DEV Community

Cover image for DOCKER INSIDE DOCKER
manish srivastava
manish srivastava

Posted on

DOCKER INSIDE DOCKER

#docker #linux #devops #beginners

Sometimes we want Docker inside Docker. For Example :the CI pipeline, Jenkins Docker-based dynamic agents for your CI/CD pipelines, Sandboxed environments or experimental workstations.

Here are three methods. (1) and (2) are need to be secured as they have more privileges over your docker daemon. You can use firewall in docker or make it rootless.

Following articles can help you :

manishfoodtechs

Adding FIREWALL to Docker

manish srivastava ・ Jul 4 ・ 2 min read

#devops #docker #beginners #linux
manishfoodtechs

Why hackers 'first love' a docker container? Hacking Docker

manish srivastava ・ Jun 4 '20 ・ 21 min read

#docker #linux #showdev #devops

and

manishfoodtechs

New Type of Docker : Rootless + Safer : for every Docker user.

manish srivastava ・ Jun 1 '20 ・ 9 min read

#docker #linux #devops #showdev

In 3 method, we will use sysbox.

Method 1: Docker in Docker Using [/var/run/docker.sock]

If you are on the same host where Docker daemon is running, you can use the /var/run/docker.sock to manage containers.

To run docker inside docker, all you have to do it just run docker with the default Unix socket docker.sock as a volume.

docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -ti docker
Enter fullscreen mode Exit fullscreen mode

Now, from within the container, you should be able to execute docker commands for building and pushing images to the registry.

Start Docker container in interactive mode mounting the docker.sock as volume. We will use the official docker image.

docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker

#Inside Container

docker pull ubuntu

#When you list the docker images, you should see the ubuntu image along with other docker images in your host VM

docker images

# Now create a Dockerfile inside test directory
and RUN DOCKER FILE
docker build -t test-image .
Enter fullscreen mode Exit fullscreen mode

Method 2: Docker in Docker Using dind

Note: This requires your container to be run in privileged mode.

docker run --privileged -d --name dind-test docker:dind
docker exec -it dind-test /bin/sh
docker pull ubuntu
docker images
mkdir test && cd test
vi Dockerfile
#Create Docker file and then run
docker build -t test-image
Enter fullscreen mode Exit fullscreen mode

Method 3: Docker in Docker Using Sysbox Runtime

Method 1 & 2 has some disadvantages in terms of security because of running the base containers in privileged mode. Nestybox tries to solve that problem by having a sysbox Docker runtime. However , with firewall implementation you can get a security layer. Check my above article.

(1) Get Sysbox CE
Community edition, based on the open-source Sysbox.

GitHub logo nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.

sysbox

GitHub license build status

Introduction

Sysbox is an open-source container runtime (aka runc), originally developed by Nestybox, that enhances containers in two key ways:

  • Improves container isolation: Sysbox always enables the Linux user-namespace on containers (i.e., root user in the container has zero privileges on the host), hides host info inside the container, locks the container's initial mounts, and more.

  • Enables containers to act as VMs: with Sysbox, containers become capable of running most workloads that run in physical hosts or VMs, including systemd, Docker, Kubernetes, and more, seamlessly and with proper isolation (no privileged containers, no complex images, no tricky entrypoints, no special volume mounts, etc.)

Sysbox is an OCI-based "runc", meaning that you typically use Docker and Kubernetes to deploy these enhanced containers (in fact Sysbox works under the covers, you don't interact with it directly). Thus there is no need to learn new tools or modify your existing container…

View on GitHub

At the time of writing article supported distros are:
Ubuntu Bionic (18.04),Ubuntu Focal (20.04),Debian Buster (10),Debian Bullseye (11),Fedora 31,Fedora 32,CentOS 8

Installing :

git clone --recursive git@github.com:nestybox/sysbox.git
make sysbox
sudo make install
#Once Sysbox is installed, you start it with:
sudo ./scr/sysbox
#Configuring Docker
sudo ./scr/docker-cfg --sysbox-runtime=enable
Enter fullscreen mode Exit fullscreen mode

(2)USE SYSBOX

docker run --runtime=sysbox-runc --name sysbox-dind -d docker:dind
docker exec -it sysbox-dind /bin/sh
Enter fullscreen mode Exit fullscreen mode

CONGRATULATIONS :)

Here is a nice article

Further :
I was one of the attendee in this meeting . You can find co founder speaking about sysbox https://bluejeans.com/s/Qq_IsjrnOaG 20.05 Minutes

Click here for joining my team

Top comments (3)

Collapse
 
abhinavd26 profile image
Abhinav Dubey

This is great one. I was only aware of Using [/var/run/docker.sock] which is given in official blog of Docker. Thanks for sharing these with us. Definitely will try this out.
Here's the article which I wrote about a year ago when I was only aware of using [/var/run/docker.sock] to run a container within contianer and deploy a basic website using this concept integrating Jenkins with it.

emagazine26.blogspot.com/2020/05/c...

Collapse
 
lepinekong profile image
lepinekong

I wanted to do so thanks ;)

Collapse
 
mccurcio profile image
Matt Curcio

One question. Why is your Twitter act. suspended?

Read next

art_ptushkin profile image

How to configure DNS caching timeout in a Spring Boot docker image?

Artem Ptushkin -

aymanepraxe profile image

Mastering JWT Security

aymane aallaoui -

hirushafernando profile image

Automate Docker Image Building , Tagging And Publishing With Github Actions

Hirusha Fernando -

gyanshukumar profile image

Introduction to REST_API

Gyanshu Kumar -