Docker build agent must itself create a docker image


I have a somewhat tricky situation. We use TeamCity in our company and have our TC agents running in Docker containers. This is very convenient to run several independent agents on one host without them conflicting with each other.
BUT now I have the requirement that our agent should pack the result of the build into a Docker image. For that, I need the Docker client to run docker build. So my first thought was to install Docker inside Docker, but actually this doesn't sound like a very good idea.
Do I have any other options? Is it possible to run the docker build via the remote API so that I just access my outer Docker daemon?


Docker in Docker is usually not a great solution for this kind of stuff, but doable. It’s more approachable than it used to be.

The most common hack to do this is to bind-mount the Docker socket and/or binary (e.g. docker run -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):/bin/docker), but be aware that this gives full root access to the host inside the container.


You can also make Docker listen on a TCP port and access it from a container via TCP. But it has the same security issues as bind-mounting the Unix socket.



I like both variants.
Security is not that much of a concern in this case, because it's a standalone build server.

@nathanleclaire: The following error appears when docker is accessed within the container:
docker: error while loading shared libraries: cannot open shared object file: No such file or directory

I ran docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):/bin/docker debian bash

@garagatyi: Hm, also interesting, but how do you access Docker then from within the container (I mean, with which program)?

Don’t use docker run -v to try to inject the Docker binary into the container; just use your normal Linux distribution tools (apt-get, yum, apk) to install it.

I know you say “security isn’t a big deal”, but opening up network access to the Docker daemon is giving unrestricted unauthenticated root access to your host system. I’d never even consider this.

The port to the Docker daemon doesn't have to be open to the Internet. It can be exposed to Docker containers only.

docker -H tcp://x.x.x.x:2375 run …
But using the socket is probably better from both a security and a usability standpoint.

So you’re OK with anyone (even unprivileged users) who manages to execute a simple HTTP request within that network rooting the machine? Exposing Docker on TCP unencrypted is very, very vulnerable and bad practice.

Ah yeah, old habit, I forgot the standard Docker distribution is dynamically compiled these days. There are also static binaries available for download directly: Install Docker Engine from binaries | Docker Docs


I understand the drawbacks. But I already said that it is even less secure than using the socket.

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock debian:8 bash
and then downloading the Docker libs
just works perfectly fine.
That's exactly what I was looking for.

About the security issues: sure, the container has access to the host. But in my case, the host has nothing installed except Docker. It is a dedicated machine just running the build agents in Docker containers. I think the risk isn't that big in this case.
For other scenarios that would be no option, I agree with that.
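The thread's answer to the original question ("run docker build via the remote API against the outer daemon") is the bind-mounted /var/run/docker.sock, and the same socket is what the docker binary installed inside the container talks to. The following is an added example, not code from the thread or from Docker: it drives the Engine API over that socket directly from Python, so a build agent container needs no docker client at all, and it also shows concretely why both replies call the socket (or an unencrypted TCP port) root on the host. It assumes the socket is bind-mounted at /var/run/docker.sock; the tag, the image name and the TCP address are placeholders. Only the main block needs a running daemon; the request-building helpers run offline.

```python
"""Run a docker build through the outer Docker daemon's Engine API.

Added example for this thread, not from Docker or the thread's authors.
Assumption: /var/run/docker.sock is bind-mounted into the build container.
"""
import http.client
import io
import json
import socket
import tarfile
import urllib.parse

DOCKER_SOCKET = "/var/run/docker.sock"  # assumption: bind-mounted from the host


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials a Unix socket instead of a TCP host:port."""

    def __init__(self, path, timeout=120):
        super().__init__("localhost", timeout=timeout)
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)


def make_build_context(files):
    """Pack {"Dockerfile": "...", "app": b"..."} into the tar stream POST /build expects."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            if isinstance(data, str):
                data = data.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def context_members(context):
    """Names inside a build-context tar (used to check what we are sending)."""
    with tarfile.open(fileobj=io.BytesIO(context), mode="r") as tar:
        return tar.getnames()


def build_request(tag, dockerfile="Dockerfile"):
    """Path and headers for POST /build; the context tar is the request body."""
    query = urllib.parse.urlencode({"t": tag, "dockerfile": dockerfile, "rm": "1"})
    return "/build?" + query, {"Content-Type": "application/x-tar"}


def build_image(conn, tag, files):
    """Stream the build through the daemon; return the image id or raise on error."""
    path, headers = build_request(tag)
    conn.request("POST", path, body=make_build_context(files), headers=headers)
    resp = conn.getresponse()
    if resp.status != 200:
        raise RuntimeError(f"daemon returned HTTP {resp.status}: {resp.read()!r}")
    image_id = None
    for raw in resp:  # JSON lines: {"stream": ..}, {"aux": {"ID": ..}}, {"error": ..}
        line = raw.strip()
        if not line:
            continue
        msg = json.loads(line)
        if "error" in msg:
            raise RuntimeError(msg["error"])
        image_id = msg.get("aux", {}).get("ID", image_id)
    return image_id


def host_root_container_spec(image="debian:8"):
    """Why the socket is root on the host: the same API lets any client ask the
    daemon for a privileged container with the host filesystem bind-mounted,
    i.e. POST /containers/create with this body, then start it and exec a shell."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/host", "sh"],
        "HostConfig": {"Binds": ["/:/host"], "Privileged": True},
    }


if __name__ == "__main__":
    # Constructed sample context: a scratch image carrying one build artifact.
    files = {"Dockerfile": "FROM scratch\nCOPY app /app\n", "app": b"\x7fELF build output"}
    conn = UnixHTTPConnection(DOCKER_SOCKET)
    # TCP variant from the thread (unencrypted, so anyone on that network has
    # the same root access): conn = http.client.HTTPConnection("x.x.x.x", 2375)
    print("built image", build_image(conn, "tc-build/example:1", files))
```

The build_image function works unchanged with a plain http.client.HTTPConnection pointed at a daemon exposed on tcp://x.x.x.x:2375, which is exactly why the TCP variant is no safer than the socket: there is no authentication anywhere in that exchange, and host_root_container_spec shows the request that turns either channel into a root shell on the host.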