如何在 docker 容器中 install/start docker 引擎服务

how to install/start docker engine service inside a docker container

我正在 运行ning jenkins 脱离官方 docker jenkins 容器。我有以下 dockerfile 按照 https://docs.docker.com/engine/installation/linux/debian/

的说明
FROM jenkins:2.32.1

# install docker inside this container
USER root
    # Install Docker inside Jenkins
    RUN apt-get update
    RUN apt-get purge "docker.io*"
    RUN apt-get update
    RUN apt-get install -y apt-transport-https ca-certificates gnupg2
    RUN apt-key adv \
       --keyserver hkp://ha.pool.sks-keyservers.net:80 \
       --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
    RUN echo "deb https://apt.dockerproject.org/repo debian-jessie main" > /etc/apt/sources.list.d/docker.list
    RUN apt-get update
    RUN apt-cache policy docker-engine
    RUN apt-get update
    RUN apt-get install -y docker-engine
    RUN gpasswd -a jenkins docker
    USER jenkins

然后我执行以下操作:

这是我得到的:

root@1e0f4b325d58:/# sudo service docker start
mount: permission denied
rmdir: failed to remove ‘cpu’: Read-only file system
mount: permission denied
rmdir: failed to remove ‘cpuacct’: Read-only file system
mount: permission denied
rmdir: failed to remove ‘net_cls’: Read-only file system
mount: permission denied
rmdir: failed to remove ‘net_prio’: Read-only file system
/etc/init.d/docker: 96: ulimit: error setting limit (Operation not permitted)

如果你想运行docker在docker里面,你需要运行容器作为特权容器。

所以 something like this (1) 是必需的:

docker run --privileged your_image:tag

您还需要小心使用 iptables 和 App Armour,但经过一些修补后它就可以工作了。


另一种方法是允许访问容器内的 docker 守护程序,like so (2):

docker run -v /var/run/docker.sock:/var/run/docker.sock your_image:tag

参考:

1 https://blog.docker.com/2013/09/docker-can-now-run-within-docker/

2 https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/