DOCKER INSIDE DOCKER

Sometimes we want Docker inside Docker. For example: a CI pipeline, Jenkins Docker-based dynamic agents for your CI/CD pipelines, sandboxed environments, or experimental workstations.

Here are three methods. Methods (1) and (2) need to be secured, because the inner workload gets full control over your Docker daemon, and whoever controls the daemon can do anything the daemon can do on the host, which is effectively root. You can add a firewall layer in Docker or run the daemon rootless.

The following articles can help you:

In method 3, we will use Sysbox.

Method 1: Docker in Docker Using [/var/run/docker.sock]

If you are on the same host where the Docker daemon is running, you can use /var/run/docker.sock to manage containers.

To run Docker inside Docker, all you have to do is run the official docker image with the daemon's default Unix socket, docker.sock, bind-mounted as a volume:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -ti docker

Now, from within the container, you should be able to execute docker commands for building and pushing images to the registry. Keep in mind that these commands are served by the host daemon: every container or image you create lands on the host, as a sibling of your container rather than nested inside it. Anyone who can talk to that socket can make the daemon bind-mount host directories or start privileged containers, so treat socket access as root access. Mounting the socket read-only (:ro) does not change this, because the read-only flag applies to the filesystem entry, not to the API calls made over the socket.

# Inside the container
docker pull ubuntu

# When you list the docker images, you should see the ubuntu image along with the other images on your host VM,
# because the pull was done by the host daemon
docker images

# Now create a Dockerfile inside a test directory and build it (the trailing . is the build context)
docker build -t test-image .

Method 2: Docker in Docker Using dind

Note: This requires your container to be run in privileged mode (--privileged), because the inner dockerd needs to mount filesystems and manage cgroups. A privileged container gets every capability and access to all host devices, so it is just as host-root-equivalent as the mounted socket in method 1; the difference is that the inner daemon and its containers are nested inside dind-test instead of being created on the host.

docker run --privileged -d --name dind-test docker:dind
docker exec -it dind-test /bin/sh
# Inside the container
docker pull ubuntu
docker images
mkdir test && cd test
vi Dockerfile
# Create the Dockerfile and then build it (note the trailing . for the build context)
docker build -t test-image .

Method 3: Docker in Docker Using Sysbox Runtime

Methods 1 & 2 have disadvantages in terms of security: method 2 runs the base container in privileged mode, and method 1 hands the container the host daemon's socket, which is just as powerful. Nestybox tries to solve that problem with the Sysbox Docker runtime, which runs the dind container unprivileged inside a user namespace. However, with a firewall implementation you can still get a security layer for the other two methods. Check my above article.

(1) Get Sysbox CE
Community edition, based on the open-source Sysbox.

nestybox / sysbox (GitHub)

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.


Introduction

Sysbox is an open-source container runtime (aka runc), originally developed by Nestybox, that enhances containers in two key ways:

  • Improves container isolation: Sysbox always enables the Linux user-namespace on containers (i.e., root user in the container has zero privileges on the host), hides host info inside the container, locks the container's initial mounts, and more.

  • Enables containers to act as VMs: with Sysbox, containers become capable of running most workloads that run in physical hosts or VMs, including systemd, Docker, Kubernetes, and more, seamlessly and with proper isolation (no privileged containers, no complex images, no tricky entrypoints, no special volume mounts, etc.)

Sysbox is an OCI-based "runc", meaning that you typically use Docker and Kubernetes to deploy these enhanced containers (in fact Sysbox works under the covers, you don't interact with it directly). Thus there is no need to learn new tools or modify your existing container…

At the time of writing this article, the supported distros are:
Ubuntu Bionic (18.04), Ubuntu Focal (20.04), Debian Buster (10), Debian Bullseye (11), Fedora 31, Fedora 32, CentOS 8

Installing (building from source):

git clone --recursive git@github.com:nestybox/sysbox.git
cd sysbox
make sysbox
sudo make install
# Once Sysbox is installed, you start it with:
sudo ./scr/sysbox
# Configuring Docker: this registers the sysbox-runc runtime in the daemon configuration,
# so expect the Docker daemon to be restarted; do it on a quiet host
sudo ./scr/docker-cfg --sysbox-runtime=enable

(2) USE SYSBOX

The only change from method 2 is --runtime=sysbox-runc in place of --privileged: the inner dockerd still runs as root inside the container, but that root is mapped to an unprivileged uid on the host through the user namespace Sysbox always enables.

docker run --runtime=sysbox-runc --name sysbox-dind -d docker:dind
docker exec -it sysbox-dind /bin/sh
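As an added example that ties the three methods together (this is not code from the article, Docker, or Nestybox): a small audit script that reads the JSON printed by `docker inspect` and flags containers that have the host daemon socket bind-mounted (method 1) or run privileged (method 2), while a container under the sysbox-runc runtime with neither setting passes. The three records it ships with are constructed to mirror the three containers above; the field names it reads (HostConfig.Privileged, HostConfig.Binds, HostConfig.Runtime, Mounts) are the real `docker inspect` schema, and the script name dind_audit.py is just an assumption for the usage line.

```python
"""Audit containers for docker-in-docker settings that amount to root on the
host. Added example for this article; not code from Docker or Nestybox.
Input is the JSON array printed by `docker inspect <containers...>`."""
import json
import sys

HOST_DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample in the `docker inspect` schema, one record per method in
# the article. Only the fields the audit reads are included.
SAMPLE_INSPECT_JSON = json.dumps([
    {   # Method 1: official docker image with the host socket bind-mounted
        "Name": "/sock-test",
        "HostConfig": {"Privileged": False, "Runtime": "runc",
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {   # Method 2: docker:dind started with --privileged
        "Name": "/dind-test",
        "HostConfig": {"Privileged": True, "Runtime": "runc", "Binds": None},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/dind/_data",
                    "Destination": "/var/lib/docker"}],
    },
    {   # Method 3: docker:dind under sysbox-runc, no --privileged, no socket
        "Name": "/sysbox-dind",
        "HostConfig": {"Privileged": False, "Runtime": "sysbox-runc", "Binds": None},
        "Mounts": [],
    },
])


def mounts_host_docker_socket(container):
    """True if the host daemon socket is bind-mounted anywhere in the container.

    The check is on the mount *source*: a socket mounted at an unusual path
    (-v /var/run/docker.sock:/dind.sock) or read-only (:ro) still gives full
    API access. Both HostConfig.Binds (the -v form) and Mounts (the --mount
    form, which does not show up in Binds) are examined."""
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        if bind.split(":", 1)[0] == HOST_DOCKER_SOCKET:
            return True
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == HOST_DOCKER_SOCKET:
            return True
    return False


def classify(container):
    """Return (name, {"runtime": ..., "findings": [...]}).

    An empty findings list means neither host-root-equivalent setting from
    methods 1 and 2 is present; the runtime tells you whether the container
    is at least running under sysbox-runc (method 3)."""
    host_config = container.get("HostConfig", {})
    findings = []
    if mounts_host_docker_socket(container):
        findings.append("host docker socket mounted: full control of the host daemon")
    if host_config.get("Privileged"):
        findings.append("privileged container: all capabilities and host devices")
    name = container.get("Name", "?").lstrip("/")
    return name, {"runtime": host_config.get("Runtime", "runc"), "findings": findings}


def audit(inspect_json):
    """Parse `docker inspect` output and return {container_name: verdict}."""
    return dict(classify(c) for c in json.loads(inspect_json))


if __name__ == "__main__":
    # Pipe real output in: docker inspect $(docker ps -q) | python3 dind_audit.py
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    if not raw.strip():
        raw = SAMPLE_INSPECT_JSON  # no input: run against the constructed sample
    for name, verdict in audit(raw).items():
        status = "; ".join(verdict["findings"]) or "no host-root-equivalent settings"
        print(f"{name} [{verdict['runtime']}]: {status}")
```

Run it against every container on a CI host with `docker inspect $(docker ps -q) | python3 dind_audit.py`; anything reported with a finding is a container whose compromise means compromise of the host, whatever its runtime says.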

CONGRATULATIONS :)

Here is a nice article

Further:
I was one of the attendees in this meeting. You can find the co-founder speaking about Sysbox at https://bluejeans.com/s/Qq_IsjrnOaG (20.05 minutes).
