Docker in Docker - Mounting the Docker Socket

I came across the case where I wanted an app running in a docker container to start other docker containers. I found two ways to do this:

  1. mount the Docker socket into the container that needs to start further containers, via

    /var/run/docker.sock:/var/run/docker.sock

  2. actually install Docker inside the container, which seems to be the far more complicated way.

So I went with solution 1, which worked great. Today I realized that solution 1 also carries a major security risk which I wasn't aware of:

    # inside your container, start another container with / mounted to /test
    root@b55991bee8df:/tmp# docker run -it --rm -v /:/test rweng/fv bash

    # now in the new container, check out /test
    root@9e3b8daee88e:/app# ls /test/
    Users  bin  dev  etc  home  init  lib  lib64  linuxrc  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var

As you can see, because the `docker` command is actually executed by the daemon on the host rather than inside the container, anything that can reach the socket can start another container with the whole host filesystem mounted, which is effectively root access to the host. I switched to using the docker:1.8-dind image.
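As an added example that is not code from the original post, the audit below reads `docker inspect` JSON and flags the two mounts discussed above: the Docker socket bound into a container, and the host's root filesystem bound into a container. The field names (`Name`, `Mounts`, `Type`, `Source`, `Destination`, `RW`) are those of the real `docker inspect` output; the container names and mounts in the embedded sample are constructed, and the function names are mine.

```python
import json
import sys
from os.path import normpath

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields the audit reads. These are not real containers.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ci-runner",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data",
             "Destination": "/cache", "RW": True},
        ],
    },
    {
        "Name": "/explorer",
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/test", "RW": True},
        ],
    },
    {
        "Name": "/web",
        "Mounts": [
            {"Type": "bind", "Source": "/srv/www/static",
             "Destination": "/usr/share/nginx/html", "RW": False},
        ],
    },
])


def classify_mount(mount):
    """Return a finding string for a bind mount that hands the container control
    of the host, or None for mounts that do not."""
    if mount.get("Type") != "bind":
        return None  # named volumes live under the daemon's data dir, not arbitrary host paths
    src = normpath(mount.get("Source", ""))
    dst = mount.get("Destination", "")
    if src == DOCKER_SOCKET:
        # Whoever can talk to the socket can ask the host daemon to start
        # containers with any host path mounted: equivalent to root on the host.
        return f"docker socket mounted at {dst}: container controls the host daemon"
    if src == "/":
        mode = "rw" if mount.get("RW", True) else "ro"
        return f"host root filesystem mounted {mode} at {dst}"
    return None


def audit(inspect_json):
    """Map container name -> list of findings, for containers with risky mounts."""
    findings = {}
    for container in json.loads(inspect_json):
        hits = [f for m in container.get("Mounts", []) if (f := classify_mount(m))]
        if hits:
            findings[container["Name"]] = hits
    return findings


if __name__ == "__main__":
    # Feed real data with: docker inspect $(docker ps -q) | python3 audit_mounts.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, hits in audit(data or SAMPLE_INSPECT).items():
        for hit in hits:
            print(f"{name}: {hit}")
```

Running it against the sample reports `/ci-runner` (socket mounted) and `/explorer` (host root mounted) and stays silent on `/web`, whose bind mount is a single read-only directory. On a real host, pipe `docker inspect $(docker ps -q)` into it; a socket finding means that container should be treated as having root on the host, regardless of what runs inside it.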