Docker Community Forums

Docker-in-docker vs mounting /var/run/docker.sock


(Sgillespie) #1

I’m interested in a quick security rundown of those two options. I know they are both bad, but which is worse?

Functionally, I’d say a dind container is much easier in my case (running docker builds from CI).

It seems to me that dind would give me slightly better isolation, but I’m not sure exactly what --privileged bypasses. Thoughts?


(Jeff Anderson) #2

docker-in-docker has some stability issues.

--privileged basically makes root in your container be full root on the host. It can manage kernel params, it has all capabilities, etc.

See https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/ for more information.

I, personally, don’t have a problem with using the docker socket to run processes on a host. I’ve scripted commands to be run on hosts using ssh or chef for years. As long as I take the same precautions and considerations as I do for any other root level scripting, I don’t think it’s a terrible idea.

I am more inclined to set up TLS and use a remote docker host in my scripting rather than mount the docker socket. That lets my dockerized processes manage some other docker host that might be in a DMZ or have other security measures taken.

In some cases, such as when running jwilder/nginx-proxy, you have to have something that can talk to docker to get the events stream. I like running my processes containerized, so running docker-gen in a container seems like a natural fit. Using their “Separate Containers” approach is sane.
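A defender-side check for the two configurations contrasted above, added here as an example and not code from the thread or from Docker: it parses `docker inspect` JSON (a constructed sample is embedded; field names `HostConfig.Privileged`, `HostConfig.Binds`, `HostConfig.CapAdd` and `Mounts` are the real ones `docker inspect` emits) and flags every container that is privileged, has broad capabilities added, or has the daemon socket mounted, since each of those gives the container root-equivalent control of the host.

```python
import json
import sys

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample shaped like `docker inspect <id>...` output; not real containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-dind",
     "HostConfig": {"Privileged": True, "Binds": None, "CapAdd": None},
     "Mounts": []},
    {"Name": "/ci-socket",
     "HostConfig": {"Privileged": False,
                    "Binds": [DOCKER_SOCK + ":" + DOCKER_SOCK],
                    "CapAdd": None},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": [], "CapAdd": ["NET_BIND_SERVICE"]},
     "Mounts": []},
])


def host_control_findings(inspect_json):
    """Map container name -> list of reasons it can control the host (empty map if none)."""
    findings = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        host_config = container.get("HostConfig") or {}
        issues = []
        if host_config.get("Privileged"):
            issues.append("privileged: container root is effectively host root "
                          "(all capabilities, kernel params, all devices)")
        caps = host_config.get("CapAdd") or []
        if "ALL" in caps or "SYS_ADMIN" in caps:
            issues.append("broad capabilities added: %s" % ", ".join(caps))
        # Socket can appear as a -v bind string ("src:dst[:opts]") and/or a Mounts entry.
        sources = [b.split(":")[0] for b in (host_config.get("Binds") or [])]
        sources += [m.get("Source", "") for m in (container.get("Mounts") or [])]
        if DOCKER_SOCK in sources:
            issues.append("docker socket mounted: any process in the container "
                          "can start privileged containers on the host via the API")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 check_host_control.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, issues in host_control_findings(data).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```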


(Sgillespie) #3

This is exactly what I was looking for.

That lets my dockerized processes manage some other docker host that might be in a DMZ or have other security measures taken.

I’m not sure I understand the rationale here. It sounds like you’re saying it’s okay to use a remote docker host if the server is secure enough. Did I read that right?