
Running Docker Inside Docker: Three Practical Methods and How‑to Guide

This article explains three ways to run Docker inside a Docker container—mounting the host Docker socket, using the Docker‑in‑Docker (dind) image, and employing the Sysbox runtime—along with step‑by‑step commands, security considerations, and common FAQs for CI/CD pipelines.

DevOps Cloud Academy

In this tutorial we introduce three different methods for running Docker inside Docker and discuss their typical use cases such as CI pipelines, dynamic Jenkins agents, sandbox environments, and local experimentation.

Docker‑in‑Docker Use Cases

CI pipelines where you need to build and push Docker images after a successful code build.

Dynamic Jenkins Docker agents for CI/CD workflows.

Sandbox environments for testing.

Local development workstations for experimental purposes.

Method 1: Mounting /var/run/docker.sock (Docker‑on‑Docker)

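The Unix socket /var/run/docker.sock allows processes on the same host to communicate with the Docker daemon. By mounting this socket into a container you can run Docker commands from inside the container; those commands are executed by the host's daemon, not by a daemon inside the container. For example, you can query the daemon's version through the socket: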

curl --unix-socket /var/run/docker.sock http://localhost/version

Run Docker with the socket mounted as a volume:

docker run -v /var/run/docker.sock:/var/run/docker.sock \
    -ti docker-image

Note: Giving a container access to docker.sock grants it full control over the host's Docker daemon, which is effectively root access on the host, so mount it only into containers you trust.

Test the setup with the official Docker image that contains the Docker binary:

docker run -v /var/run/docker.sock:/var/run/docker.sock -ti docker

Inside the container you can pull an image, list images, and build a new image using a Dockerfile:

docker pull ubuntu
docker images
mkdir test && cd test
vi Dockerfile

Add the following contents to the Dockerfile:

FROM ubuntu:18.04
LABEL maintainer="Bibin Wilson"
RUN apt-get update && \
    apt-get -qy full-upgrade && \
    apt-get install -qy curl && \
    curl -sSL https://get.docker.com/ | sh

Then build the image:

docker build -t test-image .

Method 2: Docker‑in‑Docker (dind)

This method creates a nested Docker daemon inside a container using the official docker:dind image. It requires the container to run in privileged mode.

Note: The container must be started with --privileged.

docker run --privileged -d --name dind-test docker:dind
docker exec -it dind-test /bin/sh

After entering the dind container you can repeat the same steps as in Method 1 to pull images and build Dockerfiles.

Method 3: Using Sysbox Runtime

To avoid privileged mode, the Sysbox runtime from Nestybox allows containers to run systemd, Docker, and Kubernetes without elevated host privileges.

docker run --runtime=sysbox-runc --name sysbox-dind -d docker:dind
docker exec -it sysbox-dind /bin/sh

From the Sysbox container you can build images with a Dockerfile just like the previous methods.

Key Considerations

Use Docker‑in‑Docker only when necessary and test thoroughly before adopting it in production.

Obtain security approval before running containers in privileged mode.

Be aware of additional challenges when using Docker‑in‑Docker with Kubernetes.

If you plan to use Sysbox, ensure it has been vetted and approved by your architecture/security team.
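
To support the review steps above, here is an added example (not part of the original article) that reports which containers on a host use the socket mount, privileged mode, or the Sysbox runtime. The function names, the `|`-separated line layout and the sample data are assumptions made for this example, and it assumes mount paths contain no `|` or `,`.

```shell
#!/bin/sh
# Added example (not from the article): flag how each container can reach a
# Docker daemon, using the three methods the article describes.

# Template for `docker inspect`; yields name|privileged|runtime|src1,src2,
INSPECT_FMT='{{.Name}}|{{.HostConfig.Privileged}}|{{.HostConfig.Runtime}}|{{range .Mounts}}{{.Source}},{{end}}'

# classify_line LINE -> prints "name: finding [finding...]" or "name: none"
classify_line() {
    name=${1%%"|"*};    rest=${1#*"|"}
    priv=${rest%%"|"*}; rest=${rest#*"|"}
    runtime=${rest%%"|"*}
    mounts=${rest#*"|"}
    findings=""
    # Method 1: host daemon socket bind-mounted in (/var/run is usually /run).
    case ",$mounts" in
        *,/var/run/docker.sock,*|*,/run/docker.sock,*)
            findings="$findings host-socket" ;;
    esac
    # Method 2: privileged mode, as docker:dind requires.
    if [ "$priv" = "true" ]; then findings="$findings privileged"; fi
    # Method 3: Sysbox runtime, no --privileged needed.
    if [ "$runtime" = "sysbox-runc" ]; then findings="$findings sysbox"; fi
    echo "${name#/}:${findings:- none}"
}

# audit: read INSPECT_FMT lines on stdin, print one verdict per container.
audit() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then classify_line "$line"; fi
    done
}

# Constructed sample input standing in for real `docker inspect` output.
SAMPLE='/ci-agent|false|runc|/var/run/docker.sock,/home/jenkins,
/dind-test|true|runc|/var/lib/docker/volumes/abc/_data,
/sysbox-dind|false|sysbox-runc|
/web|false|runc|/srv/www,'

printf '%s\n' "$SAMPLE" | audit

# On a real host:
#   docker inspect --format "$INSPECT_FMT" $(docker ps -q) | audit
```

Containers reported as host-socket or privileged are the ones that need the security approval mentioned above.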

FAQ

Is running Docker inside Docker safe?

Both the docker.sock mount and the dind approach pose security risks: the socket mount gives the container full privileges over the host's Docker daemon, and dind requires the container to run in privileged mode.

How to run Docker inside Docker on Jenkins?

Configure a dynamic Docker agent in Jenkins, mount docker.sock into the agent container, and execute Docker commands from within the agent.
