Docker in Docker

This Docker AMI is designed to support Docker-in-Docker workloads. You can use this image as is for any Docker based workload, however; this AMI has been configured to make running Docker-in-Docker workloads as easy and as secure as possible. In addition, this image enables DinD workloads without the need for the --privileged flag.

Docker-in-Docker allows you to run Docker inside a container, isolated from the rest of the host. This is useful in CI environments, where the test job is packaged in a container and the job itself needs to run Docker inside that container. For this reason, Docker's official Docker-in-Docker image is one of the most popular images on DockerHub.

One of the main problems with the DinD image is that it requires the --privileged flag, therefore reducing isolation and making the host more vulnerable to malicious container workloads. To solve this, this AMI comes preconfigured with Sysbox as the default OCI runtime, instead of runc. Sysbox is capable of running Docker-in-Docker without the --privileged flag; in fact, it runs all containers with enhanced isolation by virtue of using the Linux user-namespace and other cutting edge techniques to isolate containers running on the AWS compute instance. As a result of these features, you can run Docker-in-Docker workloads much more safely, ensuring that such workloads can't easily escape the container and compromise the AWS compute instance. Enhanced container isolation was first released in Docker Desktop 4.13.0 and is now available for compute workloads in AWS. For more on enhanced container isolation, see: https://docs.docker.com/desktop/hardened-desktop/enhanced-container-isolation/