I heard that the 1.3.0 comes with new flags for running docker in docker without the privileged mode (http://jaxenter.com/whats-new-docker-1-3-111657.html) but I couldn't find anything more than that, any idea on what to do?

Is there a simple way to do the following:

• Given an outer dind instance
• Execute a container that EXPOSEs port 4444
• Access the inner container's port 4444 from outside the dind container

I can think of crude ways to do it, like:

• Restart the whole dind with 4444 now exposed
• Initially create my dind instance with all ports EXPOSEd

... and maybe there's some iptables magic you can do (seems subversive to docker itself).

Is there a simple way to do this that I'm missing?

Run inside dind, any docker build command that includes compiling packages from source with the -j option to paralellize compilation fails randomly with the error:

    mkdir: can't create directory 'some/name': No such file or directory

A small test case that fails quickly on the setup I used – 32 cores x86_64 Linux 3.13.0-45-generic Ubuntu 14.04.2, Docker 1.5.0 – is available here:

https://gist.github.com/DanielMahu/6e7104c2168910363176

I used dind to build a recursive bootstrap that lets you run any given container indindindindind at arbitrary depth. Thought you might like it.

https://github.com/kojiromike/inception

Given moby/moby#15596, is it worth either pointing to the latest https://raw.githubusercontent.com/docker/docker/master/hack/dind or just deleting this project entirely?

If you attach to a container you started inside a DIND, 'CTRL+p, CTRL+q' will not detach from this container but detach you from the DIND container. Anyway to detach?

I've tried it with Docker 1.7-rc2.

I can docker run new containers.

But I can docker run --privileged new containers. I get a cryptic:

INFO[0013] POST /v1.19/containers/3836307a2eccb183906dc9591eafe328af980069448890964c3a1dbad5516e31/start 
operation not permitted
WARN[0013] exit status 1                                
ERRO[0013] Handler for POST /containers/{name:.*}/start returned error: Cannot start container 3836307a2eccb183906dc9591eafe328af980069448890964c3a1dbad5516e31: [8] System error: operation not permitted 
ERRO[0013] HTTP Error                                    err=Cannot start container 3836307a2eccb183906dc9591eafe328af980069448890964c3a1dbad5516e31: [8] System error: operation not permitted statusCode=500
Error response from daemon: Cannot start container 3836307a2eccb183906dc9591eafe328af980069448890964c3a1dbad5516e31: [8] System error: operation not permitted

The docs say:

There is only one requirement: your Docker version should support the --privileged flag.

But trying to run the dind image I get:

ERRO[0000] [graphdriver] prior storage driver "btrfs" failed: prerequisites for driver not satisfied (wrong filesystem?) 
FATA[0000] Error starting daemon: error initializing graphdriver: prerequisites for driver not satisfied (wrong filesystem?) 

So I guess there is a second requirement?

I'm running on an Ubuntu host machine.
FATA[0000] Post http:///var/run/docker.sock/v1.16/containers/create: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?

I keep getting that issue, regardless of which container I try to run.
specifically:
root@Dev01:~# docker run --privileged -t -i jpetazzo/dind /bin/bash
root@0986d69267de:/# docker run -t -i jpetazzo/dind /bin/bash
FATA[0000] Post http:///var/run/docker.sock/v1.16/containers/create: dial unix /var/run/docker.sock: no such file or directory. Are you trying to connect to a TLS-enabled daemon without TLS?

One of the downsides of dind is that the inner host pulls images even if the outer host already has those images. I'm totally softballing this question, but to get the conversation started, have you considered ways to cache the images fetched by one inner docker host so that they can be used without real bandwidth pulls by another inner host?

I don't know what I'm doing wrong, but I can't get docker-in-docker working.

System:

• Docker 0.6.2
• LXC 0.7.5 (also tried 1.0.0-alpha1)
• Vagrant 1.3.1, Vagrantfile: https://github.com/dotcloud/docker/blob/master/Vagrantfile
• Virtualbox 4.2.18
• OS X 10.8.4

AppArmor lxc-default profile is in complain mode. Running with AppArmor disabled or running docker with -lxc-conf="lxc.aa_profile=unconfined" also results in the same outcome.

Here's a typical run:

vagrant@precise64:~$ sudo docker run -privileged -t -i dind
/proc/self/fd /
/
root@d95ad89be08c:/# Loading containers: done.
2013/09/22 13:50:47 WARNING: Your kernel does not support cgroup swap limit.
2013/09/22 13:50:47 Listening for HTTP on /var/run/docker.sock (unix)

root@d95ad89be08c:/# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:00 /bin/sh -c wrapdocker
    9 ?        S      0:00 bash
   42 ?        Sl     0:00 docker -d
   68 ?        R+     0:00 ps ax
root@d95ad89be08c:/# docker images
2013/09/22 13:51:13 GET /v1.5/images/json
REPOSITORY          TAG                 ID                  CREATED             SIZE
root@d95ad89be08c:/# docker run ubuntu ls
2013/09/22 13:51:24 POST /v1.5/containers/create
Unable to find image 'ubuntu' (tag: latest) locally
2013/09/22 13:51:24 POST /v1.5/images/create?fromImage=ubuntu&tag=
Pulling repository ubuntu
2013/09/22 13:53:24 Get https://index.docker.io/v1/images/ubuntu/ancestry: lookup index.docker.io. on 10.0.2.3:53: no answer from server
root@d95ad89be08c:/# mount
root@d95ad89be08c:/# df
df: cannot read table of mounted file systems

