

[dungdm93]

@AkihiroSuda because of sudo

[MoHelmys]

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version: dial unix /var/run/docker.sock: connect: permission denied code example

Use This for Ubuntu:

sudo chmod 666 /var/run/docker.sock

Example 1: Got permission denied while trying to connect to the Docker daemon socket
sudo chmod 666 /var/run/docker.sock
Example 2: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: dial unix /var/run/docker.sock: connect: permission denied
sudo usermod -aG docker ${USER}
Example 3: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock:
newgrp docker
Example 4: got permission denied docker
docker deamon permission issue

Example 5: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/auth: dial unix /var/run/docker.sock: connect: permission denied
docker permission for linux ec2 Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/auth: dial unix /var/run/docker.sock: connect: permission denied
docker permission for linux ec2

[thaJeztah]

Use This for Ubuntu:

sudo chmod 666 /var/run/docker.sock

Please DON'T recommend this. Permissions on /var/run/docker.sock are like that for a reason; access to /var/run/docker.sock is equivalent to root access on the host. Changing the permissions of the socket to be accessible everyone means granting all users root access. See https://docs.docker.com/go/attack-surface/

[metux]

Why that funny way of letting systemd creating the socket in the first place, instead of just doing it the classic way via fs ?

[slonopotamus]

Why that funny way of letting systemd creating the socket in the first place, instead of just doing it the classic way via fs ?

That way systemd can launch containerd only when someone tries to talk to it.

See #10454 for a more straightforward approach to the same issue.

[samuelkarp]

Closing in favor of #10454, which seems to capture the same request (but without systemd socket activation). If there is a request for socket activation generally (e.g., not conflated with group access), feel free to open a new issue.