Sometimes we want Docker inside Docker, for example in a CI pipeline, for Jenkins Docker-based dynamic agents in your CI/CD pipelines, or for sandboxed environments and experimental workstations.
Here are three methods. (1) and (2) need to be secured, as they have more privileges over your Docker daemon. You can use a firewall in Docker or make it rootless.
The following articles can help you:
Why hackers 'first love' a docker container? Hacking Docker
manish srivastava ・ Jun 4 '20
and
New Type of Docker : Rootless + Safer : for every Docker user.
manish srivastava ・ Jun 1 '20
In method 3, we will use Sysbox.
Method 1: Docker in Docker Using [/var/run/docker.sock]
If you are on the same host where the Docker daemon is running, you can use /var/run/docker.sock to manage containers.
To run Docker inside Docker, all you have to do is run docker with the daemon's default Unix socket, docker.sock, mounted as a volume.
docker run -v /var/run/docker.sock:/var/run/docker.sock \
-ti docker
Now, from within the container, you should be able to execute docker commands for building and pushing images to the registry.
Start the Docker container in interactive mode, mounting docker.sock as a volume. We will use the official docker image.
docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker
# Inside the container
docker pull ubuntu
# When you list the images, you should see the ubuntu image along with the other images on your host VM,
# because every docker command here goes to the host's daemon through the mounted socket
docker images
# Now create a Dockerfile inside a test directory and build it
mkdir test && cd test
vi Dockerfile
docker build -t test-image .
Method 2: Docker in Docker Using dind
Note: This requires your container to be run in privileged mode.
docker run --privileged -d --name dind-test docker:dind
docker exec -it dind-test /bin/sh
# Inside the dind container
docker pull ubuntu
docker images
mkdir test && cd test
vi Dockerfile
# Create the Dockerfile and then build it
docker build -t test-image .
Method 3: Docker in Docker Using Sysbox Runtime
Methods 1 and 2 have disadvantages in terms of security, because the base containers run in privileged mode (or hold the host's Docker socket, which amounts to the same thing). Nestybox tries to solve that problem with the Sysbox Docker runtime. However, with a firewall implementation you can get a security layer; check my article above.
(1) Get Sysbox CE
Community edition, based on the open-source Sysbox.
nestybox / sysbox
An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Introduction
Sysbox is an open-source and free container runtime (a specialized "runc") originally developed by Nestybox (acquired by Docker on 05/2022), that enhances containers in two key ways:
- Improves container isolation:
  - Linux user-namespace on all containers (i.e., root user in the container has zero privileges on the host).
  - Virtualizes portions of procfs & sysfs inside the container.
  - Hides host info inside the container.
  - Locks the container's initial mounts, and more.
- Enables containers to run same workloads as VMs:
  - With Sysbox, containers can run system-level software such as systemd, Docker, Kubernetes, K3s, buildx, legacy apps, and more seamlessly & securely.
  - This software can run inside Sysbox containers without modification and without using special versions of the software (e.g., rootless variants).
  - No privileged containers, no complex images, no tricky entrypoints, no special volume mounts, etc.
Think of it as a "container supercharger": it enables your existing container managers /…
At the time of writing this article, the supported distros are:
Ubuntu Bionic (18.04), Ubuntu Focal (20.04), Debian Buster (10), Debian Bullseye (11), Fedora 31, Fedora 32, CentOS 8
Installing:
git clone --recursive git@github.com:nestybox/sysbox.git
cd sysbox
make sysbox
sudo make install
# Once Sysbox is installed, start it with:
sudo ./scr/sysbox
# Configure Docker to register the sysbox-runc runtime:
sudo ./scr/docker-cfg --sysbox-runtime=enable
(2) Use Sysbox
docker run --runtime=sysbox-runc --name sysbox-dind -d docker:dind
docker exec -it sysbox-dind /bin/sh
CONGRATULATIONS :)
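As an added example (not part of the original post, and not Sysbox's or Docker's own code), a small POSIX shell audit that applies the comparison between the three methods: it reads the fields docker inspect reports for each running container and flags the two host-equivalent setups (the docker.sock bind mount of method 1, the --privileged flag of method 2), while a container on the sysbox-runc runtime of method 3 passes. The container names and the inspect template are assumptions for illustration.

```shell
#!/bin/sh
# Go template for `docker inspect`; yields one line per container:
#   <name> <privileged> <runtime> <mount source> <mount source> ...
INSPECT_FMT='{{.Name}} {{.HostConfig.Privileged}} {{.HostConfig.Runtime}}{{range .Mounts}} {{.Source}}{{end}}'

# classify_line <name> <privileged> <runtime> [mount sources...]
# Prints "<name> ok|HOST-EQUIVALENT ..." and returns 0 when the container is
# acceptable, 1 when it effectively controls the host's Docker daemon.
classify_line() {
    name=$1; privileged=$2; runtime=$3; shift 3
    verdict=""
    # Method 2 style: --privileged gives the container all host capabilities
    [ "$privileged" = "true" ] && verdict="${verdict}privileged "
    # Method 1 style: the daemon socket mounted in means full control of the host
    for src in "$@"; do
        case $src in
            /var/run/docker.sock|/run/docker.sock) verdict="${verdict}docker.sock-mounted " ;;
        esac
    done
    if [ -n "$verdict" ]; then
        printf '%s HOST-EQUIVALENT: %s(runtime=%s)\n' "$name" "$verdict" "$runtime"
        return 1
    fi
    printf '%s ok (runtime=%s)\n' "$name" "$runtime"
    return 0
}

# audit_running: classify every running container on this host.
# Returns 1 if any container is host-equivalent, 0 otherwise.
audit_running() {
    rc=0
    for id in $(docker ps -q); do
        # unquoted on purpose: the template output is space-separated fields
        classify_line $(docker inspect --format "$INSPECT_FMT" "$id") || rc=1
    done
    return $rc
}
```

Run audit_running on a host carrying the three containers from this post: sysbox-dind passes, while the socket-mounted container and dind-test are reported as host-equivalent.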
Here is a nice article
Further:
I was one of the attendees in this meeting. You can find the co-founder speaking about Sysbox at https://bluejeans.com/s/Qq_IsjrnOaG (20.05 minutes).
Top comments (3)
This is a great one. I was only aware of using [/var/run/docker.sock], which is given in the official Docker blog. Thanks for sharing these with us. I will definitely try this out.
Here's the article which I wrote about a year ago, when I was only aware of using [/var/run/docker.sock] to run a container within a container and deploy a basic website using this concept, integrating Jenkins with it.
emagazine26.blogspot.com/2020/05/c...
I wanted to do so, thanks ;)
One question. Why is your Twitter account suspended?