docker
Docker in Docker!
GitHub repo: https://github.com/docker-library/docker
Supported tags and respective
Where to file issues:
Tianon (of the Docker Project)
What is Docker in Docker?
Although running Docker inside Docker is generally not recommended, there are some legitimate use cases, such as development of Docker itself.
Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux, Mac OS and Windows.
Before running Docker-in-Docker, be sure to read through Jérôme Petazzoni’s excellent blog post on the subject, where he outlines some of the pros and cons of doing so (and some nasty gotchas you might run into).
If you are still convinced that you need Docker-in-Docker and not just access to a container’s host Docker server, then read on.
How to use this image
Start a daemon instance
$ docker run --privileged --name some-docker -d docker:dind
--privileged is required for Docker-in-Docker to function properly, but it should be used with care as it provides full access to the host environment, as explained in the relevant section of the Docker documentation.
Warning: by default, the dind variants of this image add --host=tcp://0.0.0.0:2375 (on top of the explicit default of --host=unix:///var/run/docker.sock) in order to allow other containers to access dockerd (as the following examples illustrate). If you use --network=host, shared network namespaces (as in Kubernetes pods), or otherwise have network access to the container (including containers started within the dind instance via their gateway interface), this is a potential security issue (which can lead to access to the host system, for example). To disable this image behavior, simply override the container command or entrypoint to run dockerd directly (... docker:dind dockerd ... or ... --entrypoint dockerd docker:dind ...). It is recommended to implement TLS (... docker:dind dockerd --host tcp://0.0.0.0:2376 --tlsverify ...) if network access to the dind instance is required.
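Whether the warning above applies depends on which listeners dockerd actually ends up with. As an added example (not part of the image or its documentation), this POSIX shell function classifies each --host/-H listener on a dockerd command line and fails when a TCP listener lacks --tlsverify; the function name and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the docker image): audit dockerd listeners.
# Usage: audit_dockerd_args dockerd [flags...]
# Prints one line per --host/-H listener and returns 1 if any TCP listener
# is not protected by --tlsverify (client-certificate authentication).
audit_dockerd_args() {
    tlsverify=no
    hosts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --tlsverify|--tlsverify=true) tlsverify=yes ;;
            --host=*|-H=*) hosts="$hosts ${1#*=}" ;;
            --host|-H)
                [ $# -ge 2 ] || break   # flag without a value: stop parsing
                hosts="$hosts $2"
                shift ;;
        esac
        shift
    done

    rc=0
    for h in $hosts; do
        case "$h" in
            unix://*|fd://*)
                echo "OK    $h (local socket)" ;;
            tcp://*)
                if [ "$tlsverify" = yes ]; then
                    echo "OK    $h (TCP with --tlsverify)"
                else
                    echo "FAIL  $h (unauthenticated TCP API)"
                    rc=1
                fi ;;
            *)
                echo "CHECK $h (unrecognised scheme, review manually)" ;;
        esac
    done
    return "$rc"
}

# Constructed sample command lines, mirroring the two cases in the warning:
# the dind default, and the TLS form (certificate flags omitted as on the page).
audit_dockerd_args dockerd --host=unix:///var/run/docker.sock \
    --host=tcp://0.0.0.0:2375 || echo "=> default dind listeners need attention"
audit_dockerd_args dockerd --host tcp://0.0.0.0:2376 --tlsverify
```

Run it against the effective command line of the running daemon (for example the dockerd row shown by docker top some-docker), because the dind entrypoint adds the TCP listener itself rather than taking it from the arguments you passed.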
Connect to it from a second container
$ docker run --rm --link some-docker:docker docker:edge version
Client:
 Version:      17.05.0-ce
 API version:  1.27 (downgraded from 1.29)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Fri May 5 15:36:11 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.1-ce
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   c6d412e
 Built:        Tue Mar 28 00:40:02 2017
 OS/Arch:      linux/amd64
 Experimental: false

$ docker run -it --rm --link some-docker:docker docker:edge sh
/ # docker version
Client:
 Version:      17.05.0-ce
 API version:  1.27 (downgraded from 1.29)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Fri May 5 15:36:11 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.1-ce
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   c6d412e
 Built:        Tue Mar 28 00:40:02 2017
 OS/Arch:      linux/amd64
 Experimental: false

$ docker run --rm --link some-docker:docker docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 17.03.1-ce
Storage Driver: vfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ab9917febca54791c5f071a9d1f404867857fcc
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.4.63-gentoo
Operating System: Alpine Linux v3.5 (containerized)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.4 GiB
Name: 393376fdc461
ID: FDP3:4GDT:L2WP:D4CC:UAW5:RHNA:4Z4G:WQYY:YWBE:7RER:LV7E:USY5
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock docker version
Client:
 Version:      17.05.0-ce
 API version:  1.28 (downgraded from 1.29)
 Go version:   go1.7.5
 Git commit:   89658be
 Built:        Fri May 5 15:36:11 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.04.0-ce
 API version:  1.28 (minimum version 1.12)
 Go version:   go1.8
 Git commit:   4845c56
 Built:        Thu Apr 27 07:51:43 2017
 OS/Arch:      linux/amd64
 Experimental: false
Custom daemon flags
$ docker run --privileged --name some-overlay-docker -d docker:dind --storage-driver=overlay
Where to Store Data
Important note: There are several ways to store data used by applications that run in Docker containers. We encourage users of the docker images to familiarize themselves with the options available, including:
- Let Docker manage the storage of your data by writing to disk on the host system using its own internal volume management. This is the default and is easy and fairly transparent to the user. The downside is that the files may be hard to locate for tools and applications that run directly on the host system, i.e. outside containers.
- Create a data directory on the host system (outside the container) and mount this to a directory visible from inside the container. This places the files in a known location on the host system, and makes it easy for tools and applications on the host system to access the files. The downside is that the user needs to make sure that the directory exists, and that e.g. directory permissions and other security mechanisms on the host system are set up correctly.
The Docker documentation is a good starting point for understanding the different storage options and variations, and there are multiple blogs and forum postings that discuss and give advice in this area. We will simply show the basic procedure here for the latter option above:
- Create a data directory on a suitable volume on your host system, e.g. /my/own/var-lib-docker.
- Start your docker container like this:
$ docker run --privileged --name some-docker -v /my/own/var-lib-docker:/var/lib/docker -d docker:dind
The -v /my/own/var-lib-docker:/var/lib/docker part of the command mounts the /my/own/var-lib-docker directory from the underlying host system as /var/lib/docker inside the container, where Docker by default will write its data files.
View license information for the software contained in this image.
As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
Some additional license information which was able to be auto-detected might be found in the
As for any pre-built image usage, it is the image user’s responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.