Docker-in-Docker Approaches
Taradutt Pant
Cybersecurity Solution Architect | Trusted Advisor | Championing Cybersecurity Awareness & Strategy | Know Your Limits. Become Limitless.
There are two well-known options for running Docker inside a container:
Docker-in-Docker (DinD): In the DinD approach, the Docker daemon runs inside a container and any (child) containers it creates exist inside said container (i.e., child containers are nested inside the parent container).
Docker provides a DinD container image that comes with a Docker daemon inside of it.
It’s very easy to set up, but there’s a catch: it requires that the Docker daemon container be configured as a “privileged” container, as shown below.
Running a privileged container reduces isolation between the container and the underlying host and creates security risks, because the init process inside the container runs with the same privileges as the root user on the host. See here and here for detailed explanations on the drawbacks.
It may be a viable (though risky) solution in trusted environments, but it’s not a viable solution in environments where you don’t trust the workloads running inside the DinD container. For this reason, use of DinD is generally not recommended by Docker (even though it’s officially supported).
Docker-out-of-Docker (DooD): In the DooD approach, only the Docker CLI runs in a container and connects to the Docker daemon on the host. The connection is made by mounting the host's Docker socket into the container that runs the Docker CLI. For example:
$ docker run -it -v /var/run/docker.sock:/var/run/docker.sock docker
In this approach, containers created from within the Docker CLI container are actually sibling containers (spawned by the Docker daemon in the host). There is no Docker daemon inside a container and thus no container nesting. It has been nicknamed Docker-out-of-Docker (DooD).
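Both patterns above leave a fingerprint in `docker inspect` output: a DinD daemon container has `HostConfig.Privileged` set to true, and a DooD CLI container bind-mounts `/var/run/docker.sock`. The following audit script is an added example, not part of the original article; it reads the JSON that `docker inspect` prints and classifies each container. The container names and the trimmed inspect JSON are constructed sample data, and the function names (`classify`, `audit`, `mounts_docker_socket`) are this example's own.

```python
"""Audit `docker inspect` output for the DinD and DooD patterns.

Added example, not from the original article. Flags containers that run
with --privileged (the DinD pattern) or bind-mount the host's Docker socket
(the DooD pattern). SAMPLE_INSPECT is constructed sample data, trimmed to
the fields the check reads; real output has many more fields.
"""
import json

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample: a DinD daemon container, a DooD CLI container and an
# ordinary web container.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/dind-daemon",
        "HostConfig": {"Privileged": True, "Binds": []},
        "Mounts": [],
    },
    {
        "Name": "/dood-cli",
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock"}
        ],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False,
                       "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html"}],
    },
])


def mounts_docker_socket(container: dict) -> bool:
    """True if the host Docker socket is bind-mounted into the container.

    Checks both HostConfig.Binds (the -v strings as given) and the resolved
    Mounts list, since either may be the one populated depending on how the
    container was created (docker run, compose, API)."""
    binds = container.get("HostConfig", {}).get("Binds") or []
    if any(b.split(":")[0] == DOCKER_SOCKET for b in binds):
        return True
    mounts = container.get("Mounts") or []
    return any(m.get("Type") == "bind" and m.get("Source") == DOCKER_SOCKET
               for m in mounts)


def classify(container: dict) -> str:
    """Return 'dind' (privileged container), 'dood' (socket mounted),
    'dind+dood' if both, or 'ok' if neither pattern is present."""
    privileged = bool(container.get("HostConfig", {}).get("Privileged"))
    socket = mounts_docker_socket(container)
    if privileged and socket:
        return "dind+dood"
    if privileged:
        return "dind"
    if socket:
        return "dood"
    return "ok"


def audit(inspect_json: str) -> dict:
    """Map each container name (without the leading slash that
    `docker inspect` adds) to its classification."""
    containers = json.loads(inspect_json)
    return {c["Name"].lstrip("/"): classify(c) for c in containers}


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) | python3 this_script.py
    for name, verdict in audit(SAMPLE_INSPECT).items():
        print(f"{name:12s} {verdict}")
```

A "dood" verdict is a finding to review, not a pass: a container that can reach the host's Docker socket can ask the host daemon to start further containers with any mounts or privileges it likes, so it should only be granted to workloads trusted to the same degree as root on the host.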