manish srivastava
DOCKER INSIDE DOCKER

Sometimes we want Docker inside Docker. For example: CI pipelines, Jenkins Docker-based dynamic agents for your CI/CD pipelines, sandboxed environments or experimental workstations.

Here are three methods. Methods (1) and (2) need to be secured, as they give the container extra privileges over your Docker daemon. You can use a firewall in Docker or make it rootless.

The following articles can help you:

In method 3, we will use Sysbox.

Method 1: Docker in Docker Using [/var/run/docker.sock]

If you are on the same host where the Docker daemon is running, you can use /var/run/docker.sock to manage containers.

To run Docker inside Docker, all you have to do is run the docker image with the daemon's default Unix socket, docker.sock, mounted as a volume.

docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -ti docker

Now, from within the container, you should be able to execute docker commands for building images and pushing them to the registry.

Start a Docker container in interactive mode, mounting docker.sock as a volume. We will use the official docker image.

docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker

# Inside the container
docker pull ubuntu

# When you list the images, you should see the ubuntu image along with the other images on your host VM
docker images

# Now create a Dockerfile inside a test directory and build it
mkdir test && cd test
vi Dockerfile
docker build -t test-image .

Method 2: Docker in Docker Using dind

Note: this requires the container to be run in privileged mode.

docker run --privileged -d --name dind-test docker:dind
docker exec -it dind-test /bin/sh
docker pull ubuntu
docker images
mkdir test && cd test
vi Dockerfile
# Create the Dockerfile and then build it (the build context "." is required)
docker build -t test-image .

Method 3: Docker in Docker Using Sysbox Runtime

Methods 1 and 2 have security disadvantages, because the base containers run in privileged mode or with direct access to the host's Docker daemon. Nestybox tries to solve that problem with the Sysbox Docker runtime. However, with a firewall implementation you can still add a security layer; check my article above.
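As an added example that is not part of the original post, here is a small audit that tells the three methods apart from `docker inspect` output: it flags the host-socket mount (method 1) and `--privileged` (method 2) and reports the runtime, so a `sysbox-runc` container (method 3) shows up with no findings. The container names and the trimmed inspect records are constructed for the example; the field names (`HostConfig.Privileged`, `HostConfig.Binds`, `HostConfig.Runtime`, `Mounts`) are the real ones Docker emits.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"


def audit_container(rec: dict) -> dict:
    """Audit one `docker inspect` record for the patterns methods 1 and 2 rely on."""
    host_cfg = rec.get("HostConfig") or {}
    findings = []
    # Method 2: --privileged gives the container all capabilities and host devices.
    if host_cfg.get("Privileged"):
        findings.append("privileged")
    # Method 1: the host socket may appear in HostConfig.Binds ("src:dst[:opts]")
    # or, when passed with --mount, only in the Mounts array; check both.
    sources = [b.split(":")[0] for b in host_cfg.get("Binds") or []]
    sources += [m.get("Source", "") for m in rec.get("Mounts") or []]
    if DOCKER_SOCK in sources:
        findings.append("docker-socket")
    # Method 3 is recognisable by the runtime; Docker reports "runc" when unset.
    return {"runtime": host_cfg.get("Runtime") or "runc", "findings": findings}


def audit_all(inspect_output: str) -> dict:
    """Audit the JSON array printed by `docker inspect $(docker ps -q)`, keyed by name."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(inspect_output)}


# Constructed sample: trimmed inspect records, one container per method in the article.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/sock-test",
     "HostConfig": {"Privileged": False, "Runtime": "runc",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/dind-test",
     "HostConfig": {"Privileged": True, "Runtime": "runc", "Binds": None}, "Mounts": []},
    {"Name": "/sysbox-dind",
     "HostConfig": {"Privileged": False, "Runtime": "sysbox-runc", "Binds": None}, "Mounts": []},
])

if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: runtime={result['runtime']} findings={result['findings'] or 'none'}")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_all` to list which running containers could control the daemon.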

(1) Get Sysbox CE
Community edition, based on the open-source Sysbox.

GitHub: nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.


Introduction

Sysbox is an open-source and free container runtime (a specialized "runc") originally developed by Nestybox (acquired by Docker on 05/2022), that enhances containers in two key ways:

  • Improves container isolation:

    • Linux user-namespace on all containers (i.e., root user in the container has zero privileges on the host).

    • Virtualizes portions of procfs & sysfs inside the container.

    • Hides host info inside the container.

    • Locks the container's initial mounts, and more.

  • Enables containers to run same workloads as VMs:

    • With Sysbox, containers can run system-level software such as systemd, Docker, Kubernetes, K3s, buildx, legacy apps, and more, seamlessly and securely.

    • This software can run inside Sysbox containers without modification and without using special versions of the software (e.g., rootless variants).

    • No privileged containers, no complex images, no tricky entrypoints, no special volume mounts, etc.

Think of it as a "container supercharger": it enables your existing container managers /…

At the time of writing this article, the supported distros are:
Ubuntu Bionic (18.04), Ubuntu Focal (20.04), Debian Buster (10), Debian Bullseye (11), Fedora 31, Fedora 32, CentOS 8

Installing:

git clone --recursive git@github.com:nestybox/sysbox.git
cd sysbox
make sysbox
sudo make install
# Once Sysbox is installed, you start it with:
sudo ./scr/sysbox
# Configure Docker to use the Sysbox runtime
sudo ./scr/docker-cfg --sysbox-runtime=enable

(2) Use Sysbox

docker run --runtime=sysbox-runc --name sysbox-dind -d docker:dind
docker exec -it sysbox-dind /bin/sh

CONGRATULATIONS :)

Here is a nice article

Further:
I was one of the attendees at this meeting. You can find the co-founder speaking about Sysbox at https://bluejeans.com/s/Qq_IsjrnOaG (20.05 minutes).

Top comments (3)

Abhinav Dubey

This is a great one. I was only aware of using [/var/run/docker.sock], which is given in the official Docker blog. Thanks for sharing these with us. I will definitely try this out.
Here's the article which I wrote about a year ago, when I was only aware of using [/var/run/docker.sock] to run a container within a container and deploy a basic website using this concept, integrating Jenkins with it.

emagazine26.blogspot.com/2020/05/c...

lepinekong

I wanted to do so, thanks ;)

Matt Curcio

One question. Why is your Twitter act. suspended?