
Running Docker Inside Docker: Three Methods and Practical Guide

This article explains three approaches for running Docker inside a Docker container—mounting the Docker socket, using the Docker‑in‑Docker (dind) image, and employing the Sysbox runtime—along with step‑by‑step commands, security considerations, and common FAQs for CI/CD pipelines.

DevOps Cloud Academy

In this blog I introduce three different methods for running Docker inside Docker.

Purpose of Docker‑in‑Docker

CI pipelines often need to build Docker images after a successful code build and push them to a registry.

When using Jenkins Docker dynamic agents for CI/CD, Docker‑in‑Docker is essential.

Sandbox environments.

Experimental work on a local development workstation.

Running Docker in a Docker Container

Three ways to achieve Docker‑in‑Docker:

Mount /var/run/docker.sock (the DooD method).

Use the official dind image.

Use the Nestybox Sysbox Docker runtime.

Make sure Docker is installed on the host before trying these setups.

Method 1: Using /var/run/docker.sock

/var/run/docker.sock is the default Unix socket that the Docker daemon listens on, allowing processes on the same host to communicate with Docker.

Example command to query the Docker engine version via the socket:

curl --unix-socket /var/run/docker.sock http://localhost/version

To run Docker inside a container, simply mount the Docker socket as a volume:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
           -ti docker-image

Note: If a container can access docker.sock, it has elevated privileges over the Docker daemon, so be aware of the security implications.

From inside the container you can now execute Docker commands (build, push, etc.) which are actually performed by the Docker engine on the host VM.

Test the setup with the official Docker image that contains the Docker binary:

docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker

Inside the container run:

docker pull ubuntu

List images to see both the pulled Ubuntu image and any host images:

docker images

Create a test directory and a Dockerfile:

mkdir test && cd test
vi Dockerfile

Sample Dockerfile content:

FROM ubuntu:18.04
LABEL maintainer="Bibin Wilson"
RUN apt-get update && \
    apt-get -qy full-upgrade && \
    apt-get install -qy curl && \
    curl -sSL https://get.docker.com/ | sh

Build the image:

docker build -t test-image .

Method 2: Docker‑in‑Docker (dind)

This method creates a child container inside the parent container and should only be used when you truly need nested containers and images.

Use the official Docker image tagged with dind, which includes the necessary utilities to run Docker inside Docker.

Note: The container must run in privileged mode.

Steps:

docker run --privileged -d --name dind-test docker:dind

Enter the container:

docker exec -it dind-test /bin/sh

Then perform the same build and image commands as in Method 1.

Method 3: Using Sysbox Runtime

Both Method 1 and Method 2 require privileged containers, which have security drawbacks. Nestybox’s Sysbox runtime mitigates this by allowing containers to run systemd, Docker, and Kubernetes without privileged access.

Install the Sysbox runtime following the official documentation, then start a Docker container with the Sysbox runtime flag:

docker run --runtime=sysbox-runc --name sysbox-dind -d docker:dind

Enter the container:

docker exec -it sysbox-dind /bin/sh

You can now build images with a Dockerfile as shown earlier.

Key Considerations

Use Docker‑in‑Docker only when necessary; test thoroughly before adopting it in workflows.

When running containers in privileged mode, obtain approval from your security team.

Running Docker inside Kubernetes containers presents additional challenges; refer to related blogs for details.

If you plan to use Nestybox Sysbox, ensure it has been vetted and approved by architecture/security teams.

Frequently Asked Questions

Is running Docker inside Docker safe?

Both the docker.sock and dind methods grant full privileges to the Docker daemon, making them less secure.

How to run Docker inside Docker on Jenkins?

Configure Jenkins dynamic Docker agents and mount docker.sock into the agent containers so Docker commands can be executed from within the agents.
