Is it ok to run docker from inside docker

Question

I m running Jenkins inside a Docker container  I wonder if it s ok for the Jenkins container to also be a Docker host  What I m thinking about is to start a new docker container for each integration test build from inside Jenkins  to start databases  message brokers etc   The containers should thus be shutdown after the integration tests are completed  Is there a reason to avoid running docker containers from inside another docker container in this way

User · Answer

Yes  we can run docker in docker  we ll need to attach the unix sockeet   var run docker sock  on which the docker daemon listens by default as volume to the parent docker using  -v  var run docker sock  var run docker sock   Sometimes  permissions issues may arise for docker daemon socket for which you can write  sudo chmod 757  var run docker sock    And also it would require to run the docker in privileged mode  so the commands would be   sudo chmod 757  var run docker sock  docker run --privileged true -v  var run docker sock  var run docker sock -it

User · Answer

Running Docker inside Docker  a k a  dind   while possible  should be avoided  if at all possible   Source provided below   Instead  you want to set up a way for your main container to produce and communicate with sibling containers   J  r  me Petazzoni     the author of the feature that made it possible for Docker to run inside a Docker container     actually wrote a blog post saying not to do it  The use case he describes matches the OP s exact use case of a CI Docker container that needs to run jobs inside other Docker containers    Petazzoni lists two reasons why dind is troublesome    It does not cooperate well with Linux Security Modules  LSM   It creates a mismatch in file systems that creates problems for the containers created inside parent containers    From that blog post  he describes the following alternative        The  simplest way is to just expose the Docker socket to your CI container  by bind-mounting it with the -v flag       Simply put  when you start your CI container  Jenkins or other   instead of hacking something together with Docker-in-Docker  start it with   docker run -v  var run docker sock  var run docker sock           Now this container will have access to the Docker socket  and will therefore be able to start containers  Except that instead of starting  child  containers  it will start  sibling  containers

User · Answer

I answered a similar question before on how to run a Docker container inside Docker   To run docker inside docker is definitely possible  The main thing is that you run the outer container with extra privileges  starting with --privileged true  and then install docker in that container  Check this blog post for more info  Docker-in-Docker  One potential use case for this is described in this entry  The blog describes how to build docker containers within a Jenkins docker container  However  Docker inside Docker it is not the recommended approach to solve this type of problems  Instead  the recommended approach is to create  quot sibling quot  containers as described in this post  So  running Docker inside Docker was by many considered as a good type of solution for this type of problems  Now  the trend is to use  quot sibling quot  containers instead  See the answer by  predmijat on this page for more info

User · Answer

It s OK to run Docker-in-Docker  DinD  and in fact Docker  the company  has an official DinD image for this   The caveat however is that it requires a privileged container  which depending on your security needs may not be a viable alternative   The alternative solution of running Docker using sibling containers  aka Docker-out-of-Docker or DooD  does not require a privileged container  but has a few drawbacks that stem from the fact that you are launching the container from within a context that is different from that one in which it s running  i e   you launch the container from within a container  yet it s running at the host s level  not inside the container    I wrote a blog describing the pros cons of DinD vs DooD here   Having said this  Nestybox  a startup I just founded  is working on a solution that runs true Docker-in-Docker securely  without using privileged containers   You can check it out at www nestybox com

[jenkins] Is it ok to run docker from inside docker?

Examples related to jenkins

Examples related to docker

Examples related to docker-dind