How can I run docker command inside a docker container?

Hi gurus,

I want to use the docker build/push commands to manage Docker images (in our private registry) inside a Docker container, which would give me a lot of flexibility.

My host OS is CoreOS and the base image is Ubuntu. But I found that inside the Docker container, /usr/bin/docker is not available. I guess that was designed intentionally.

Is my request valid? Do I have an alternative way to achieve the same function?

Regards
wangyumi

1 Like

I'm not sure about CoreOS, but normally you can manage your host containers from within a container by mounting the Docker socket.

Such as

docker run -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest sh -c "apt-get update ; apt-get install docker.io -y ; bash"

or

https://registry.hub.docker.com/u/abh1nav/dockerui/

4 Likes

Thanks for your quick response.

Any ideas about how to quickly "enable" docker in a docker image by Dockerfile?

Regards,
wangyumi

Within a Dockerfile I think you can only create a data volume. You need to manually specify which host directory or file to mount as a volume when running.

http://docs.docker.com/userguide/dockervolumes/#mount-a-host-file-as-a-data-volume

Yes, anyone with direct access to the Docker socket has root privileges on the host system. Usually not what you want.

If you're running on Linux, you don't have to directly install Docker in the container at all. You can bind mount the docker binary (usually at /usr/bin/docker) directly. Note that bind mounting the socket does not give you a totally new Docker, but rather access to the existing Docker daemon from inside the container. If you want to bake in the Docker binary to an image you could always make one called laoyumi/docker or something and then to "quickly" get access to it in another image you just start the Dockerfile with from laoyumi/docker.

There is Docker in Docker but it's a little heavyweight if all you want to do is "some docker-ey stuff in containers that doesn't need to be that isolated".

2 Likes

Hi,
I wrote a Dockerfile like:
…
RUN apt-get -yqq update
VOLUME ["/var/run/docker.sock"]
RUN apt-get -yqq install docker.io

Subsequently, I built the image, ran a container and attached to it.

When I was trying to build a docker image inside the container, I got the following error:
root@fd8d47323d89:/Dockerimages/sample/2014-11-05 10:59:18.431193458 +0000 UTC# docker build .
2014/11/05 11:11:05 Cannot connect to the Docker daemon. Is 'docker -d' running on this host?

How can I let a docker client inside a docker container connect to the docker daemon on the host OS?

Regards,
wangyumi

Hi wangyumi, the commands you wrote are working!
Here is my Dockerfile (the parent is on docker hub, so you can try it out):

FROM bdruemen/jenkins-uid-from-volume
RUN apt-get -yqq update && apt-get -yqq install docker.io && usermod -g docker jenkins
VOLUME /var/run/docker.sock
ENTRYPOINT groupmod -g $(stat -c "%g" /var/run/docker.sock) docker && usermod -u $(stat -c "%u" /var/jenkins_home) jenkins && gosu jenkins /bin/tini -- /usr/local/bin/jenkins.sh

docker build .
docker run -d -v /var/run/docker.sock:/var/run/docker.sock (IMAGE)
docker exec -u jenkins (CONTAINER) bash
jenkins@8da12737527b:/$ docker images
(shows a list)

Just create a volume map for both the docker executable and the docker socket descriptor…

docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker ubuntu:latest bash

In your case, your image and the command to run are up to you, but mapping those two pieces is enough to interact with the docker executable.

5 Likes

Hi Michael,

I tried your proposal but without success. Inside the container I get this message:

root$ docker exec -it Jenkins /bin/bash
bash-4.3$ docker ps
bash: /usr/bin/docker: No such file or directory
bash-4.3$ which docker
/usr/bin/docker
bash-4.3$

Any idea? My root Docker is on Alpine Linux. Maybe it has some impact.

EDIT:
Same problem with Ubuntu

root$ docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker ubuntu:latest bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
b6f892c0043b: Pull complete
55010f332b04: Pull complete
2955fb827c94: Pull complete
3deef3fcbd30: Pull complete
cf9722e506aa: Pull complete
Digest: sha256:382452f82a8bbd34443b2c727650af46aced0f94a44463c62a9848133ecb1aa8
Status: Downloaded newer image for ubuntu:latest
root@57fb8536d5b1:/#
root@57fb8536d5b1:/#
root@57fb8536d5b1:/# docker ps
docker: error while loading shared libraries: libltdl.so.7: cannot open shared object file: No such file or directory
root@57fb8536d5b1:/#

JM.

1 Like

Same problem for me, with Alpine Linux.

The solution for me was to chmod /var/run/docker.sock with the correct rights, considering that the user/group inside the container is not the user/group on the host.

Yes, I do it like this:

(1) In the Dockerfile, just add
RUN curl -fsSLO https://get.docker.com/builds/Linux/x86_64/docker-17.03.1-ce.tgz && \
    tar --strip-components=1 -xvzf docker-17.03.1-ce.tgz -C /usr/local/bin

(2) In the docker run command, add
-v /var/run/docker.sock:/var/run/docker.sock \

(3) In the container's .bash_profile file, add
chown -R dev:dev /var/run/docker.sock

dev is the user in the container.

After searching a lot and trying all possible solutions, your simple comment was the savior. Thanks.

apt-get install -y libltdl7 solves the above issue.

Can I do this with a Windows host?

Turns out you can.

There are two well known ways of launching Docker containers from inside a Docker container: Docker-in-Docker (DinD) and Docker-out-of-Docker (DooD).

DinD runs the Docker daemon inside a Docker container. This means that child containers are created inside the parent container. Docker has an official image for it in Docker Hub (search for "dind"). It's easy to set up but has a caveat: the outer container must be a privileged container, which means it's not secure. Depending on your security requirements it may not be a viable solution.

DooD is the solution where you run the Docker CLI inside a container and connect it to the host's Docker by mounting /var/run/docker.sock into the container. It's easy to set up too, but has some drawbacks that stem from the fact that the container is launched from a different context than where it actually runs (i.e., it's launched from within a parent container, but runs as a sibling of that parent container). Again, depending on your scenario those drawbacks may void use of this solution.

I wrote a blog on DinD vs DooD here.

I am the founder of Nestybox, and we have developed a solution that runs Docker-in-Docker without using privileged containers, with total isolation between the Docker in the container and the Docker on the host. The solution is in an experimental stage, and we are looking for early adopters. In fact, our goal is to enable Docker containers to run any workloads (apps or system-level workloads such as Docker), much like a VM does.

2 Likes
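Both approaches in the post above leave a trace in `docker inspect`: DinD shows up as a privileged container, DooD as a bind mount of the daemon socket. The following is an added example, not code from the thread; it audits inspect output for both, and the sample JSON and container names are constructed.

```python
import json

# Constructed sample, trimmed to the `docker inspect` fields the audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/jenkins", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/dind", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/d/_data",
                 "Destination": "/var/lib/docker"}]},
    {"Name": "/ci", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/run", "Destination": "/host-run"}]},
    {"Name": "/web", "HostConfig": {"Privileged": False}, "Mounts": []},
])

# Default socket locations; /var/run is usually a symlink to /run.
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def exposes_socket(mount):
    """True if a bind mount hands over the daemon socket, either directly
    or through a parent directory such as /run, /var/run or /."""
    if mount.get("Type") != "bind" or not mount.get("Source"):
        return False
    src = mount["Source"].rstrip("/")  # "/" becomes "", which prefixes every path
    return any(sock == src or sock.startswith(src + "/") for sock in SOCKET_PATHS)


def audit(inspect_json):
    """Map container name -> reasons it has host-level reach."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = []
        if (c.get("HostConfig") or {}).get("Privileged"):
            reasons.append("privileged")
        if any(exposes_socket(m) for m in c.get("Mounts") or []):
            reasons.append("docker-socket")
        if reasons:
            findings[c.get("Name", "?").lstrip("/")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a real host, pass it the output of `docker inspect $(docker ps -q)` instead of the sample.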

Messed up the link to the DinD vs DooD post: it's here

May I know what is the right or chmod number you set? Thank you in advance.
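Because the socket is bind-mounted, a chmod or chown run inside the container changes the host's socket as well, so it helps to see what the current mode actually grants. The following is an added example, not code from the thread: it reports who can reach a socket and which GID could be passed to `docker run --group-add` (the same idea as the `groupmod -g $(stat -c "%g" ...)` line in the Jenkins Dockerfile above). The throwaway socket in `demo()` is a constructed stand-in for docker.sock.

```python
import os
import socket
import stat
import tempfile


def socket_access_report(path="/var/run/docker.sock"):
    """Describe who can reach the Docker socket at `path`."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": oct(mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        # On Linux, connect() needs write permission on the socket file,
        # so the "other" write bit means every local user can use the daemon.
        "world_writable": bool(mode & stat.S_IWOTH),
        # GID to hand to `docker run --group-add` so the container user gets
        # access through the socket's group, without touching its mode or owner.
        "group_add": st.st_gid if mode & stat.S_IWGRP else None,
    }


def demo():
    """Report on a temporary socket at mode 660 and again after chmod 666."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "docker.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.bind(path)
            os.chmod(path, 0o660)
            before = socket_access_report(path)
            os.chmod(path, 0o666)
            after = socket_access_report(path)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("660", "666"), demo()):
        print(label, report)
```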

I was looking for the container IP with the docker inspect command.
I am running containers with docker-compose. I mounted /var/run/docker.sock in docker-compose's volumes section; after that I was able to run docker commands with Python scripts.