Is it ok to run docker from inside docker?

Question

I'm running Jenkins inside a Docker container. I wonder if it's ok for the Jenkins container to also be a Docker host? What I'm thinking about is to start a new docker container for each integration test build from inside Jenkins (to start databases, message brokers etc). The containers should thus be shut down after the integration tests are completed. Is there a reason to avoid running docker containers from inside another docker container in this way?

Recommended answer

Running Docker inside Docker (a.k.a. dind), while possible, should be avoided, if at all possible. (Source provided below.) Instead, you want to set up a way for your main container to produce and communicate with sibling containers.

Jérôme Petazzoni — the author of the feature that made it possible for Docker to run inside a Docker container — actually wrote a blog post saying not to do it. The use case he describes matches the OP's exact use case of a CI Docker container that needs to run jobs inside other Docker containers.

Petazzoni lists two reasons why dind is troublesome:

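  1. It does not cooperate well with Linux Security Modules (LSM).
  2. It creates a mismatch in file systems that creates problems for the containers created inside parent containers.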

From that blog post, he describes the following alternative,

[The] simplest way is to just expose the Docker socket to your CI container, by bind-mounting it with the -v flag.

Simply put, when you start your CI container (Jenkins or other), instead of hacking something together with Docker-in-Docker, start it with:

docker run -v /var/run/docker.sock:/var/run/docker.sock ...

Now this container will have access to the Docker socket, and will therefore be able to start containers. Except that instead of starting "child" containers, it will start "sibling" containers.
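
An added example, not part of the original answer: once CI containers are started with the socket bind-mounted as above, it is useful to be able to list which containers on a host hold it. The sketch below classifies records from `docker inspect` output; the sample JSON, the container names and the `classify`/`audit` helpers are constructed for illustration, and the privileged check reflects the mode Docker-in-Docker is normally run in.

```python
import json

# Host paths of the Docker daemon socket. /var/run is a symlink to /run on
# most current Linux distributions, so both spellings are checked.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample, shaped like the JSON array `docker inspect` prints.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/jenkins",
     "HostConfig": {"Privileged": False},
     "Mounts": [
         {"Type": "bind", "Source": "/var/run/docker.sock",
          "Destination": "/var/run/docker.sock", "RW": True},
         {"Type": "volume", "Name": "jenkins_home",
          "Destination": "/var/jenkins_home", "RW": True}]},
    {"Name": "/it-postgres", "HostConfig": {"Privileged": False}, "Mounts": []},
    {"Name": "/old-ci", "HostConfig": {"Privileged": True}, "Mounts": None},
])


def classify(container):
    """Return 'sibling-launcher', 'privileged' or 'plain' for one record."""
    mounts = container.get("Mounts") or []  # tolerate a missing or null list
    for mount in mounts:
        # A bind mount whose host side is the daemon socket means this
        # container can start sibling containers on the host's daemon.
        if mount.get("Type") == "bind" and mount.get("Source") in SOCKET_PATHS:
            return "sibling-launcher"
    # No socket mount: flag --privileged containers (the dind-style setup).
    if (container.get("HostConfig") or {}).get("Privileged"):
        return "privileged"
    return "plain"


def audit(inspect_json):
    """Map container name -> classification for a `docker inspect` array."""
    report = {}
    for record in json.loads(inspect_json):
        name = record.get("Name", "?").lstrip("/")  # inspect prefixes "/"
        report[name] = classify(record)
    return report


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_INSPECT).items():
        print(f"{name:12} {kind}")
```

On a real host the input would be the output of `docker inspect` for the running containers instead of the embedded sample.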
