Can docker container be run inside other docker container?


I'm using jupyterhub with docker spawner, and what the second does is, when a user enters jupyterhub, it runs a docker container for him. I'd like to containerize jupyterhub now, and use something like this: https://hub.docker.com/r/jupyterhub/jupyterhub/ but my question is (I'm new to this): if jupyterhub runs inside a container and it spawns user containers, do these containers run inside the first one, or on my computer separately from it?

Yes. You will need to create the container using privileged mode and also share the docker socket. Apart from that you will need docker client available inside the actual image:

docker run -ti --privileged -v /var/run/docker.sock:/var/run/docker.sock <your image>

Reference: https://itnext.io/docker-in-docker-521958d34efd


Yes, this is possible, usually referred to as docker in docker or dind for short, and not recommended (even by Jérôme Petazzoni, who contributed the patch to make it possible. You can find a longer explanation in his blog post.)

However, if you just want to be able to build and run docker containers from within another container on your host, you can make your container "docker capable":

It requires usually only two things for the docker capable container (the one from which docker is going to be used, in your case the jupyterhub container):

  1. The docker socket has to be mounted in the container (example: docker run -v /var/run/docker.sock:/var/run/docker.sock <image>)
  2. The docker-cli (the docker client) has to be installed in the docker container

Note that the docker capable container does not have its own docker daemon. It'll just be able to use the host's docker daemon, which means that there won't be another "docker layer" inside of your docker capable container, and any docker container (started from the host or from docker capable containers) runs within the same context as your host.

This means that you won't gain any additional isolation, and it can be confusing, especially if you are using host mounts. Consider this example:

  1. You have the folder /data on your host with the files test1.txt and test2.txt
  2. Container A is a docker capable container with the folder /data and the files test3.txt and test4.txt (Container A does not have any host mounted volumes)
  3. You execute docker run --name B -v /data:/data debian:stretch ls /data from within your Container A --> A new Container B is launched on your host, initiated through Container A --> The output will be test1.txt test2.txt because it will still run in the context of your host, and the host mount always refers to your host's filesystem.

Also note that having access to a container which has the docker socket mounted gives any user from the docker group in that container pretty much root access to your host, even without running the docker capable container with --privileged. (Which is only needed for real dind.)
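As an added example (not from the thread), a small Python audit that reads the JSON printed by `docker inspect` and flags the two settings the answers above discuss: a bind mount of the host's docker socket, and `--privileged`. The container records below are constructed sample data; in real use feed it the output of `docker inspect $(docker ps -q)`.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"


def audit_container(entry):
    """Flag one `docker inspect` record (a dict) for the two risky settings."""
    findings = []
    name = entry.get("Name", "").lstrip("/")
    if entry.get("HostConfig", {}).get("Privileged"):
        findings.append((name, "privileged"))
    for mount in entry.get("Mounts", []):
        # A bind mount of the daemon socket hands the container control of the
        # host's daemon. RW is ignored on purpose: a read-only bind of a UNIX
        # socket still allows connect(), so ":ro" buys no protection here.
        if mount.get("Type") == "bind" and mount.get("Source", "").rstrip("/") == DOCKER_SOCK:
            findings.append((name, "docker-socket"))
    return findings


def audit(inspect_json):
    """Audit the full JSON array printed by `docker inspect <ids...>`."""
    findings = []
    for entry in json.loads(inspect_json):
        findings.extend(audit_container(entry))
    return findings


# Constructed sample: a "docker capable" hub container with the socket
# mounted, and a spawned user container that only bind-mounts /data.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/jupyterhub",
        "HostConfig": {"Privileged": False},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
        ],
    },
    {
        "Name": "/jupyter-alice",
        "HostConfig": {"Privileged": False},
        "Mounts": [
            {"Type": "bind", "Source": "/data", "Destination": "/data", "RW": True},
        ],
    },
])

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_INSPECT):
        print(f"{name}: {issue}")
```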