The following, possibly interesting lines are in the output of dmesg:

[  424.362321] type=1400 audit(1379857847.885:19): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/hugetlb/" pid=4346 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.366048] type=1400 audit(1379857847.889:20): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/perf_event/" pid=4349 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.369842] type=1400 audit(1379857847.893:21): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/blkio/" pid=4352 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.373522] type=1400 audit(1379857847.897:22): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/freezer/" pid=4355 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.377223] type=1400 audit(1379857847.901:23): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/devices/" pid=4358 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.380958] type=1400 audit(1379857847.905:24): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/memory/" pid=4361 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.384752] type=1400 audit(1379857847.909:25): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/cpuacct/" pid=4364 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.388078] type=1400 audit(1379857847.913:26): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/cpu/" pid=4367 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  424.391744] type=1400 audit(1379857847.913:27): apparmor="ALLOWED" operation="mount" info="failed type match" error=-13 parent=4340 profile="lxc-container-default" name="/sys/fs/cgroup/cpuset/" pid=4370 comm="mount" fstype="cgroup" srcname="cgroup" flags="rw"
[  439.328133] docker0: port 1(veth9VM5wv) entered forwarding state
[  619.291837] docker0: port 1(veth9VM5wv) entered disabled state
[  619.292940] device veth9VM5wv left promiscuous mode
[  619.292949] docker0: port 1(veth9VM5wv) entered disabled state
[  636.812670] device vethGZTrpI entered promiscuous mode
[  636.812756] IPv6: ADDRCONF(NETDEV_UP): vethGZTrpI: link is not ready
[  636.870017] IPv6: ADDRCONF(NETDEV_CHANGE): vethGZTrpI: link becomes ready
[  636.870083] docker0: port 1(vethGZTrpI) entered forwarding state
[  636.870094] docker0: port 1(vethGZTrpI) entered forwarding state
[  651.872117] docker0: port 1(vethGZTrpI) entered forwarding state

Docker provides fine grained capabilities that can be enabled when launching the container. The current recommended way to launch the outer container within which dind executes is by passing the --privileged flag.

The recommended way should be to run it using --cap-add by providing a minimal set of permissions to the outer container instance such that a networked dind instance can be started. Volume addition should also require additional flags. Extra capabilities if any need to be provided based on the needs of the specific app that we intend to run as dind

Hi There,

I have tried create a container that has dind and sshd for jenkins slave. I have tried to do this 3 different ways.

1> Create a container from the jpetazzo/dind.

{code}
Please find buildfile below.

Based on Ubuntu

Set the base image to Ubuntu

FROM jpetazzo/dind

File Author / Maintainer

MAINTAINER Johnathan Phan

Enviroment setup

############ BEGIN INSTALLATION

Update system

RUN apt-get update

Install a basic SSH and docker server

RUN apt-get install -y openjdk-7-jdk openssh-server
RUN sed -i 's|session required pam_loginuid.so|session optional pam_loginuid.so|g' /etc/pam.d/sshd
RUN mkdir -p /var/run/sshd
RUN adduser --quiet jenkins
RUN echo "jenkins:jenkins" | chpasswd
RUN usermod -a -G 0 jenkins
ADD scripts/jenkins-slave-startup.sh /
RUN chmod +x jenkins-slave-startup.sh

Standard SSH port

EXPOSE 22
{code}

2> Tried to use https://registry.hub.docker.com/u/tehranian/dind-jenkins-slave/dockerfile/ directly.

3> Tried to create my own container with build file merging commands and files from bother jpetazzo/dind and evarga/jenkins-slave.

I get continous issues concerning running docker in docker with another service.

For example in the first example where I extend dind. I get the following error inside the container.

INFO[0000] +job serveapi(unix:///var/run/docker.sock)
INFO[0000] Listening for HTTP on unix (/var/run/docker.sock)
WARN[0000] WARNING: Udev sync is not supported. This will lead to unexpected behavior, data loss and errors
ERRO[0000] There are no more loopback devices available.
FATA[0000] loopback mounting failed

I don't know why this does'nt work.

Can someone help me?

I have a vagrant machine. Trying to run:
docker run -privileged -d -p 1234 -e PORT=1234 jpetazzo/dind

I then try docker version and I see

Couldn't connect to Docker daemon at http+unix://var/run/docker.sock - is it running?               │        ../docker-heka/
                                                                                                    │        ../mariadb/
If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.    ```

This is the error I get when trying to start a container inside the container:

lxc-start: no ns_cgroup option specified
lxc-start: failed to spawn 'fca9766c5f81a27e555dfe72d07b63464d48b953862640a84a7c3c0162188c49'
lxc-start: No such file or directory - failed to remove cgroup '/sys/fs/cgroup/systemd/system.slice/docker.service/lxc/fca9766c5f81a27e555dfe72d07b63464d48b953862640a84a7c3c0162188c49'

Complete output here.

Any idea? Is it a problem with systemd?

