Docker-in-docker vs mounting /var/run/docker.sock

docker-in-docker has some stability issues.

--privileged basically makes root in your container be full root on the host. It can manage kernel params, it has all capabilities, etc.

See https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/ for more information.

I, personally, don’t have a problem with using the docker socket to run processes on a host. I’ve scripted commands to be run on hosts using ssh or chef for years. As long as I take the same precautions and considerations as I do for any other root level scripting, I don’t think it’s a terrible idea.

I am more inclined to set up TLS and use a remote docker host in my scripting rather than mount the docker socket. That lets my dockerized processes manage some other docker host that might be in a DMZ or have other security measures taken.

In some cases, such as when running jwilder/nginx-proxy, you have to have something that can talk to docker to get the events stream. I like running my processes containerized, so running docker-gen in a container seems like a natural fit. Using their “Separate Containers” approach is sane.

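As an added illustration of the three settings the post contrasts (privileged mode, a mounted daemon socket, and a TLS remote host), and not code from the poster, Docker or docker-gen, the script below audits records shaped like `docker inspect` output for those settings. The container names, binds and environment values are constructed samples.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields the audit reads. Names and values are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": True,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/data:/data:ro"]},
     "Config": {"Env": ["PATH=/usr/bin", "DOCKER_HOST=tcp://build-host:2376",
                        "DOCKER_TLS_VERIFY=1"]}},
    {"Name": "/docker-gen",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/var/run/docker.sock:/tmp/docker.sock:ro"]},
     "Config": {"Env": ["PATH=/usr/bin"]}},
    {"Name": "/deployer",
     "HostConfig": {"Privileged": False, "Binds": None},
     "Config": {"Env": ["DOCKER_HOST=tcp://build-host:2375"]}},
])

DOCKER_SOCK = "/var/run/docker.sock"


def audit_container(record):
    """Return the list of risky settings found in one inspect record."""
    findings = []
    host_cfg = record.get("HostConfig", {})
    env = dict(e.split("=", 1) for e in record.get("Config", {}).get("Env", [])
               if "=" in e)
    if host_cfg.get("Privileged"):
        # --privileged: root in the container is effectively root on the host.
        findings.append("privileged")
    for bind in host_cfg.get("Binds") or []:
        # Binds look like "src:dst[:opts]"; a socket mount gives the process
        # daemon access, and the :ro option does not limit API calls over it.
        if bind.split(":")[0] == DOCKER_SOCK:
            findings.append("docker-socket-mounted")
    docker_host = env.get("DOCKER_HOST", "")
    if docker_host.startswith("tcp://") and env.get("DOCKER_TLS_VERIFY") != "1":
        # Remote daemon reachable over plain TCP with no client TLS verification.
        findings.append("remote-docker-without-tls")
    return findings


def audit(inspect_json):
    """Map each container name to its findings."""
    return {c["Name"]: audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        print(name, found or "ok")
```

Feed it the real output of `docker inspect $(docker ps -q)` to get the same report for a live host.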