What's the best way to run a service that needs access to dockerd?

I have a non-containerized backend service (Go binary) that needs to spin up short-lived docker containers.

The way I got this working was using the exec driver and passing in a DRIVER_HOST environment variable to use the host’s docker daemon (the one that Nomad uses).

The issue that I run into is:

  • The Go binary creates a temp directory in /tmp and mounts this into the container.
  • The directory is created with the nobody user in the isolated environment
  • When this directory is mounted as a volume in Docker, the container cannot “see” the directory since the directory was initially created in the isolated environment.

What would be the best way to create this setup? Of course, the escape hatch is to use the raw_exec driver but it doesn’t look like a secure option since everything runs as root by default.
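The setup described in the question (a Go service creating a per-job scratch directory, bind-mounting it into a short-lived container on the host's dockerd, and running as an unprivileged user) as an added, stand-alone example; it is not code from the original post, from Nomad or from Docker. It talks to the Docker Engine API (version path v1.41) over the unix socket named by DOCKER_HOST using only the standard library. HOST_TMP_ROOT is a hypothetical setting standing in for a directory that exists at the same path for the service and for dockerd; the example does not solve the chroot question itself, it only makes the host-visible path an explicit input and refuses paths that cannot be a bind source. The container is run as the service's own uid:gid so the 0700 scratch directory needs no chmod 777 and no chown (which a process running as nobody could not do anyway). The image name, the /work mount point and the `touch /work/ok` command are illustrative.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// bindSpec formats a bind mount as "host:container" for HostConfig.Binds. hostDir must be the
// path as dockerd sees it: a path that exists only inside a task chroot resolves to nothing on the host.
func bindSpec(hostDir, containerDir string) (string, error) {
	if !filepath.IsAbs(hostDir) || !filepath.IsAbs(containerDir) {
		return "", fmt.Errorf("bind paths must be absolute: %q, %q", hostDir, containerDir)
	}
	return filepath.Clean(hostDir) + ":" + filepath.Clean(containerDir), nil
}

// dockerClient speaks HTTP over dockerd's unix socket; the URL host in requests is a placeholder.
func dockerClient(sock string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", sock)
		},
	}}
}

// call sends one Engine API request, JSON-encoding in (if any) and decoding the reply into out (if any).
func call(c *http.Client, method, path string, in, out any) error {
	var buf bytes.Buffer
	if in != nil {
		if err := json.NewEncoder(&buf).Encode(in); err != nil {
			return err
		}
	}
	req, err := http.NewRequest(method, "http://docker/v1.41"+path, &buf)
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 {
		return fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
	}
	if out != nil {
		return json.NewDecoder(resp.Body).Decode(out)
	}
	return nil
}

// runScratchJob makes a private 0700 scratch dir under hostRoot, bind-mounts it at /work in a container
// running as this process's uid:gid (so no chmod 777 or chown is needed), waits for it, removes it.
func runScratchJob(c *http.Client, hostRoot, image string, cmd []string) (int, error) {
	dir, err := os.MkdirTemp(hostRoot, "job-") // hostRoot == "" falls back to os.TempDir()
	if err != nil {
		return -1, err
	}
	bind, err := bindSpec(dir, "/work")
	if err != nil {
		return -1, err
	}
	create := map[string]any{ // body for POST /containers/create
		"Image": image, "Cmd": cmd, "User": fmt.Sprintf("%d:%d", os.Getuid(), os.Getgid()),
		"HostConfig": map[string]any{"Binds": []string{bind}},
	}
	var created struct{ Id string }
	if err := call(c, http.MethodPost, "/containers/create", create, &created); err != nil {
		return -1, err
	}
	defer call(c, http.MethodDelete, "/containers/"+created.Id+"?force=true", nil, nil)
	if err := call(c, http.MethodPost, "/containers/"+created.Id+"/start", nil, nil); err != nil {
		return -1, err
	}
	var waited struct{ StatusCode int }
	if err := call(c, http.MethodPost, "/containers/"+created.Id+"/wait", nil, &waited); err != nil {
		return -1, err
	}
	return waited.StatusCode, nil
}

func main() {
	// DOCKER_HOST is expected as unix://<socket>; HOST_TMP_ROOT (hypothetical) must be a host-visible path.
	c := dockerClient(strings.TrimPrefix(os.Getenv("DOCKER_HOST"), "unix://"))
	code, err := runScratchJob(c, os.Getenv("HOST_TMP_ROOT"), "alpine:3.19", []string{"touch", "/work/ok"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("container exit status:", code)
}
```

The scratch directory is deliberately left in place so the caller can collect whatever the container wrote to /work; the container itself is force-removed once it has exited. Two caveats worth keeping in mind with this pattern: if HOST_TMP_ROOT points at a path that only exists inside the task's isolation (the situation in the question), `bindSpec` cannot detect that, because the path is absolute and valid from the service's point of view, so the check has to be made against the host's view of the filesystem; and anything that can reach the Docker socket can start a container with the host root bind-mounted, so whichever user the service runs as is effectively root on that host regardless of how unprivileged the service process itself is.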