When using non aufs file systems. For example : http://blog.cloud66.com/docker-with-overlayfs-first-impression/

Docker does not depend on LXC since quite some time now. Any particular reason this is still being included? :)

http://www.infoq.com/news/2014/03/docker_0_9

I think that working with Docker in Docker would be much easier if docker logs would stream logs of inner containers with a different colors each.

This could look like this (the gif comes from our blog post)

A PR follows.

I develop 'app' on an OSX laptop ('host') that runs a docker-daemon inside VirtualBox ('dev') (created via docker-machine). As my ci/cd utility ('rouster') grows, so do its dependencies. To encapsulate them, I've created an image ('rind'), which inherits from dind.

Happily, I can mount ~/src from host to rind and mount it again from rind to app and it works.

Presently, I use both eval $(docker-machine env dev) && rind deploy and $(docker-machine env prod) && rind deploy.

Uncertain that prod should run dind, I repointed rind's client at dev's daemon by setting env_vars ( DOCKER_CERT_PATH, DOCKER_TLS_VERIFY, DOCKER_HOST, and DOCKER_MACHINE_NAME).

Sadly, app now sees the mounted volumes, but they have no contents.

Thank you for these terrific tools and for any advice you may have.

I'm try to run a docker inside of a docker and I keep getting this error. I get it when I run docker run --privileged -it jpetazzo/dind once I'm inside of the first docker image.

[3c639086] -job create() = OK (0)
2014/07/09 17:45:52 POST /v1.12/containers/f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0/attach?stderr=1&stdin=1&stdout=1&stream=1

[3c639086] +job container_inspect(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0)
[3c639086] -job container_inspect(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0) = OK (0)
[3c639086] +job attach(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0)
2014/07/09 17:45:52 POST /v1.12/containers/f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0/start

[3c639086] +job start(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0)
[3c639086] +job allocate_interface(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0)
[3c639086] -job allocate_interface(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0) = OK (0)

[3c639086] -job start(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0) = OK (0)
2014/07/09 17:45:52 POST /v1.12/containers/f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0/resize?h=40&w=168

[3c639086] +job resize(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0, 40, 168)
[3c639086] -job resize(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0, 40, 168) = OK (0)
2014/07/09 17:45:52 setup mount namespace create /var/lib/docker/devicemapper/mnt/f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0/rootfs/dev/console open /var/lib/docker/devicemapper/mnt/f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0/rootfs/dev/console: input/output error

[3c639086] +job release_interface(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0)
[3c639086] -job release_interface(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0) = OK (0)
[error] container.go:525 f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0: Error closing terminal: invalid argument
[3c639086] -job attach(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0) = OK (0)
2014/07/09 17:45:52 GET /v1.12/containers/f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0/json

[3c639086] +job container_inspect(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0)
[3c639086] -job container_inspect(f135172206cff96ff011fdecfca56d626b63678989c813e999ec0bb852ab97a0) = OK (0)

For reference, I'm running linux mint with kernel 3.15.3-031503-generic

DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=14
DISTRIB_CODENAME=nadia
DISTRIB_DESCRIPTION="Linux Mint 14 Nadia"
NAME="Ubuntu"
VERSION="12.10, Quantal Quetzal"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu quantal (12.10)"
VERSION_ID="12.10"

Edit: Also Docker 1.1.0 build 79812e3

I've been testing your "dind" image, and I have found out that I cannot modify the nameserver. This prevents me from being able to pull down images from a private docker registry on our local network. I've used the "--dns" command on the run or pull command in docker, and it appears to have no effect. I've copied a version of /etc/default/docker into the image with our local DNS addresses also to no avail. I was also unable to modify the /etc/resolv.conf on the baseimage.

Now, I have no problem pulling from the the main docker central registry, and I can ping hosts on the internet. Just nothing local.

Trying this out with 0.8:

docker daemon starts ok, and docker version works ;

but when I try
docker pull ubuntu:

2014/02/06 06:34:37 POST /v1.9/images/create?fromImage=ubuntu&tag=
[/var/lib/docker|65587286] +job pull(ubuntu, )
Pulling repository ubuntu
Get https://index.docker.io/v1/repositories/ubuntu/images: x509: certificate signed by unknown authority[/var/lib/docker|65587286] -job pull(ubuntu, ) = ERR (1)
2014/02/06 06:34:37 pull: Get https://index.docker.io/v1/repositories/ubuntu/images: x509: certificate signed by unknown authority

Hi!

I have a boot2docker vm which contains a docker vm in which I'm running a privileged dind container. What I'm trying to figure out is how I would access say port 80 in the lowest part of the docker daemon...

So visually:
Host -> boot2docker (192.168.99.100) -> docker (:2376) -> dind (:4444 exposed as :32772) -> nginx (:80)

How would I expose nginx:80?

Thanks in advance!

Hi,

I like the idea of dind and would like to try it out. Can someone help me on the following errors ?

[root@localhost ~]# docker run -privileged jpetazzo/dind
Warning: '-privileged' is deprecated, it will be replaced by '--privileged' soon. See usage.
mkdir: cannot create directory '/sys/fs/cgroup': No such file or directory
mount: mount point /sys/fs/cgroup does not exist
Could not make a tmpfs mount. Did you use -privileged?

