
Docker can now run within Docker - jpetazzo
http://blog.docker.io/2013/09/docker-can-now-run-within-docker/
======
pearjuice
I remember running VMs in VMs when I was younger and wondered how far I could
go before my computer would implode. Infinite recursion is amazing. Let me
rephrase that; infinity is amazing.

~~~
null_ptr
How far did you get? :-)

~~~
pearjuice
After three to four iterations (cannot remember precisely) I couldn't split up
my computer's capacities any further to qualify for any decent OS's
specifications which could run another VM. Please note that this was years
ago, I suggest you should try it!

Unless you want to waste a lot of time installing the nested OSes, like I did,
I suggest using pre-installed images you can throw right in.

------
jpetazzo
This is one of the _many_ potential applications of the new "-privileged" flag
of Docker. This is very exciting, because it means that we will soon run
Docker CI within Docker itself (instead of ad-hoc VMs), among other things!

~~~
andrewmunsell
The big thing for me about the privileged flag is the ability to run VPN
software on the containers -- this way, they can talk to each other
cross-physical-machine as well as between containers on the same host.

~~~
jpetazzo
We're on the same page. That's my next hack — an OpenVPN server within Docker.
The blog post, Dockerfile, and helper scripts should be out next week :-)

~~~
andrewmunsell
Great, looking forward to seeing it.

My system uses peer to peer software to synchronize each container's public
keys and IP address/port information, as well as a mesh network VPN. This
allows me to easily join a new node to the VPN cluster (using ENV variables to
specify the port and public address to listen on, which is then used in the
Docker container creation) and still have minimal latency between any two
nodes.

I'll probably have to write up a post myself describing the system and how
Docker is used to create new containers and add it to the cluster.

~~~
gcr
Whoa. That's really cool. What do you use that for?

Also: does OpenVPN drive your "mesh network VPN"? I thought it was only
client<-->server!

~~~
andrewmunsell
OpenVPN is only client-server, so I'm currently using tinc[1]. BitTorrent Sync
is the software used to synchronize the actual public keys and container IP
addresses.

[1]: [http://www.tinc-vpn.org/](http://www.tinc-vpn.org/)

------
tlrobinson
Mostly-unrelated question: could one build a desktop Linux distribution around
Docker? Or rather, how difficult would it be? I assume OS X's application
sandboxing uses a technology similar to LXC.

~~~
joffreyf
You might be looking for something akin to
[http://coreos.com/](http://coreos.com/) !

~~~
tlrobinson
CoreOS could be a good starting point, but it's intended for servers so it's
very bare bones (and the service discovery stuff might not make much sense)

------
songgao
Another feature liberated by `-privileged` that I like a lot is the ability to
run `mknod`, which is necessary for using a TUN/TAP interface.
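
Added example, not part of the thread or of Docker's code: a small audit helper that decodes the `CapEff` mask from `/proc/<pid>/status` to show whether a containerized process holds the capabilities that `mknod` and TUN/TAP setup rely on. The two status samples are constructed, and the function names are hypothetical.

```python
import re

# Bit numbers from <linux/capability.h>.
CAPS = {"CAP_NET_ADMIN": 12, "CAP_SYS_ADMIN": 21, "CAP_MKNOD": 27}

# Constructed samples of /proc/<pid>/status content (not captured from a real host).
RESTRICTED_STATUS = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
FULL_STATUS = "Name:\tsh\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"


def effective_caps(status_text):
    """Decode the CapEff bitmask into the capabilities of interest."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    mask = int(match.group(1), 16)
    return {name: bool((mask >> bit) & 1) for name, bit in CAPS.items()}


def audit(status_text):
    """Return findings a reviewer would flag for a containerized process."""
    caps = effective_caps(status_text)
    findings = []
    # mknod(2) on a device node needs CAP_MKNOD; configuring the resulting
    # interface needs CAP_NET_ADMIN. Device cgroup rules are not checked here.
    if caps["CAP_MKNOD"] and caps["CAP_NET_ADMIN"]:
        findings.append("has the capabilities to create and configure TUN/TAP")
    if caps["CAP_SYS_ADMIN"]:
        findings.append("holds CAP_SYS_ADMIN: treat as host-equivalent")
    return findings


if __name__ == "__main__":
    # On a live system, pass open("/proc/self/status").read() instead.
    for label, text in (("restricted", RESTRICTED_STATUS), ("full", FULL_STATUS)):
        print(label, effective_caps(text), audit(text))
```
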

------
tachion
It is nice to see, especially because a fast-moving project is always an
enjoyable thing to observe. As a side note, to increase overall awareness,
FreeBSD has had the capability for hierarchical Jails (Jails inside of Jails)
for a while.

------
outside1234
Does anyone know if there are plans for when docker will be able to run in
32-bit?

~~~
dsissitka
It'll work now if you remove this if block...

[https://github.com/dotcloud/docker/blob/master/server.go#L12...](https://github.com/dotcloud/docker/blob/master/server.go#L1250)

...and create your own images.

It's unsupported, but it'll work.

------
segeek
Very nice!

One thing that I am looking forward to is Docker support for Windows. Would
really like to see that feature.

~~~
yebyen
There is Docker within Vagrant, I have a Windows 7 desktop in front of me and
all I need to do to enter my CoreOS system is "vagrant up; vagrant ssh" from
the git shell.

I don't think there will be direct Docker support for Windows (erm... hrm)

[http://coreos.com/blog/coreos-vagrant-images/](http://coreos.com/blog/coreos-vagrant-images/)

~~~
yebyen
Actually I do remember hearing that docker/lxc was only the beginning, can you
be more specific? What virtualization tech in Windows do you want to see
Docker containers running in?

There's no reason you can't run CoreOS in qemu or CoreOS in VirtualBox, but
all of those things are still coming back to Linux Containers. Did you have an
idea of another way?

------
likeclockwork
When will Docker support distros other than Ubuntu?

~~~
jpetazzo
There is already some support for Gentoo and Archlinux, and if you are willing
to use a "foreign" kernel, Red Hat / Fedora / CentOS work as well.

There is some significant work in progress to add compatibility for non-AUFS
systems. I don't have an accurate timeline at this point, but expect something
(or at least an announcement) at the end of the month!

~~~
gcr
Last I checked, using Docker on Arch required a custom kernel with the AUFS
patch. Is that still true?

Edit: yes, docker on arch still requires a custom kernel. See
[http://docs.docker.io/en/latest/installation/archlinux/](http://docs.docker.io/en/latest/installation/archlinux/)

~~~
jpetazzo
Yeah, still true, but we are actively working on an alternate implementation
to be compatible with anything post 3.2 _and_ RHEL 6.4 as well.

~~~
shykes
Just to confirm that we're planning to remove the dependency on aufs for the
0.7 release (late September). As a result docker will run on vanilla linux
kernels.

aufs will probably come back as a plugin in a future version.

aufs is great and I wish we could keep it as the default. But the kernel
politics are what they are.

~~~
gcr
Oh interesting. What are you moving to? Are you hooking into 'libc' to be able
to intercept file accesses for layers or something?

~~~
shykes
We're moving to device-mapper, which is the underlying block-level facility
used by LVM.

------
bachback
Amazing. What do the docker guys think of coreOS?

------
arnley
so meta

~~~
nnnnni
Also "yo dawg...".

Now that the obligatory comments have been covered, we can move on. Yay!

~~~
jpetazzo
Yeah... Note for future self: make all the mandatory lame jokes in the blog
post itself, so people don't feel obligated to do them on HN instead. ;-)

~~~
reginaldjcooper
Please no :) just rely on us to downvote these people on HN, then you can
spare at least some of the readers the pain.

I don't even understand, it's not like it's conversation or even funny, but X
in X immediately results in someone announcing their awareness of canonical
jokes. "yo dawg i heard you like plays so I put a play in your play to
inception the king."

