DinD在docker容器跑docker

DinD 也就是 Docker-in-Docker，容器里单独跑一个 dockerd，它有自己的 /var/lib/docker、自己的镜像、容器、网络、volume。宿主机 Docker 只看到一个 dind 容器，看不到里面创建的子容器

1
services:
2
  dev:
3
    image: ubuntu:24.04
4
    container_name: dev-env
5
    command: sleep infinity
6
    working_dir: /workspace
7
    volumes:
8
      - .:/workspace
9
    environment:
10
      DOCKER_HOST: tcp://docker:2375
11
    depends_on:
12
      - docker
13

14
  docker:
15
    image: docker:dind
16
    container_name: dev-docker
17
    privileged: true
18
    environment:
19
      DOCKER_TLS_CERTDIR: ""
20
    volumes:
21
      - dind-data:/var/lib/docker
22

23
volumes:
24
  dind-data:

进入容器运行

1
apt update
2
apt install -y docker.io docker-compose-plugin
3

4
docker ps
5
docker run --rm hello-world

docker 通常需要 privileged: true，隔离的是 Docker daemon 数据和对象，不是完整虚拟机级隔离；底层 kernel 仍然是宿主机 kernel。Docker 官方文档也说明容器默认有一定隔离

最佳#

示例目录#

1
dev-dind/
2
├── docker-compose.yml
3
├── Dockerfile
4
└── ssh/
5
    └── authorized_keys

生成ssh密钥对#

1
ssh-keygen -t ed25519 -C "dev-container"

复制密钥#

1
mkdir -p ssh
2
cp ~/.ssh/id_ed25519.pub ssh/authorized_keys

创建dockerfile与docker-compose.yml#

1
FROM docker:27-cli AS docker-cli
2

3
FROM ubuntu:24.04
4

5
ENV DEBIAN_FRONTEND=noninteractive
6

7
ENV DOCKER_HOST=tcp://dind:2375
8

9
RUN echo 'export DOCKER_HOST=tcp://dind:2375' > /etc/profile.d/docker-host.sh \
10
    && echo 'export DOCKER_HOST=tcp://dind:2375' >> /home/dev/.bashrc \
11
    && echo 'export DOCKER_HOST=tcp://dind:2375' >> /root/.bashrc
12

13
RUN apt-get update \
14
    && apt-get install -y --no-install-recommends \
15
        openssh-server \
16
        bash \
17
        git \
18
        curl \
19
        nano \
20
        vim \
21
        openjdk-21-jdk \
22
        sudo \
23
        ca-certificates \
24
    && rm -rf /var/lib/apt/lists/*
25

26
COPY --from=docker-cli /usr/local/bin/docker /usr/local/bin/docker
27
COPY --from=docker-cli /usr/local/libexec/docker/cli-plugins/docker-compose /usr/local/libexec/docker/cli-plugins/docker-compose
28

29
RUN chmod +x /usr/local/bin/docker \
30
    && chmod +x /usr/local/libexec/docker/cli-plugins/docker-compose
31

32
RUN useradd -m -s /bin/bash dev \
33
    && echo "dev ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
34

35
RUN mkdir -p /run/sshd \
36
    && mkdir -p /home/dev/.ssh \
37
    && chown -R dev:dev /home/dev/.ssh \
38
    && chmod 700 /home/dev/.ssh
39

40
RUN ssh-keygen -A
41

42
RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config \
43
    && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config \
44
    && echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
45

46
WORKDIR /workspace
47

48
CMD ["/usr/sbin/sshd", "-D", "-e"]

这里自行决定要不要java

1
services:
2
  dev:
3
    build: .
4
    container_name: dev-ssh
5
    ports:
6
      - "2222:22"
7
    volumes:
8
      - .:/workspace
9
      - ./ssh/authorized_keys:/home/dev/.ssh/authorized_keys:ro
10
    environment:
11
      DOCKER_HOST: tcp://dind:2375
12
    depends_on:
13
      - dind
14
    networks:
15
      - devnet
16

17
  dind:
18
    image: docker:27-dind
19
    container_name: dev-dind
20
    privileged: true
21
    environment:
22
      DOCKER_TLS_CERTDIR: ""
23
    volumes:
24
      - dind-data:/var/lib/docker
25
    networks:
26
      - devnet
27

28
volumes:
29
  dind-data:
30

31
networks:
32
  devnet:

1
docker compose up -d --build
2
ssh dev@127.0.0.1 -p 2222