[root@localhost ~]# docker --version
Docker version 0.11.1, build fb99f99/0.11.1

First I'd like to give thanks as this repo gave me a big head start in getting Docker inside Docker to work. I have successfully used this Docker file as a basis to build my own image which runs a container inside itself, as long as I'm initiating the container manually with:

docker run -d --privileged <personal_dind_image>

I'm attempting to use the Jenkins Docker plugin to spawn on-demand slaves for integration tests against my Chef cookbooks using test-kitchen and docker as the test-kitchen driver. Again, if I manually start the container, ssh into it as the jenkins user, clone the appropriate git repo into the container and run my tests it performs flawlessly everytime. However, in an attempt to automate this process with Jenkins and the Docker plugin - the test fail telling me, "level="fatal" msg="Post http:///var/run/docker.sock/v1.17/build?dockerfile=Dockerfile&rm=1&t=: dial unix /var/run/docker.sock: no such file or directory". I'm certain the "Run container privilaged" option is checked in the Jenkins plugin, the slave container is created with Privilage=true, and have been reduced to guessing this is an issue of the docker daemon inside my dind container not having enough time to start up before test-kitchen starts but I'm not certain that is the case. I've tried hacking at the Jenkins configuration telling it 'sleep' for a given amount of seconds but no luck:

Building remotely on 626873aa30bf@dockerhost (jenkins_slave_label) in workspace /var/lib/jenkins/workspace/project-cookbook
Cloning the remote Git repository
Cloning repository [email protected]
 > git init /var/lib/jenkins/workspace/project-cookbook # timeout=10
Fetching upstream changes from [email protected]
 > git --version # timeout=10
 > git -c core.askpass=true fetch --tags --progress 
[email protected] +refs/heads/*:refs/remotes/origin/*
 > git config remote.origin.url [email protected]# timeout=10
 > git config --add remote.origin.fetch +refs/heads/*:refs/remotes/origin/* # timeout=10
 > git config remote.origin.url [email protected] # timeout=10
Fetching upstream changes from [email protected]
 > git -c core.askpass=true fetch --tags --progress 
[email protected] +refs/heads/*:refs/remotes/origin/*
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision e8516ca3ddf1886469332642d37a31fcb8dd2f0c (refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f e8516ca3ddf1886469332642d37a31fcb8dd2f0c
 > git rev-list e8516ca3ddf1886469332642d37a31fcb8dd2f0c # timeout=10
[project-cookbook] $ /bin/sh -xe /tmp/hudson5357411377460816584.sh
+ sleep 5
+ kitchen test
-----> Starting Kitchen (v1.3.1)
-----> Cleaning up any prior instances of <server-centos>
-----> Destroying <server-centos>...
       Finished destroying <server-centos> (0m0.00s).
-----> Testing <server-centos>
-----> Creating <server-centos>...
       Sending build context to Docker daemon 
       time="2015-04-02T02:14:37Z" level="fatal" msg="Post http:///var/run/docker.sock/v1.17/build?dockerfile=Dockerfile&rm=1&t=: dial unix /var/run/docker.sock: no such file or directory" 
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Failed to complete #create action: [Expected process to exit with [0], but received '1'
---- Begin output of docker -H unix:///var/run/docker.sock build - ----
STDOUT: Sending build context to Docker daemon
STDERR: time="2015-04-02T02:14:37Z" level="fatal" msg="Post http:///var/run/docker.sock/v1.17/build?dockerfile=Dockerfile&rm=1&t=: dial unix /var/run/docker.sock: no such file or directory"
---- End output of docker -H unix:///var/run/docker.sock build - ----
Ran docker -H unix:///var/run/docker.sock build - returned 1]
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
Build step 'Execute shell' marked build as failure
Finished: FAILURE

I do see the same error regardless of which docker command I provide in the Jenkins build configuration. I've been grinding on this issue for a solid day now and cannot determine why the Docker daemon is not available when automating this process with Jenkins. Any thoughts?

Docker host is ubuntu 14.04.1, dind image is ubuntu 14.04.1 based, and I'm using Docker client/server 1.5.0.

Trying to run some experiments with DinD for fun.

Running into a layer limit issue that is less than 127 in depth for sure. But getting complains about it reaching the layer limit during a build.

anyway to make it possible to save or preload the dind with other docker images and containers?

When I attempt to commit a dind container with preloaded docker images and containers, the commit goes through but new containers off of the commit will have lost all of it's docker related images/containers.

I assume this is related to having to mount /var/lib/docker but is there any way around this?

I'm using DIND to do isolated docker image builds, and I'm always seeing the following issue when the container exits.

Error response from daemon: Cannot destroy container 272993725fb65d437a8bb52e66b4b54df9061d8f523d415186ed63073d2f3fb2: Driver btrfs failed to remove root filesystem 272993725fb65d437a8bb52e66b4b54df9061d8f523d415186ed63073d2f3fb2: Failed to destroy btrfs snapshot: directory not empty

The result is a container that I can't seem to destroy. Any ideas how I can avoid this?

