Secure, Efficient Docker-in-Docker with Nestybox

TL;DR

What is Docker-in-Docker?

Use Cases

DinD and DooD

  • Running the Docker daemon inside a container (DinD).
  • Running only the Docker CLI in a container, and connecting it to the Docker daemon on the host. This approach has been nicknamed Docker-out-of-Docker (DooD).

DinD

$ echo 1 > /proc/sys/kernel/sysrq && echo b > /proc/sysrq-trigger

DooD

$ docker run -it -v /var/run/docker.sock:/var/run/docker.sock docker
  • Permission problems: the user in the Docker CLI container may not have sufficient permissions to access the Docker daemon on the host via the socket. This is a common problem causing headaches, in particular in CI/CD scenarios such as Jenkins + Docker.
  • Container naming collisions: if the container running the Docker CLI creates a container named some_cont, the creation will fail if some_cont already exists on the host. Avoiding such naming collisions may not always be trivial depending on the use case.
  • Mount paths: if the container running the Docker CLI creates a container with a bind mount, the mount path must be relative to the host (otherwise the Docker daemon on the host won’t be able to perform the mount correctly).
  • Port mappings: if the container running the Docker CLI creates a container with a port mapping, the port mapping occurs at the host level, potentially colliding with other port mappings.

Solution: DinD with Nestybox System Containers

$ docker run --runtime=sysbox-runc -it my-dind-image
$ docker run --runtime=sysbox-runc --name some-docker -d \
    --network some-network --network-alias docker \
    -e DOCKER_TLS_CERTDIR=/certs \
    -v some-docker-certs-ca:/certs/ca \
    -v some-docker-certs-client:/certs/client \
    docker:dind

In a Nutshell

  • There are valid use cases for running Docker-in-Docker (DinD).
  • Docker’s officially supported DinD solution requires a privileged container. It’s not ideal. It may be fine in trusted scenarios, but it’s risky otherwise.
  • There is an alternative that consists of running only the Docker CLI in a container and connecting it to the Docker daemon on the host. It’s nicknamed Docker-out-of-Docker (DooD). While it has some benefits, it also has several drawbacks which may void its use depending on your environment.
  • Nestybox system containers offer a new alternative. They support running Docker-in-Docker securely, without using privileged containers and with total isolation between the Docker in the system container and the Docker on the host. It’s very easy to use as shown above.
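As an added audit example (not code from the original post or from Nestybox), the following Python helper classifies `docker run` command lines into the three patterns the post contrasts: privileged DinD, DooD via a bind-mounted `/var/run/docker.sock`, and DinD under the `sysbox-runc` runtime. The sample command list and the verdict labels are constructed for illustration; a reviewer can point it at CI job definitions to see which containers get host-equivalent access.

```python
import shlex

DOCKER_SOCK = "/var/run/docker.sock"
# Constructed sample, modelled on the commands quoted in the article.
SAMPLE_COMMANDS = [
    "docker run --privileged -d docker:dind",
    "docker run -it -v /var/run/docker.sock:/var/run/docker.sock docker",
    "docker run --runtime=sysbox-runc -it my-dind-image",
    "docker run --runtime=sysbox-runc --name some-docker -d --network some-network "
    "-e DOCKER_TLS_CERTDIR=/certs -v some-docker-certs-ca:/certs/ca docker:dind",
]

def _mounts_docker_sock(spec):
    """True if a -v/--volume or --mount spec bind-mounts the host Docker socket."""
    if "=" in spec:  # --mount type=bind,source=...,target=... form
        opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
        return opts.get("source", opts.get("src")) == DOCKER_SOCK
    return spec.split(":")[0] == DOCKER_SOCK  # -v host:container[:opts] form

def classify(cmdline):
    """Classify one `docker run` line: 'privileged', 'dood', 'sysbox-dind' or 'plain'."""
    argv = shlex.split(cmdline)
    privileged, runtime, sock = False, None, False
    i = 0
    while i < len(argv):
        arg, nxt = argv[i], argv[i + 1] if i + 1 < len(argv) else ""
        if arg in ("--privileged", "--privileged=true"):
            privileged = True
        elif arg == "--runtime":
            runtime, i = nxt, i + 1
        elif arg.startswith("--runtime="):
            runtime = arg.split("=", 1)[1]
        elif arg in ("-v", "--volume", "--mount"):
            sock, i = sock or _mounts_docker_sock(nxt), i + 1
        elif arg.startswith(("--volume=", "--mount=")):
            sock = sock or _mounts_docker_sock(arg.split("=", 1)[1])
        i += 1
    if privileged:  # what the official docker:dind route needs; host-equivalent
        return "privileged"
    if sock:  # DooD: the CLI container drives the host's daemon through the socket
        return "dood"
    return "sysbox-dind" if runtime == "sysbox-runc" else "plain"

def audit(commands):
    return {cmd: classify(cmd) for cmd in commands}

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_COMMANDS).items():
        print(f"{verdict:12} {cmd}")
```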
