Can I run Docker-in-Docker without using the --privileged flag

I'd like to use Docker-in-Docker; however, the --privileged flag gives blanket access to devices. Is there a way to run this using a combination of volumes and cap-add etc. instead?

Michael Barton, asked Apr 13 '15 18:04


2 Answers

Unfortunately no: you must use the --privileged flag to run Docker in Docker. You can take a look at the official announcement, where they state this is one of the many purposes of the --privileged flag.

Basically, you need more access to the host system devices to run docker than you get when running without --privileged.

Michael, answered Sep 26 '22 23:09


Yes, you can run docker in docker without the --privileged flag. It involves mounting the docker socket to the container like so:

   # Talk to the host's daemon through its Unix socket, and mount the CLI in too.
   # Mounting the host binary works only if it is statically linked (alpine has no glibc).
   docker run -it -v /var/run/docker.sock:/var/run/docker.sock \
               -v $(which docker):/bin/docker \
               alpine docker ps -a

That is going to mount the docker socket and executable into the container and run docker ps -a within the alpine container. Jérôme Petazzoni, who authored the dind example and did a lot of the work on the --privileged flag, had this to say about docker in docker:

https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/

I have been using this approach for a while now and it works pretty well.

The caveat with this approach is that things get funky with storage. You're better off using data volume containers or named data volumes rather than mounting directories. Since you're using the docker socket from the host, any directories you want to mount within a child container need to be from the context of the host, not the parent container. It gets weird. I have had better luck with data volume containers.

Ryan J. McDonough, answered Sep 22 '22 23:09
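An added example, not part of either answer, that makes the "host context" rule from the second answer concrete. When the parent container talks to the host's socket, the daemon resolves every -v source against the host filesystem, so a path the parent sees through its own bind mount has to be translated back before it is handed to a child; a named volume needs no translation because volume names are scoped to the daemon. Keep in mind that whoever can write to that socket can start a container with -v /:/host and is effectively root on the host, so the socket is a different packaging of host access, not less of it. Everything here is assumed for illustration: the host directory /srv/build mounted at /work in the parent, the volume name shared-data, and the helpers host_path_for and child_bind_arg.

```shell
#!/bin/sh
# Added example (not from the original answers): translate a parent-container
# path into the host path the daemon expects, then bind-mount it into a child
# started over the host's socket. Assumed setup: the parent was started with
#   docker run -v /srv/build:/work -v /var/run/docker.sock:/var/run/docker.sock ...
set -eu

# host_path_for CONTAINER_PATH HOST_DIR CONTAINER_DIR
# Prints the host path corresponding to CONTAINER_PATH, given that HOST_DIR
# (host side) is mounted at CONTAINER_DIR inside the parent. Fails, printing
# nothing, when CONTAINER_PATH lies outside CONTAINER_DIR: handing such a path
# to the daemon would bind (or silently create) an unrelated host directory.
host_path_for() {
    cpath=$1; hdir=$2; cdir=$3
    case "$cpath" in
        "$cdir")    printf '%s\n' "$hdir" ;;                        # the mount point itself
        "$cdir"/*)  printf '%s%s\n' "$hdir" "${cpath#"$cdir"}" ;;   # something below it
        *)          return 1 ;;                                     # /workspace, /tmp, ...
    esac
}

# child_bind_arg CONTAINER_PATH HOST_DIR CONTAINER_DIR DEST
# Builds the -v source:dest argument for a child container, with the source
# already rewritten into host context.
child_bind_arg() {
    src=$(host_path_for "$1" "$2" "$3") || return 1
    printf '%s:%s\n' "$src" "$4"
}

demo() {
    hdir=${PARENT_HOST_DIR:-/srv/build}   # host side of the parent's bind mount (assumed)
    cdir=${PARENT_DIR:-/work}             # where the parent sees it (assumed)

    # Bind mount: the source must be the HOST path, so translate first.
    docker run --rm -v "$(child_bind_arg "$cdir/src" "$hdir" "$cdir" /src)" alpine ls /src

    # Named volume: the name is resolved by the daemon, nothing to translate.
    docker volume create shared-data >/dev/null
    docker run --rm -v shared-data:/data alpine sh -c 'echo from-child-1 > /data/note'
    docker run --rm -v shared-data:/data alpine cat /data/note

    # What socket access really means: a child like this is root on the host.
    # docker run --rm -v /:/host alpine chroot /host id
}

# Only talk to a daemon when explicitly asked, e.g.  DIND_DEMO=1 sh dind-paths.sh
if [ "${DIND_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run it inside the socket-mounted parent with DIND_DEMO=1; without that variable it only defines the helpers, which is also how you would source it from a CI script. The prefix check in host_path_for is the part worth keeping: a parent path such as /workspace/x must not be mistaken for something under /work, and a path the parent owns but the host does not (its own writable layer) has no host equivalent at all, which is exactly the case where a named volume is the right tool.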