When I open a console in the dind container, the docker daemon outputs a lot of debug information. This obscures the output by the commands run by me. For example pulling an image causes the following output:

2014/01/27 20:16:30 POST /v1.8/images/create?fromImage=index%2Fapache2_staging&tag=
Pulling repository index.../apache2_staging

<snip>

19bc6a29178b: Pulling dependent layers 
[error] server.go:873 Image (id: 8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c) pull is already running, skipping: pull layer:8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c is already5cdffba04912: Pulling dependent layers 
[error] server.go:873 Image (id: 8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c) pull is already running, skipping: pull layer:8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c is already48af28b4a9c0: Pulling dependent layers 

Is there a way to turn of this debugging output?

When I try to use this with boot to docker - it doesn't seem to detach - it is like it is getting a $PORT passed in? so it won't run the subsequent command.

Removing images and containers within dind doesn't allow the host operating system to reclaim disk space.

Linking issue moby/moby#7285 from docker/docker as it is related to jpetazzo/dind

Would it be possibly to start versioning this project (with git tags, and etc)?

The purpose being that i am not using the Dockerfile of this project directly. I am however, using wrapdocker. In typical dependency fashion, it would be really nice if i were able to ensure stability of wrapdocker by referring to a single version. As well as know that future versions do/do-not have an API change (semver).

As another point, i'd like to introduce a couple small changes to wrapdocker that would change the API (i'm not confident that they would be merged haha), but again, without versioning that feels super wrong to do to people.

So, thoughts? Perhaps this repo is not the best place to version something like wrapdocker, and if so, any thoughts on what might be better?

I would appreciate any help with the following result obtained with the supplied directions:

...
sudo docker run -privileged -t -i dind
2013/08/30 17:12:14 POST /v1.4/containers/create
2013/08/30 17:12:14 POST /v1.4/containers/1e73ecece145/start
2013/08/30 17:12:14 POST /v1.4/containers/1e73ecece145/resize?h=36&w=122
2013/08/30 17:12:14 POST /v1.4/containers/1e73ecece145/attach?logs=1&stderr=1&stdin=1&stdout=1&stream=1
mount: block device cgroup is write-protected, mounting read-only
mount: cannot mount block device cgroup read-only
mount: block device cgroup is write-protected, mounting read-only
mount: cannot mount block device cgroup read-only
mount: block device cgroup is write-protected, mounting read-only
mount: cannot mount block device cgroup read-only
mount: block device cgroup is write-protected, mounting read-only
mount: cannot mount block device cgroup read-only
mount: block device cgroup is write-protected, mounting read-only
mount: cannot mount block device cgroup read-only
mount: block device cgroup is write-protected, mounting read-only
mount: cannot mount block device cgroup read-only
mount: block device cgroup is write-protected, mounting read-only
mount: cannot mount block device cgroup read-only
/proc/self/fd /
/
root@1e73ecece145:/# 2013/08/30 21:12:14 WARNING: cgroup mountpoint not found for memory
2013/08/30 21:12:14 Listening for HTTP on /var/run/docker.sock (unix)
...

I'm assuming that this is not expected behavior and will prevent pulling down other images, etc.

Let me know if you need additional information to troubleshoot.

Thanks!

Steve

Neat trick BTW!

I've attached my variant Dockerfile that installs Docker from the APT repo.

FROM ubuntu
MAINTAINER [email protected]
RUN echo deb http://archive.ubuntu.com/ubuntu precise universe > /etc/apt/sources.list.d/universe.list
RUN echo deb https://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list
RUN apt-get install -qqy apt-transport-https curl
RUN curl https://get.docker.io/gpg | apt-key add -
RUN apt-get update -qq
RUN dpkg-divert --local --rename --add /sbin/initctl && ln -s /bin/true /sbin/initctl
RUN apt-get install -qqy iptables ca-certificates lxc lxc-docker
VOLUME /var/lib/docker
CMD /bin/bash

Note the fake out of Upstart to get the packages installed.

Hope it's useful to someone.

Steps using OSX Maverick, Vagrant
1-Install Docker Vagrant file

git clone https://github.com/dotcloud/docker.git
cd docker
vagrant up
vagrant ssh

2-Install dind

sudo -i
apt-get install -y git
git clone https://github.com/jpetazzo/dind.git

3-Build and Run Dind

docker build -t dind .
docker run -privileged -lxc-conf="lxc.aa_profile=unconfined" -t -i dind

4-At this point ping google.com does not work

ping google.com
ping: unknown host

But pinging google's ip works

ping 74.125.22.102
PING 74.125.22.102 (74.125.22.102): 48 data bytes
56 bytes from 74.125.22.102: icmp_seq=0 ttl=61 time=32.766 ms

5-My /etc/resolv.conf

cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.2.3

6-My NAT rules

iptables -t nat -nxvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3 packets, 188 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 3 packets, 188 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 MASQUERADE  all  --  *      *       10.0.0.0/16         !10.0.0.0/16         

Chain DOCKER (2 references)
    pkts      bytes target     prot opt in     out     source               destination       

I've been trying for weeks to get Openstack + Docker to work.
With the recent Havana release I'm very close.
But this DNS problem is a showstopper.
Please help.

