There are two well known ways of launching Docker containers from inside a Docker container: Docker-in-Docker (DinD) and Docker-out-of-Docker (DooD).
DinD runs the Docker daemon inside a Docker container. This means that child containers are created inside the parent container. Docker has an official image for it in Docker Hub (search for “dind”). It’s easy to set up but has a caveat: the outer container must be a privileged container, which means it’s not secure. Depending on your security requirements it may not be a viable solution.
DooD is the solution where you run the Docker CLI inside a container, and connect it to the host’s Docker by virtue of mounting the /var/run/docker.sock into the container. It’s easy to set up too, but has some drawbacks that stem from the fact that the container is launched from a different context than where it actually runs (i.e., it’s launched from within a parent container, but runs as a sibling of that parent container). Again, depending on your scenario those drawbacks may rule out use of this solution.
I wrote a blog on DinD vs DooD here.
I am the founder of Nestybox, and we have developed a solution that runs Docker-in-Docker without using privileged containers, with total isolation between the Docker in the container and the Docker on the host. The solution is in an experimental stage, and we are looking for early adopters. In fact, our goal is to enable Docker containers to run any workloads (apps or system-level workloads such as Docker), much like a VM does.
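An added example (not from the answer above and not Nestybox code) of the DooD drawback the answer describes: because the child is a sibling launched by the host daemon, any `-v` source path you pass from inside the parent container is interpreted against the host filesystem, not the parent's. The script below translates a parent-container path to the host path using the parent's own bind-mount table, and refuses paths the host daemon cannot see. The mount table here is constructed sample data in the `<destination>=<source>` form that `docker inspect -f '{{range .Mounts}}{{.Destination}}={{.Source}}{{"\n"}}{{end}}' "$(hostname)"` prints when run inside a DooD container; the function and variable names are this example's own.

```shell
#!/bin/sh
# DooD path translation helper (added example, not from the original post).
# Inside a container that only has /var/run/docker.sock mounted, running
#   docker run -v /work/src:/src ...
# asks the HOST daemon for /work/src, which is the parent's view, not the host's.

# Constructed sample of the parent container's bind mounts: <dest>=<source>.
# In a real DooD container, obtain it with:
#   docker inspect -f '{{range .Mounts}}{{.Destination}}={{.Source}}{{"\n"}}{{end}}' "$(hostname)"
SAMPLE_MOUNTS='/var/run/docker.sock=/var/run/docker.sock
/work=/home/me/proj
/work/cache=/var/cache/ci'

# dood_host_path MOUNTS CONTAINER_PATH
# Prints the host path that backs CONTAINER_PATH and returns 0. Returns 1 and
# prints nothing when no bind mount covers it: such a path exists only in the
# parent's filesystem, and the host daemon would silently create an empty
# directory at the literal path instead of mounting what you meant.
dood_host_path() {
  mounts=$1
  cpath=$2
  best_dest=
  best_src=
  while IFS='=' read -r dest src; do
    [ -n "$dest" ] || continue
    case "$cpath" in
      "$dest"|"$dest"/*)
        # Keep the longest (most specific) matching mount, e.g. /work/cache over /work.
        if [ "${#dest}" -gt "${#best_dest}" ]; then
          best_dest=$dest
          best_src=$src
        fi
        ;;
    esac
  done <<EOF
$mounts
EOF
  [ -n "$best_dest" ] || return 1
  rest=${cpath#"$best_dest"}
  printf '%s\n' "${best_src}${rest}"
}

# dood_child_run MOUNTS CONTAINER_SRC CONTAINER_DEST IMAGE
# Builds the sibling-container `docker run` line with the -v source rewritten
# for the host daemon; refuses sources the host cannot see.
dood_child_run() {
  hpath=$(dood_host_path "$1" "$2") || {
    echo "refusing: $2 is not visible to the host daemon (no bind mount covers it)" >&2
    return 1
  }
  printf 'docker run --rm -v %s:%s %s\n' "$hpath" "$3" "$4"
}

# Usage: translate the parent's /work/src before handing it to the host daemon.
dood_child_run "$SAMPLE_MOUNTS" /work/src /src alpine
```

The same reasoning applies to anything else the child receives by host path (`--env-file`, `--cidfile`, `-v` for the build context); with DinD the child's daemon lives inside the parent, so parent paths are the right ones and no translation is needed, at the cost of the `--privileged` outer container the answer mentions.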