Hey everyone! I'm trying to figure out how to run Docker in unprivileged pods, especially for use cases like GitHub Actions or self-hosted GitLab runners. So far, I haven't found a way to let users execute Docker commands or Docker Compose without needing a privileged pod, even when experimenting with rootless Docker images. Am I missing something here, or is this just really tricky to accomplish?
4 Answers
I've had success using Google Cloud Build, which essentially sets up an on-demand VM for running your containers. I managed to get Docker-in-Docker working with the usual flags. I’m pretty sure AWS or Azure offer similar services.
Unfortunately, running Docker inside an unprivileged pod isn't really feasible. A more effective approach would be to use tools like Kaniko, BuildKit (which supports rootless), or Buildah instead. If you're set on using Docker, you might need to consider a remote builder or a privileged Docker-in-Docker (DinD) node that’s adequately isolated. For using Docker Compose, it's usually smarter to launch pods or services directly in Kubernetes or utilize tools like kind/k3d.
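As an added illustration of the rootless BuildKit route this answer mentions (example config, not the answerer's own): a pod running the upstream rootless `buildkitd` with no `privileged: true`. Names and the `emptyDir` cache are placeholders; the image tag is assumed to be a current rootless release.

```yaml
# Added example: rootless BuildKit daemon as an unprivileged pod.
# Key point: no "privileged: true". Rootless mode still needs seccomp and
# AppArmor set to Unconfined so the unprivileged user can create user
# namespaces; that is a narrower relaxation than privileged, but a pod
# security policy/admission controller must explicitly allow it.
apiVersion: v1
kind: Pod
metadata:
  name: buildkitd-rootless            # placeholder name
  annotations:
    # Needed on AppArmor-enabled nodes; otherwise mount(2) inside the
    # user namespace is blocked.
    container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
spec:
  # Run as a non-root UID at the pod level as well, so nothing in the
  # pod falls back to root.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
  containers:
    - name: buildkitd
      image: moby/buildkit:rootless   # assumed: upstream rootless image
      args:
        # Rootless mode cannot re-sandbox each build step (no further
        # user namespace nesting), so the process sandbox is disabled.
        - --oci-worker-no-process-sandbox
      securityContext:
        seccompProfile:
          type: Unconfined            # required for unshare(2) in rootless
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      readinessProbe:
        exec:
          command: ["buildctl", "debug", "workers"]
        initialDelaySeconds: 5
        periodSeconds: 30
      volumeMounts:
        - name: buildkitd-cache
          mountPath: /home/user/.local/share/buildkit
  volumes:
    - name: buildkitd-cache
      emptyDir: {}                    # placeholder; use a PVC for real cache
```

A CI job in the same pod (or a sidecar) then drives builds with `buildctl` over the daemon's socket instead of needing a Docker socket or a privileged DinD container.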
A couple of years ago, I set up rootless Podman in a sidecar container. I then connected Docker to it using the remote connection by setting DOCKER_HOST to tcp://pod-name. You might want to check if the new rootless Docker-in-Docker image supports it now, but keep in mind that you'll likely need to adjust some volume settings for rootless mode.
Have you checked out GitHub Arc? It's a neat solution that might solve your issue. You can find it [here](https://github.com/actions/actions-runner-controller).
Yeah, I've looked into it! However, I noticed it tends to run a Docker-in-Docker privileged container.