Hi,

I am trying to make a jenkins-dind to upload to the index. I follow the instructions exactly but the docker.sock is not getting created.

root@Ubuntu-1204-precise-64-minimal /home/ubuntu/dind # docker version
Client version: 0.7.1
Go version (client): go1.2
Git commit (client): 88df052
Server version: 0.7.1
Git commit (server): 88df052
Go version (server): go1.2
Last stable version: 0.7.2, please update docker

root@Ubuntu-1204-precise-64-minimal /home/ubuntu/dind # docker build -t scivm/dind .
Uploading context 184.3 kB
Step 1 : FROM ubuntu
---> 8dbd9e392a96
Step 2 : MAINTAINER [email protected]
---> Using cache
---> 373d7c066077
Step 3 : RUN echo deb http://archive.ubuntu.com/ubuntu precise universe > /etc/apt/sources.list.d/universe.list
---> Using cache
---> dd65f8a1d877
Step 4 : RUN apt-get update -qq
---> Using cache
---> 5e17bb9c4279
Step 5 : RUN apt-get install -qqy iptables ca-certificates lxc
---> Using cache
---> 29a5471eb81a
Step 6 : ADD https://get.docker.io/builds/Linux/x86_64/docker-latest /usr/local/bin/docker
---> 4426e39b7944
Step 7 : ADD ./wrapdocker /usr/local/bin/wrapdocker
---> e90c3d7effed
Step 8 : RUN chmod +x /usr/local/bin/docker /usr/local/bin/wrapdocker
---> Running in c5fff8574bca
---> 93eb2c73486f
Step 9 : VOLUME /var/lib/docker
---> Running in 5a2f7c89b9f3
---> 7148c1a14f6d
Step 10 : CMD wrapdocker
---> Running in 5626821d6b9e
---> fa91b4364cd8
Successfully built fa91b4364cd8

root@Ubuntu-1204-precise-64-minimal /home/ubuntu/dind # docker run -privileged -d -p 4444 -e PORT=4444 scivm/dind
3bebcdc34acca90157bc968c3aadd2fcb1b1f5b3d61e430c81683aabc0a160c9
root@Ubuntu-1204-precise-64-minimal /home/ubuntu/dind # lxc-attach -n 3bebcdc34acca90157bc968c3aadd2fcb1b1f5b3d61e430c81683aabc0a160c9
root@3bebcdc34acc:/# docker ps
2013/12/24 20:34:38 dial unix /var/run/docker.sock: no such file or directory
root@3bebcdc34acc:/# ls -la /var/run/
total 24
drwxr-xr-x 4 root root 4096 Dec 24 20:34 .
drwxr-xr-x 62 root root 4096 Dec 24 20:34 ..
-rw-r--r-- 1 root root 1 Dec 24 20:34 docker.pid
-rw-r--r-- 1 root root 0 Apr 11 2013 init.upgraded
drwxrwxrwt 2 root root 4096 Apr 11 2013 lock
-rw-r--r-- 1 root root 109 Apr 11 2013 motd
drwxr-xr-x 2 root root 4096 Apr 11 2013 network
-rw-rw-r-- 1 root utmp 0 Apr 11 2013 utmp

Starting in the foreground works ok:

root@Ubuntu-1204-precise-64-minimal /home/ubuntu/dind # docker run -privileged -t -i scivm/dind
root@111b5aace52b:/# [/var/lib/docker|b33387bf] +job initapi()
[/var/lib/docker|b33387bf.initapi()] Creating server
Loading containers: done.
2013/12/24 20:37:16 WARNING: Your kernel does not support cgroup swap limit.
[/var/lib/docker|b33387bf.initapi()] Creating pidfile
[/var/lib/docker|b33387bf.initapi()] Setting up signal traps
[/var/lib/docker|b33387bf] Register(export) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0])
[/var/lib/docker|b33387bf] Register(create) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250])
[/var/lib/docker|b33387bf] Register(stop) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290])
[/var/lib/docker|b33387bf] Register(start) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0])
[/var/lib/docker|b33387bf] Register(kill) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0 start:0x4c3310])
[/var/lib/docker|b33387bf] Register(serveapi) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0 start:0x4c3310 kill:0x4c3350])
[/var/lib/docker|b33387bf] Register(wait) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0 start:0x4c3310 kill:0x4c3350 serveapi:0x4c3390])
[/var/lib/docker|b33387bf] Register(tag) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0 start:0x4c3310 kill:0x4c3350 serveapi:0x4c3390 wait:0x4c33d0])
[/var/lib/docker|b33387bf] Register(resize) (handlers=map[initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0 start:0x4c3310 kill:0x4c3350 tag:0x4c3410 serveapi:0x4c3390 wait:0x4c33d0])
[/var/lib/docker|b33387bf] Register(commit) (handlers=map[serveapi:0x4c3390 wait:0x4c33d0 initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0 start:0x4c3310 kill:0x4c3350 tag:0x4c3410 resize:0x4c3450])
[/var/lib/docker|b33387bf] Register(info) (handlers=map[serveapi:0x4c3390 wait:0x4c33d0 commit:0x4c3490 initapi:0x4a20b0 version:0x4bdaf0 export:0x4c3250 create:0x4c3290 stop:0x4c32d0 start:0x4c3310 kill:0x4c3350 tag:0x4c3410 resize:0x4c3450])
[/var/lib/docker|b33387bf] -job initapi() = OK (0)
[/var/lib/docker|b33387bf] +job serveapi(unix:///var/run/docker.sock)
2013/12/24 20:37:16 Listening for HTTP on /var/run/docker.sock (unix)

