sharing docker.sock or docker in docker (dind)

Question

We're running a mesos cluster and jenkins for continuous integration workflow. Jenkins is configured with the mesos plugin.

Previously we built our docker images in mesos containers. Now we are switching to docker containers for building our docker images.

I've been searching for the advantage of building our docker images inside a docker container with dind image like this one "dind-jenkins-slave" found on docker hub.

With dind you lose the caching opportunities when sharing the docker.sock of the host. And with dind you also have to push the privileged parameter.

What is the downside of just sharing the docker.sock of the host?

Answer 1

I'm using sharing docker.sock approach. The only downside which I see is security - you could do everything what you want with the host when you could run any docker containers. But if you trust people who create jobs or could control which docker containers with which options could be run from jenkins then giving access to main docker daemon is easy solution.

Answer 2

It depends on what you're doing, really. To get our jenkins jobs truly isolated so that we can run as many as we want in parallel, we switched to DinD. If you share the host socket you still only have a single docker daemon- port conflicts, pulling/pushing multiple images from separate jobs, and one job relying on an image or build that is also being messed with by another job are all issues.

To get around the caching issue, I create the dind container and leave it around. I run

docker start -a dindslave || docker run -v ${WORKSPACE}:/data my/dindimage jenkinscommands.sh

Then jenkins just writes its commands to jenkinscommands.sh and restarts the container every time. When you remove the container you remove your cache as well, and you don't share caches between jobs if that is something you want... but you don't have to think about jobs interfering with one another or making sure they are running on the same host.