It seems like since the dawn of time, or at least as soon as people learn about docker, everyone wants to know how to run more docker containers inside their docker containers. This completely misses the point, but there are ways and means.
Sometimes it makes sense to have a tool inside docker that can launch docker containers, or at least control them: for example a control panel application, or the [Launcher Container] pattern.
In order to do this we don't run docker-in-docker, and instead use a socket mount. By default the local docker client communicates with the local docker server via a Unix socket at /var/run/docker.sock. By mounting that path into our container we can control the docker server on the host, allowing us to launch new containers or do whatever we want!
It looks like this:
docker run -d -v /var/run/docker.sock:/var/run/docker.sock:ro someapp
and of course, the docker-compose version:
app:
  image: someapp
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
You'll note we're mounting the docker socket with the read-only flag. This stops you from overwriting the socket file itself, but doesn't stop you interacting with it (including "writes", i.e. any API call sent over it) to control docker! In other words, :ro is not a security boundary here: any process in the container that can open the socket has full control of the daemon on the host, which is equivalent to root on that host, so a container with the socket mounted has to be trusted as much as the host itself.
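As an added example (not from the original post), here is a small audit that takes the JSON printed by `docker inspect` and flags every container with the daemon socket bind-mounted, reporting :ro and :rw mounts alike since the mode does not limit what the daemon API will do. The sample inspect output and the set of socket paths are constructed assumptions.

```python
import json
from typing import Dict, List

# Host paths that resolve to the Docker daemon socket. /var/run is a symlink to
# /run on systemd hosts, so both spellings are checked (assumption: default paths).
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def socket_mounts(inspect_output: str) -> List[Dict[str, str]]:
    """Return one finding per container that bind-mounts the daemon socket.

    `inspect_output` is the JSON array printed by `docker inspect <ids...>`.
    The read-only flag is reported but never treated as a mitigation: an :ro
    bind only protects the socket inode, not the API answered behind it.
    """
    findings = []
    for container in json.loads(inspect_output):
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            if mount.get("Source", "").rstrip("/") not in DOCKER_SOCKET_PATHS:
                continue
            findings.append({
                "container": container.get("Name", "").lstrip("/"),
                "destination": mount.get("Destination", ""),
                "mode": "ro" if not mount.get("RW", True) else "rw",
                # Anything that can open the socket can drive the daemon, so the
                # container is rated host-root-equivalent regardless of mode.
                "risk": "host-root-equivalent",
            })
    return findings


# Constructed sample resembling `docker inspect` output, not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/control-panel",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False}]},
    {"Name": "/web",
     "Mounts": [{"Type": "volume", "Name": "webdata", "Destination": "/data", "RW": True}]},
    {"Name": "/builder",
     "Mounts": [{"Type": "bind", "Source": "/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "Mode": "", "RW": True}]},
])

if __name__ == "__main__":
    for f in socket_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: docker socket mounted {f['mode']} at "
              f"{f['destination']} ({f['risk']})")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `socket_mounts` to list which running containers must be trusted like the host.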