More info about kernal:
root@Ubuntu-1204-precise-64-minimal /var/lib/docker/containers # uname -a
Linux Ubuntu-1204-precise-64-minimal 3.8.0-33-generic #48~precise1-Ubuntu SMP Thu Oct 24 16:28:06 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

I'd like to use dind to support what I think might be a common flow:

1. Build some linux binaries
2. Build some docker images that include those binaries

I'd like to support development from the Mac with boot2docker. I'm stuck with either copying binaries in and out of the boot2docker VM or do dind. The fact that dind isn't an officially supported part of Docker and the script is copy/pasted/diverged from the hack/dind script in the Docker repo gives me pause.

So -- "feature request": Move this script to a canonical official place and make the Docker build process take a dependency on it. Then others can follow that pattern with confidence.

I'd like to start using dind but with no LICENSE it is a little dicey. Can you add a license to the repo?

Firstly, thanks for this. While on the surface it's good fun, it's really useful for developing against docker itself (my use case).

I have changed the wrapdocker script slightly to use -s devicemapper instead of aufs, so that I don't need to use a volume for each container (and therefore in theory have more disposable containers).

However, after I've started and stopped some number of containers (it feels like 10-15, but I haven't counted), docker refuses to start in any further containers, with the log output:

[error] attach_loopback.go:39 There are no more loopback device available.
loopback mounting failed

At this point, I can't figure out how to clean up whatever is using the loopback devices. Nothing shows up in df -a on the host machine, nor in the current (new) container. So I end up resorting to restarting the entire system.

Do I need to add something else to wrapdocker if I'm using devicemapper? Or would this be considered a bug in docker itself?

using vanilla DIND container I get
Error response from daemon: Can't set task name
when I do a docker restart of that container when trying to run a new container.
when trying to run a previous running container I see:

docker start 6d                                                                                                                                                                                   
Error response from daemon: Cannot start container 6d: Error getting container 6d0920bf85ba043eb741c5ccded976822b1cedcf6f276848f344d65d1edc3464 from driver devicemapper: open /dev/mapper/docker-202:16-524330-6d0920b
f85ba043eb741c5ccded976822b1cedcf6f276848f344d65d1edc3464: no such file or directory                                                                                                                                   
2014/08/28 21:32:52 Error: failed to start one or more containers  

host docker info && version

sudo docker -D info && sudo docker -D version
Containers: 30
Images: 184
Storage Driver: devicemapper
 Pool Name: docker-202:16-2097153-pool
 Pool Blocksize: 64 Kb
 Data file: /docker/devicemapper/devicemapper/data
 Metadata file: /docker/devicemapper/devicemapper/metadata
 Data Space Used: 5127.9 Mb
 Data Space Total: 102400.0 Mb
 Metadata Space Used: 9.1 Mb
 Metadata Space Total: 2048.0 Mb
Execution Driver: native-0.2
Kernel Version: 3.13.0-29-generic
Operating System: Ubuntu 14.04 LTS
Debug mode (server): false
Debug mode (client): true
Fds: 32
Goroutines: 75
EventsListeners: 0
Init Path: /usr/bin/docker
WARNING: No swap limit support
Client version: 1.2.0
Client API version: 1.14
Go version (client): go1.3.1
Git commit (client): fa7b24f
OS/Arch (client): linux/amd64
Server version: 1.2.0
Server API version: 1.14
Go version (server): go1.3.1
Git commit (server): fa7b24f

container info && version

docker -D info && docker -D version                                                                                                                                                               
Containers: 1                                                                                                                                                                                                          
Images: 7                                                                                                                                                                                                              
Storage Driver: devicemapper                                                                                                                                                                                           
 Pool Name: docker-202:16-524330-pool                                                                                                                                                                                  
 Data file: /var/lib/docker/devicemapper/devicemapper/data                                                                                                                                                             
 Metadata file: /var/lib/docker/devicemapper/devicemapper/metadata                                                                                                                                                     
 Data Space Used: 560.0 Mb                                                                                                                                                                                             
 Data Space Total: 102400.0 Mb                                                                                                                                                                                         
 Metadata Space Used: 1.1 Mb                                                                                                                                                                                           
 Metadata Space Total: 2048.0 Mb                                                                                                                                                                                       
Execution Driver: native-0.2                                                                                                                                                                                           
Kernel Version: 3.13.0-29-generic                                                                                                                                                                                      
Debug mode (server): false                                                                                                                                                                                             
Debug mode (client): true                                                                                                                                                                                              
Fds: 11                                                                                                                                                                                                                
Goroutines: 9                                                                                                                                                                                                          
EventsListeners: 0                                                                                                                                                                                                     
Init Path: /usr/bin/docker                                                                                                                                                                                             
WARNING: No swap limit support                                                                                                                                                                                         
Client version: 1.0.1                                                                                                                                                                                                  
Client API version: 1.12                                                                                                                                                                                               
Go version (client): go1.2.1                                                                                                                                                                                           
Git commit (client): 990021a                                                                                                                                                                                           
Server version: 1.0.1                                                                                                                                                                                                  
Server API version: 1.12                                                                                                                                                                                               
Go version (server): go1.2.1                                                                                                                                                                                           
Git commit (server): 990021a  

not sure where to start digging here, any advice is welcome

hi, i am trying to build a kubernetes cluster inside of docker using fig. i tryed to use the wrapdocker script.
sometimes after starting docker the minion or the master can run docker, sometimes not.

any ideas?

https://github.com/timglabisch/docker-fig-kubernetes

I was having some issues running docker, specifically with the new --privileged flag. I had to update docker on the machine and these steps did the trick: http://askubuntu.com/questions/472412/how-do-i-upgrade-docker to get a more recent version.

