Mount daemon Docker socket for nested workloads

gtsiolis · gtsiolis · commit fe1e43f6d1be · 2026-03-20T18:22:35.000+02:00
diff --git a/internal/runtime/docker.go b/internal/runtime/docker.go
@@ -63,22 +63,15 @@ func probeSocket(candidates ...string) string {
 	return ""
 }
 
-// SocketPath returns the Unix socket path used by the Docker client.
-// Returns the actual path for the standard /var/run/docker.sock so callers
-// can bind-mount it into containers. Returns empty string for non-standard
-// sockets (Colima, OrbStack) which communicate with VMs and cannot be
-// bind-mounted. Called by internal/container/start.go to decide whether
-// to add a Docker socket bind-mount when starting LocalStack.
+// SocketPath returns the daemon-visible Unix socket path to bind-mount into
+// containers so LocalStack can launch nested workloads such as Lambda functions.
+// Even when the CLI connects through a user-scoped socket (for example Colima),
+// the daemon resolves bind mounts inside its own environment where the socket is
+// exposed at /var/run/docker.sock.
 func (d *DockerRuntime) SocketPath() string {
 	host := d.client.DaemonHost()
 	if strings.HasPrefix(host, "unix://") {
-		sock := strings.TrimPrefix(host, "unix://")
-		// Skip bind-mount for non-standard sockets (Colima, OrbStack, etc.)
-		// These sockets communicate with VMs and cannot be bind-mounted
-		if sock != "/var/run/docker.sock" {
-			return ""
-		}
-		return sock
+		return "/var/run/docker.sock"
 	}
 	return ""
 }
diff --git a/internal/runtime/docker_test.go b/internal/runtime/docker_test.go
@@ -40,25 +40,25 @@ func TestProbeSocket_ReturnsEmptyForNoCandidates(t *testing.T) {
 }
 
 func TestSocketPath_ExtractsUnixPath(t *testing.T) {
-	t.Run("standard socket returns path", func(t *testing.T) {
+	t.Run("standard socket returns daemon path", func(t *testing.T) {
 		cli, err := client.NewClientWithOpts(client.WithHost("unix:///var/run/docker.sock"))
 		require.NoError(t, err)
 		rt := &DockerRuntime{client: cli}
 		assert.Equal(t, "/var/run/docker.sock", rt.SocketPath())
 	})
 
-	t.Run("non-standard socket returns empty", func(t *testing.T) {
+	t.Run("non-standard socket returns daemon path", func(t *testing.T) {
 		cli, err := client.NewClientWithOpts(client.WithHost("unix:///home/user/.colima/default/docker.sock"))
 		require.NoError(t, err)
 		rt := &DockerRuntime{client: cli}
-		assert.Equal(t, "", rt.SocketPath(), "non-standard sockets should return empty to skip bind-mount")
+		assert.Equal(t, "/var/run/docker.sock", rt.SocketPath())
 	})
 
-	t.Run("orbstack socket returns empty", func(t *testing.T) {
+	t.Run("orbstack socket returns daemon path", func(t *testing.T) {
 		cli, err := client.NewClientWithOpts(client.WithHost("unix:///Users/user/.orbstack/run/docker.sock"))
 		require.NoError(t, err)
 		rt := &DockerRuntime{client: cli}
-		assert.Equal(t, "", rt.SocketPath(), "non-standard sockets should return empty to skip bind-mount")
+		assert.Equal(t, "/var/run/docker.sock", rt.SocketPath())
 	})
 }
 
diff --git a/test/integration/start_test.go b/test/integration/start_test.go
@@ -168,14 +168,10 @@ func TestStartCommandSetsUpContainerCorrectly(t *testing.T) {
 			t.Skip("Docker daemon is not reachable via unix socket")
 		}
 
-		// Skip bind-mount assertion for non-standard sockets (Colima, OrbStack)
-		// since these communicate with VMs and cannot be bind-mounted
-		if dockerClient.DaemonHost() != "unix:///var/run/docker.sock" {
-			t.Skip("Docker daemon uses non-standard socket (Colima/OrbStack) - socket not bind-mounted")
-		}
-
 		assert.True(t, hasBindTarget(inspect.HostConfig.Binds, "/var/run/docker.sock"),
 			"expected Docker socket bind mount to /var/run/docker.sock, got: %v", inspect.HostConfig.Binds)
+		assert.True(t, hasBindSource(inspect.HostConfig.Binds, "/var/run/docker.sock"),
+			"expected Docker socket bind mount from /var/run/docker.sock, got: %v", inspect.HostConfig.Binds)
 
 		envVars := containerEnvToMap(inspect.Config.Env)
 		assert.Equal(t, "unix:///var/run/docker.sock", envVars["DOCKER_HOST"])
@@ -224,6 +220,16 @@ func hasBindTarget(binds []string, containerPath string) bool {
 	return false
 }
 
+func hasBindSource(binds []string, hostPath string) bool {
+	for _, b := range binds {
+		parts := strings.Split(b, ":")
+		if len(parts) >= 2 && parts[0] == hostPath {
+			return true
+		}
+	}
+	return false
+}
+
 func cleanup() {
 	ctx := context.Background()
 	_ = dockerClient.ContainerStop(ctx, containerName, container.StopOptions{})
