Can I launch Docker-in-Docker without using the --privileged flag

I would like to use Docker-in-Docker, however --privileged gives full access to devices. Is there a way to run this using a combination of volumes and cap-add, etc. instead?

+7
security docker
2 answers

Unfortunately, no, you must use the --privileged flag to launch Docker in Docker; you can see the official announcement, where they indicate that this is one of the many purposes of the --privileged flag.

Basically, you need more access to host system devices to launch Docker than when you work without --privileged.

+6

Yes, you can run Docker in Docker without the --privileged flag. This involves mounting the Docker socket in the container as follows:

  docker run -it -v /var/run/docker.sock:/var/run/docker.sock \
      -v $(which docker):/bin/docker \
      alpine docker ps -a

This mounts the Docker socket and executable into the container and runs docker ps -a inside the alpine container. Jerome Petazzoni, the author of the "dind" script, who has done a lot of work on the --privileged flag, had this to say about Docker in Docker:

https://jpetazzo.imtqy.com/2015/09/03/do-not-use-docker-in-docker-for-ci/

I have been using this approach for a while and it works very well.

A caveat with this approach is that it doesn't handle storage well. You are better off using data volume containers or named volumes rather than bind-mounting directories. Since you are using the Docker socket from the host, any directories that you want to mount into the child container must be given in the host's context, not the parent container's. This is strange. I have had good luck with data volume containers.

+4
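The host-path requirement the answer above describes, worked through as an added example; this is not code from either answer. With the host's docker.sock mounted, the "child" is really a sibling container started by the host daemon, so every -v path must be one the host daemon can resolve. The script assumes the outer container's mount table is read with docker inspect --format '{{range .Mounts}}{{.Destination}} {{.Source}}{{"\n"}}{{end}}' "$(hostname)" (a container's hostname defaults to its short container ID), uses a constructed sample of that output so it runs offline, and the function names host_path and sibling_run_cmd are my own:

```shell
#!/bin/sh
# Added example, not from the original answers. It works through the storage
# caveat: with the host's docker.sock mounted, a "child" container is really a
# sibling started by the host daemon, so every -v path must be a HOST path.
#
# Assumed: the outer container's mount table was obtained with
#   docker inspect --format '{{range .Mounts}}{{.Destination}} {{.Source}}{{"\n"}}{{end}}' "$(hostname)"
# (the container's hostname defaults to its short ID). The table below is a
# CONSTRUCTED sample of that output so the script runs offline.
SAMPLE_MOUNTS='/work/node_modules /var/lib/ci-cache/node_modules
/work /home/ci/workspace
/var/run/docker.sock /var/run/docker.sock'

# host_path CONTAINER_PATH MOUNT_TABLE
# Prints the host-side path for a path seen inside the outer container.
# Fails if the path is on the container's own writable layer: the host daemon
# cannot bind-mount that into a sibling, which is why bind-mounting build
# directories silently breaks under this pattern.
host_path() {
    cpath=$1
    table=$2
    best_dest=''
    best_src=''
    # Longest matching mount destination wins, so nested mounts resolve correctly.
    while read -r dest src; do
        [ -n "$dest" ] || continue
        case "$cpath" in
            "$dest"|"$dest"/*)
                if [ "${#dest}" -gt "${#best_dest}" ]; then
                    best_dest=$dest
                    best_src=$src
                fi
                ;;
        esac
    done <<EOF
$table
EOF
    if [ -z "$best_dest" ]; then
        echo "host_path: $cpath is not backed by a host mount; a sibling container cannot see it" >&2
        return 1
    fi
    # Swap the container-side prefix for the host-side prefix, keeping the remainder.
    printf '%s\n' "${best_src}${cpath#"$best_dest"}"
}

# sibling_run_cmd CONTAINER_PATH MOUNT_TABLE IMAGE CMD...
# Builds the docker command for a sibling container with CONTAINER_PATH (as the
# host sees it) mounted at /src. Printed rather than executed so it can be
# reviewed first: anything sent through the socket runs with host-daemon authority.
sibling_run_cmd() {
    hp=$(host_path "$1" "$2") || return 1
    image=$3
    shift 3
    printf 'docker run --rm -v %s:/src %s %s\n' "$hp" "$image" "$*"
}

# When run as a script with a container-side path as the first argument and
# the socket mounted, use the live mount table instead of the sample.
if [ "$#" -gt 0 ] && [ -S /var/run/docker.sock ] && command -v docker >/dev/null 2>&1; then
    LIVE_MOUNTS=$(docker inspect --format '{{range .Mounts}}{{.Destination}} {{.Source}}{{"\n"}}{{end}}' "$(hostname)")
    sibling_run_cmd "$1" "$LIVE_MOUNTS" alpine ls -la /src
fi
```

Two things to keep in mind with this pattern. Whoever can write to the mounted docker.sock can ask the host daemon for a privileged container with the host's root filesystem bind-mounted, so this is not a least-privilege substitute for --privileged; it moves the trust boundary to the socket, and a container holding it should be treated as host root. And the -v $(which docker):/bin/docker trick in the answer only works when the host's CLI is statically linked, because the alpine image has no glibc; otherwise use an image that already ships the CLI, such as the official docker image.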
