We write CI by declaring a mirror as the execution environment for jobs, each of which is executed in a clean container. Sometimes we need a Docker container environment to perform Docker build, Docker push, and so on. Looking at the official Docker image, we find that there are two major versions: Docker: Latest, Docker: Dind, and Docker :git.


This image contains the Docker client (the command-line tool) and the Docker daemon.

Through the docker history docker: dind command we found docker: dind is the docker: based on the latest and installed the docker daemon, and the last two build commands as follows:

IMAGE CREATED CREATED BY SIZE COMMENT 66dc2d45749a 8 weeks ago /bin/sh -c #(nop) CMD [] 0B <missing> 8 weeks ago /bin/sh -C #(nop) entryPoint ["dockerd-entr... 0B...

When this image is run, the sh CMD parameter cannot be specified, and dockerd-entryPoint.sh command receiving this parameter will not start Docker daemon. To properly start the Docker daemon in the container and enter the container, there are steps:

$docker run-d --name dind --privileged docker:dind # $docker log-f dind # $docker exec-it dind # Into the container

When starting docker:dind container, the parameter –privileged must be added, otherwise the docker daemon will start with an error.


Docker :dind / /var/run/docker.sock / /docker.sock / / /docker.sock / / / /docker.sock / / / /docker.sock / / / /docker.sock / / / /docker.sock / / /docker.sock / / /docker.sock / / /docker.sock / / /docker.sock / / /docker.sock

This image startup does not require the –privileged parameter.

The default CMD is sh:

81f5749c9058 3 months ago /bin/sh -c #(nop) CMD ["sh"] 0B <missing> 3 months ago /bin/sh -c #(nop) ENTRYPOINT [" docker - entry... 0 b...

Mount sock file on host

$ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock docker:latest

Start way two: with docker:dind

Put docker:dind and docker:latest on the same network, and specify that the alias name for the dind container in the network is docker, because the default daemon host in the latest container is docker.

In addition, we need to pay attention to the certificate issue. The new version Docker client needs TLS certificate to ensure communication security when communicating with Docker daemon. Docker :dind container will generate the certificate to the directory specified by the environment variable DOCKER_TLS_CERTDIR. The certificate needs to be mounted and fed to the docker:latest container.

$ docker run --privileged --name some-docker -d \ --network some-network --network-alias docker \ -e DOCKER_TLS_CERTDIR=/certs \ -v some-docker-certs-ca:/certs/ca \ -v some-docker-certs-client:/certs/client \ docker:dind $ docker run --rm --network some-network \ -e DOCKER_TLS_CERTDIR=/certs \ -v some-docker-certs-client:/certs/client:ro \  docker:latest


Docker :git is a docker:latest command that contains git to make it easier to use git when using CI.

Refer to the link

  • Docker Hub – docker