A docker image based in ubuntu to run docker containers inside docker containers with some extras:
- Easy to use (More Info):
The option
--privileged
is not secure. Just for dev or testing purposes. To do this in the GOOD AND SECURE WAY just use: https://github.com/nestybox/sysbox
docker run -it --privileged cruizba/ubuntu-dind
or with sysbox:
docker run -it --runtime=sysbox-runc cruizba/ubuntu-dind
- Compatible with current LTS versions of Ubuntu (
focal
,jammy
andnoble
) - Support for arm64 and amd64 architectures.
- Easy to extend, customize and use.
- Always updated with current buildx, compose and docker versions.
This project was inspired by two existing repositories:
- DinD by alekslitvinenk: This repository served as the foundational idea, offering a lightweight solution. The distinguishing feature of my project is the use of Ubuntu as the base OS for the container and some improvements I made with time.
- Docker: This repository literally offers a Docker image of Docker.
On occasion, there is a need to operate Docker containers within other Docker containers often requiring workaround solutions, especially for usage in CI/CD pipelines or software demanding extensive virtualization.
There are two methods to execute DinD:
This strategy shares the socket from the host system located at /var/run/docker.sock
utilizing -v /var/run/docker.sock:/var/run/docker.sock
. Essentially, this technique allows us to spawn containers from the primary container, which is managed by the host system. However, any containers created within these secondary containers actually materialize only on the host system, not within the originating container itself. Two primary challenges often arise with this approach:
-
Networking Challenges: With the DooD system, when a container is instantiated within another container, the host system manages both containers. Thus, if we run a container from the DooD container which exposes port 3306, for example, this port would be visible to the host but won't be accessible by the container that initiated it.
-
Directory Volumes: Suppose we plan to operate 'container-1' within 'container-2' and attempt to share a directory from 'container-1' to 'container-2' using volumes. In that case, this won't work. The reason lies in socket sharing - we're actually not sharing directories from the primary container; instead, we're sharing directories from the host machine. Although there are solutions to these challenges, they often tend to be complex and convoluted.
This method, although less secure (the --privileged
option bypasses numerous containerization security features), enables the creation of a fresh container with Docker inside whenever required, effectively resolving network and volumes problems. You can now share folders from 'container-1' to 'container-2', created by 'container-1', and expose ports from 'container-2', accessible from 'container-1'.
But there are actually ways to run this container securely. You can use nestybox/sysbox runtime to run this container securely. This runtime is a container runtime that enables Docker-in-Docker (DinD) with enhanced security and performance. It's a great alternative to the --privileged
option.
You can see how to run this insecurely or securely in the Usage Guide section.
Test or use this image is quite simple, and you have two options to do it.
To use this Docker-in-Docker image, run the following command:
docker run -it --privileged cruizba/ubuntu-dind
This launches a bash terminal with an independent Docker environment isolated from your host, where you can build, run, and push Docker images.
It's not ready for production usage, but I find it useful for development and testing purposes.
For this option you need to have Sysbox installed in your system. You can see how to install it here (Package installation works only in debian-based distros sadly).
To use this Docker-in-Docker image securely, run the following command:
docker run -it --runtime=sysbox-runc cruizba/ubuntu-dind
Simply running the image will give you a clean environment to test your Docker images.
- Insecure command:
docker run -it --privileged cruizba/ubuntu-dind
- Secure command:
docker run -it --runtime=sysbox-runc cruizba/ubuntu-dind
This will run a root bash terminal inside the container, where you can run docker commands.
You can run commands directly to test images:
- Insecure command:
docker run -it --privileged cruizba/ubuntu-dind docker run hello-world
- Secure command:
docker run -it --runtime=sysbox-runc cruizba/ubuntu-dind docker run hello-world
You can extend this image to add your own tools and configurations. I will create an example where I use this image to build this project and test it, to show you how to extend it and how powerful it can be.
FROM cruizba/ubuntu-dind:latest
# Install dependencies
RUN apt-get update && apt-get install git -y
COPY entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/entrypoint.sh
entrypoint.sh:
#!/bin/bash
# Start docker
start-docker.sh
# Your commands go here
git clone https://github.com/cruizba/ubuntu-dind
cd ubuntu-dind || exit 1
docker build . -f ubuntu-jammy.Dockerfile -t ubuntu-dind-test
docker run --privileged ubuntu-dind-test docker run hello-world
This script will clone this repository, build the image and run a container from it.
It is very important to notice that you need to run the start-docker.sh
script before using docker commands. This script will start the docker daemon inside the container.
You have this example in the examples
folder.
You can find the available images in the Docker Hub. Check also the Releases section to see the available tags: Releases