I am not sure if this is the correct way to update so I will leave it up to you, but wanted to point it out.

I figure if I had this running in the cloud somewhere, I could make it my main development environment and spin up as many inner dockers as needed for all my projects.

Do you know of any hosting providers where this would work? Sounds like --privileged is not something someone like digital ocean would normally enable on their docker containers.

Running dind in CentOS 6.5 in CentOS:6 containers

Kernel: 2.6.32-504.1.3.el6.x86_64

docker version

Client version: 1.2.0
Client API version: 1.14
Go version (client): go1.3.3
Git commit (client): fa7b24f/1.2.0
OS/Arch (client): linux/amd64
Server version: 1.2.0
Server API version: 1.14
Go version (server): go1.3.3
Git commit (server): fa7b24f/1.2.0

-This is the message running debug with Docker in Docker
[debug] driver.go:295 Creating bridge docker0 with network 10.0.2.1/16
[debug] driver.go:325 setting bridge mac address = false
errno 524
[2b156c68] -job init_networkdriver() = ERR (1)
2013/03/07 20:19:11 errno 524

-In /var/log/messages I'm receiving a:
"cant create group Docker0/Birdge"

-I tried 2.6.431 as well, but got panics like below
<4>Call Trace:
<4> [] sysfs_create_group+0x13/0x20
<4> [] br_sysfs_addbr+0x32/0x100 [bridge]
<4> [] br_add_bridge+0x1c8/0x1e0 [bridge]
<4> [] br_ioctl_deviceless_stub+0x248/0x270 [bridge]
<4> [] ? kmem_cache_alloc_trace+0x1a3/0x1b0
<4> [] sock_ioctl+0xfa/0x280
<4> [] vfs_ioctl+0x22/0xa0
<4> [] do_vfs_ioctl+0x84/0x580
<4> [] sys_ioctl+0x81/0xa0
<4> [] ? __audit_syscall_exit+0x25e/0x290
<4> [] system_call_fastpath+0x16/0x1b
<4>Code: 8b 04 24 48 85 c0 74 27 41 83 c7 01 8b 55 bc 85 d2 74 b1 48 8b 30 48 89 df e8 f6 be ff ff eb a4 48 83 7f 30 00 0f 85 49 ff ff ff <0f> 0b eb fe 48 8b 5d c8 31 d2 48 85 db 74 18 f0 ff 0b 0f 94 c0
<1>RIP [] internal_create_group+0xf7/0x1a0

I upgraded to 3.17 and there was no issues, however I am trying to install a kernel module on the same dind privileged container that needs 2.6.X. So i upgraded to 2.6.32-504.1.3.el6.x86_64 which gives me the errors at the top of this issue. I am guessing this may be because the 2.6 kernel doesnt support creating the Docker0 bridge on the veth device in the bridged dind container, but didint know if there was a work around or if anyone saw this before. If that's the case though we can close this fairly quickly

thanks,
r

Now that Docker supports --cap-add and --cap-drop, it would be good to know which security settings to use with dind in case you wanted to make a public-facing docker instance.

Dealing with CAP_NET_SYSADMIN is going to be tricky.

Ideally when you extend from the dind you'd like to execute your own command.

I've tried something like the following with no luck:

docker run -i -t --privileged jpetazzo/dind "wrapdocker && mycommandhere"

Ideas?

Given this image is ran as the following:

docker run --privileged --name docker -d -p 2375 -e PORT=2375 jpetazzo/dind

And another image is ran:

• linked to the dind image
• with Docker is installed
• with DOCKER_HOST set to the dind image IP and port
• with a volume from a folder including a Dockerfile
• the Dockerfile has the VOLUME instruction like the following: VOLUME .:/app/

When I run docker build -t zedtux/test .
And I open a bash session within the zedtux/test image and list the files from /app/
Then I see an empty folder

FYI using the ADD instruction instead of the VOLUME is working perfectly.

Do you know if volumes are supported in the dind image ?
Could it be that this Docker issue is the reason of my issue ?

This feels like closely related to issue 3280

I am trying to run DinD on CentOS 6.5 VM + Docker Version 1.3.2 running in virtualbox on a mac.
Using /fedora example I was able to build dind image. The only change I had to make was replacing CGROUP=/sys/fs/cgroup with CGROUP=/cgroup in wrapdocker.

When I try to start dind it freezes the host VM. Just before the freeze I see that mkfs.ext4 is using 100% cpu.

docker run --privileged -t -i -e DOCKER_DAEMON_ARGS="-D" dind

Here's the console log with last few lines before VM freezes. The only way to recover is shutdown and start.