AyKarsi

Reputation: 9685

nested docker setup: child exposes parent

I have the following docker setup:

Ubuntu server
  -> running Jenkins (started with docker-compose)
       -> running a pipeline which starts a node-alpine image
            -> which then calls a new docker-compose up (needed for tests)

If I call docker ps from the node-alpine container, I see all the containers from the ubuntu server. I would have expected to only see the newly started containers.

Is this an indication that my setup is flawed? Or just the way docker works?

Upvotes: 1

Views: 128

Answers (1)

David Maze

Reputation: 160000

That's just the way Docker works. There's no such thing as a hierarchy of containers.

Typically with setups like this you give an orchestrator (like Jenkins) access to the host's Docker socket. That means containers launched from Jenkins are indistinguishable from containers launched directly from the host, and it means that Jenkins can do anything with Docker that you could have done from the host.

Remember that access to the Docker socket means reading and modifying arbitrary files as root on the host, along with starting, stopping, deleting, and replacing other containers. In this setup you might re-evaluate how much you really need that lowest level container to start further containers, since it is a significant security exposure.

Upvotes: 2
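The following shell script is an added example, not part of the question or the answer above. It shows the two checks a practitioner would run to confirm the situation the answer describes: scanning a compose file for services that bind-mount the host Docker socket, and testing from inside a running container whether that socket is reachable (which is why `docker ps` there lists every container on the host). The compose file is constructed inline to resemble a Jenkins service; the function names and the simple "- host:container" volume syntax it parses are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect host Docker socket exposure in a compose file and at runtime.
# Not taken from the original post; service names and file layout are constructed.

# Constructed sample compose file: a Jenkins service that mounts the host daemon socket,
# plus an unrelated service that does not.
SAMPLE_COMPOSE="${TMPDIR:-/tmp}/sample-compose.$$.yml"
cat > "$SAMPLE_COMPOSE" <<'EOF'
version: "3.8"
services:
  jenkins:
    image: jenkins/jenkins:lts
    volumes:
      - jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock   # host daemon, not a child daemon
  web:
    image: nginx:alpine
volumes:
  jenkins_home:
EOF

# Print the name of every service whose volumes list bind-mounts /var/run/docker.sock.
# Assumes two-space indented service keys and the short "- host:container" volume form.
services_with_docker_socket() {
    awk '
        /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc = $1; sub(/:$/, "", svc) }
        /^[[:space:]]*-[[:space:]]*"?\/var\/run\/docker\.sock:/ { print svc }
    ' "$1"
}

# Return 0 if this process can write to a Docker daemon socket (default path assumed).
# Anything that can open that socket can start containers that mount "/" from the host,
# which is what gives it root-equivalent read/write access to host files.
docker_socket_reachable() {
    sock="${1:-/var/run/docker.sock}"
    [ -S "$sock" ] && [ -w "$sock" ]
}

# Usage: audit the compose file, then check the runtime environment.
echo "services mounting the host Docker socket:"
services_with_docker_socket "$SAMPLE_COMPOSE"
if docker_socket_reachable; then
    echo "WARNING: host Docker socket reachable; 'docker ps' here lists every container on the host"
else
    echo "no writable Docker socket at /var/run/docker.sock"
fi
```

If the audit prints a service name, every container that service launches (and, as in the question, every container those containers launch through the same socket) is talking to the single host daemon; there is no isolation between levels to rely on.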
