Docker-in-docker vs mounting /var/run/docker.sock

I’m interested in a quick security rundown of those two options. I know they are both bad, but which is worse?

Functionally, I’d say a dind container is much easier in my case (running docker builds from CI).

It seems to me that dind would give me slightly better isolation, but I’m not sure exactly what --privileged bypasses. Thoughts?

docker-in-docker has some stability issues.

--privileged basically makes root in your container be full root on the host. it can manage kernel params, it has all capabilities, etc.

See https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/ for more information.

I, personally, don’t have a problem with using the docker socket to run processes on a host. I’ve scripted commands to be run on hosts using ssh or chef for years. As long as I take the same precautions and considerations as I do for any other root level scripting, I don’t think it’s a terrible idea.

I am more inclined to set up TLS and use a remote docker host in my scripting rather than mount the docker socket. That lets my dockerized processes manage some other docker host that might be in a DMZ or have other security measures taken.

In some cases, such as when running jwilder/nginx-proxy, you have to have something that can talk to docker to get the events stream. I like running my processes containerized, so running docker-gen in a container seems like a natural fit. Using their “Separate Containers” approach is sane.

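To make the "all capabilities" point above concrete, here is an added example (not code from the thread or from Docker) that decodes the CapEff bitmask a process reports in /proc/self/status and compares Docker's default capability set with the full set a --privileged container gets. The two sample masks are constants: 00000000a80425fb is the well-known default for root in an unprivileged Docker container, and 000001ffffffffff is every bit set on a kernel with 41 capabilities (older kernels show fewer, e.g. 0000003fffffffff). The capability mask is only the part you can read from inside; --privileged also drops the default seccomp profile and the device cgroup restrictions, which this script does not show.

```shell
#!/bin/sh
# Added example: decode Linux capability masks (CapEff from /proc/<pid>/status)
# and show what --privileged adds on top of Docker's default set.
# Run "sh caps.sh" inside a container to see its live mask; the sample masks
# below are constants so the comparison also works without Docker.
set -eu

# Capability names in bit order (include/uapi/linux/capability.h, bit 0 first).
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN
CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON
CAP_BPF CAP_CHECKPOINT_RESTORE"

# Sample mask: root inside a default (unprivileged) Docker container, 14 caps.
DOCKER_DEFAULT_CAPEFF=00000000a80425fb
# Sample mask: root inside a --privileged container on a kernel with 41
# capabilities (CAP_LAST_CAP=40): every bit set. Kernels with fewer caps show
# fewer f's (0000003fffffffff for 38).
PRIVILEGED_CAPEFF=000001ffffffffff

# decode_caps <hexmask>: print one capability name per line for each set bit.
decode_caps() {
  mask=$((0x$1)); i=0
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then printf '%s\n' "$name"; fi
    i=$((i + 1))
  done
}

# cap_count <hexmask>: number of capabilities in the mask.
cap_count() { decode_caps "$1" | wc -l | tr -d ' '; }

# has_cap <hexmask> <CAP_NAME>: prints yes if the bit is set, otherwise no
# (including unknown names).
has_cap() {
  mask=$((0x$1)); i=0
  for name in $CAP_NAMES; do
    if [ "$name" = "$2" ]; then
      if [ $(( (mask >> i) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
      return 0
    fi
    i=$((i + 1))
  done
  echo no
}

# extra_caps <basemask> <othermask>: capabilities in <other> missing from <base>.
extra_caps() {
  base=$((0x$1)); other=$((0x$2)); i=0
  for name in $CAP_NAMES; do
    if [ $(( (other >> i) & 1 )) -eq 1 ] && [ $(( (base >> i) & 1 )) -eq 0 ]; then
      printf '%s\n' "$name"
    fi
    i=$((i + 1))
  done
}

# current_capeff: the live effective mask of this shell (Linux only).
current_capeff() { awk '/^CapEff:/ {print $2}' /proc/self/status; }

report() {
  echo "Default Docker container ($(cap_count "$DOCKER_DEFAULT_CAPEFF") caps):"
  decode_caps "$DOCKER_DEFAULT_CAPEFF" | sed 's/^/  /'
  echo "Added by --privileged ($(extra_caps "$DOCKER_DEFAULT_CAPEFF" "$PRIVILEGED_CAPEFF" | wc -l | tr -d ' ') more):"
  extra_caps "$DOCKER_DEFAULT_CAPEFF" "$PRIVILEGED_CAPEFF" | sed 's/^/  /'
  if [ -r /proc/self/status ]; then
    live=$(current_capeff)
    echo "This process: CapEff=$live, CAP_SYS_ADMIN=$(has_cap "$live" CAP_SYS_ADMIN)"
  fi
}

report
```

The names that show up in the "added by --privileged" list (CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_NET_ADMIN, CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH, ...) are the ones that let a container root mount host filesystems, load kernel modules or poke raw devices, which is why the earlier post equates --privileged with root on the host.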
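The "set up TLS and use a remote docker host" option above, as an added example (not code from the thread or from Docker's own tooling): a script that mints a private CA plus server and client certificates, writes the daemon.json that makes the daemon require a client certificate, and checks the result the same way the Docker client will (chain to the CA, hostname in the server SAN, clientAuth on the client cert). The hostname dockerhost.example, the IP, the CN values and the cert directory are placeholders; the client files are named ca.pem, cert.pem and key.pem because that is what the docker CLI looks for under DOCKER_CERT_PATH.

```shell
#!/bin/sh
# Added example: TLS client-certificate auth for a remote Docker daemon, so a
# CI job exports DOCKER_HOST/DOCKER_TLS_VERIFY instead of mounting docker.sock.
# Usage: sh dockertls.sh demo dockerhost.example 10.0.0.5
set -eu

# make_docker_tls_certs <outdir> <daemon-hostname> [<daemon-ip>]
# Creates ca.pem/ca-key.pem, server-cert.pem/server-key.pem, cert.pem/key.pem.
make_docker_tls_certs() {
  dir=$1; host=$2; ip=${3:-127.0.0.1}
  mkdir -p "$dir"
  # 1. CA. Whoever holds ca-key.pem can mint client certs, i.e. root on the
  #    daemon host, so keep it off the CI runners.
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$dir/ca-key.pem" \
    -subj "/CN=docker-ca" -out "$dir/ca.pem"
  # 2. Server cert. The SAN must list every name/IP the client will dial;
  #    the client verifies it against DOCKER_HOST.
  openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/server-key.pem" -subj "/CN=$host" \
    -out "$dir/server.csr"
  printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
    "$host" "$ip" > "$dir/server-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/server-ext.cnf" -out "$dir/server-cert.pem" 2>/dev/null
  # 3. Client cert, one per CI runner so a leaked one can be replaced alone.
  #    EKU clientAuth only: the daemon's own cert must not double as a client.
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/key.pem" -subj "/CN=ci-runner" \
    -out "$dir/client.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/client-ext.cnf" -out "$dir/cert.pem" 2>/dev/null
  rm -f "$dir"/*.csr "$dir"/*.cnf
  chmod 0444 "$dir/ca.pem" "$dir/server-cert.pem" "$dir/cert.pem"
  chmod 0400 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/key.pem"
}

# write_daemon_json <certdir-on-daemon-host> <output-file>
# tlsverify=true means: TLS on, and reject clients without a cert from our CA.
# Caveat: on distro packages that pass -H in the systemd unit, setting "hosts"
# here conflicts with that flag and dockerd refuses to start; drop -H from the
# unit (via a drop-in) when you use this.
write_daemon_json() {
  certdir=$1; out=$2
  cat > "$out" <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "$certdir/ca.pem",
  "tlscert": "$certdir/server-cert.pem",
  "tlskey": "$certdir/server-key.pem"
}
EOF
}

# verify_server_cert <ca.pem> <server-cert.pem> <hostname>: OK or FAIL.
verify_server_cert() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# verify_client_cert <ca.pem> <cert.pem>: OK only if it chains to our CA and
# is usable as a TLS client (EKU clientAuth), which is what the daemon checks.
verify_client_cert() {
  if openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# client_env <daemon-hostname> <dir-with-ca.pem,cert.pem,key.pem>
# The environment a CI job exports instead of mounting /var/run/docker.sock.
client_env() {
  printf 'export DOCKER_HOST=tcp://%s:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=%s\n' "$1" "$2"
}

if [ "${1:-}" = demo ]; then
  host=${2:-dockerhost.example}; ip=${3:-127.0.0.1}
  out=$(mktemp -d)
  make_docker_tls_certs "$out" "$host" "$ip"
  write_daemon_json /etc/docker/certs "$out/daemon.json"
  echo "server cert for $host: $(verify_server_cert "$out/ca.pem" "$out/server-cert.pem" "$host")"
  echo "client cert:           $(verify_client_cert "$out/ca.pem" "$out/cert.pem")"
  echo "files in $out; copy ca.pem, server-cert.pem, server-key.pem and daemon.json to the daemon host"
  client_env "$host" "$out"
fi
```

This turns the socket question into a credential question: a runner that leaks its cert.pem/key.pem can still run arbitrary containers on the daemon host, so the remote host should be a dedicated build box with nothing else on it, and each runner's client cert should be short-lived and individually replaceable.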

This is exactly what I was looking for.

That lets my dockerized processes manage some other docker host that might be in a DMZ or have other security measures taken.

I’m not sure I understand the rationale here. It sounds like you’re saying it’s okay to use a remote docker host if the server is secure enough. Did I read that right?

I am the founder of Nestybox and we’ve developed a solution that allows running Docker-in-Docker without using privileged containers. It’s still experimental, but we are looking for early adopters. If you want to run Docker-in-Docker securely, with total isolation between the Docker in the container and the Docker on the host, check it out at www.nestybox.com.