Is it possible to run docker from inside dockers?

I am running Jenkins inside a Docker container. I wonder if it's good for the Jenkins container to also be a Docker host? I'm thinking of starting a new docker container for each integration test build from within Jenkins (to run databases, message brokers, etc.). Therefore, containers should be disconnected after completion of integration tests. Is there any reason to avoid running docker containers from inside another docker container this way?

+149
docker jenkins docker-dind
Jan 10 '15 at 18:29
3 answers

Running Docker inside Docker (aka dind) should be avoided whenever possible, if at all possible. (The source is presented below.) Instead, you want to configure the way for your main container to produce and communicate with twin containers.

Jerome Petazzoni - the author of the feature that allowed Docker to run inside the Docker container - actually wrote a blog post saying not to do this. The use case that he describes corresponds to the specific use case of the OP's CI Docker container, which should run tasks inside other Docker containers.

Petazzoni lists two reasons why this is trouble:

  • It interacts poorly with Linux Security Modules (LSMs).
  • It creates a mismatch on file systems, which creates problems for containers created inside parent containers.

From this blog post, he describes the following alternative:

The easiest way is to simply expose the Docker socket in your CI container by associating it with the -v flag.

Simply put, when you launch your CI container (Jenkins or another), instead of hacking something with Docker-in-Docker, start it with

 docker run -v /var/run/docker.sock:/var/run/docker.sock ... 

Now this container will have access to the Docker socket and, therefore, will be able to launch containers. Except that instead of launching "child" containers, it launches "sibling" containers.

+180
Oct 07 '15 at 10:10
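What the sibling-container approach looks like in a Jenkins job, as an added example that is not from the question or any answer here: the Jenkins container was started with the socket mounted as shown above, and the script starts the test databases and brokers beside it, then removes them when the build ends (the asker's requirement). The label key `ci.build`, the container names `pg`/`mq`, the images and the `DOCKER_SOCK` variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: start integration-test dependencies as sibling containers from
# a Jenkins container that was launched with
#   docker run -v /var/run/docker.sock:/var/run/docker.sock ...
# and remove them when the build ends. The label key, container names and
# images are assumptions made for this example. DOCKER=echo gives a dry run.
set -e
DOCKER="${DOCKER:-docker}"
SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
LABEL_KEY="ci.build"   # assumed label used to find the containers of one build

# Refuse to continue if the socket is not mounted. Anyone who can write to this
# socket controls the host's Docker daemon, so mount it into the CI container
# only, never into the containers it starts.
check_socket() {
  [ -S "$SOCK" ] || { echo "docker socket $SOCK is not mounted" >&2; return 1; }
}

# sibling_start BUILD_ID NAME IMAGE [extra docker run args...]
# The container is created by the host daemon, next to the CI container, not
# inside it; the label lets cleanup find everything this build started.
sibling_start() {
  build="$1"; name="$2"; image="$3"; shift 3
  "$DOCKER" run -d --name "${name}-${build}" \
    --label "${LABEL_KEY}=${build}" "$@" "$image"
}

# sibling_cleanup BUILD_ID: force-remove every container carrying the build's
# label, so nothing is left running after a failed or aborted test run.
sibling_cleanup() {
  build="$1"
  "$DOCKER" ps -aq --filter "label=${LABEL_KEY}=${build}" |
    while read -r id; do
      if [ -n "$id" ]; then "$DOCKER" rm -f "$id"; fi
    done
}

# Shape of a Jenkins job: start dependencies, run tests, always clean up.
main() {
  build="$1"
  check_socket
  trap 'sibling_cleanup "$build"' EXIT
  sibling_start "$build" pg postgres:16 -e POSTGRES_PASSWORD=ci >/dev/null
  sibling_start "$build" mq rabbitmq:3 >/dev/null
  # ... run the integration tests against pg-$build and mq-$build here ...
}

if [ "${1:-}" = "run" ]; then main "$2"; fi
```

Because the containers run on the host daemon, any `-v` path you pass to `sibling_start` is interpreted on the host, not inside the Jenkins container.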

Earlier, I answered a similar question about how to run a Docker container inside Docker .

Running docker inside docker is definitely possible. The main thing is that you run the outer container with additional privileges (starting it with --privileged=true), and then install docker in this container.

Check out this blog post for more info: Docker-in-Docker.

One possible use case for this is described in this entry. The blog post describes how to create Docker containers in a Jenkins Docker container.

However, Docker inside Docker is not the recommended approach for solving this type of problem. Instead, it is recommended that you create "sibling" containers as described in this post.

Thus, launching Docker inside Docker was considered by many to be a good solution to this type of problem. Now, the trend is to use "sister" containers instead. See @predmijat's answer on this page for more information.

+47
Jan 10 '15 at 18:33

You can run Docker-in-Docker (DinD), and in fact Docker (the company) has an official DinD image for this.

However, the caveat is that this requires a privileged container, which, depending on your security needs, may not be a viable alternative.

An alternative solution, launching Docker using sibling containers (also called Docker-out-of-Docker or DooD), does not require a privileged container, but has several drawbacks that stem from the fact that you start the container from a context that is different from the one in which it runs (i.e. you start the container from the container, but it runs at the host level, not inside the container).

I wrote a blog describing the pros and cons of DinD vs DooD here.

Having said that, Nestybox (the startup I just founded) is working on a solution that safely runs a real Docker-in-Docker (without using privileged containers). You can check it out at www.nestybox.com.

0
Sep 18 '19 at 19:52
