Skip to main content
This recipe starts a complete Docker environment inside a microsandbox VM. It is useful for sandboxed builds, agent workflows that need their own Docker daemon, or experiments you do not want leaking onto the dev machine. The host’s Docker setup, if any, is left untouched. The command below boots the docker:dind image, starts Docker inside the sandbox, waits for it to be ready, and then opens an interactive shell. From there, Docker commands run against the daemon inside the sandbox, not your host.

Start Docker in a sandbox

msb run --name docker-demo --replace \
  --memory 2G \
  --mount-named docker-data:/var/lib/docker:kind=disk,size=10G \
  --script start='dockerd >/tmp/dockerd.log 2>&1 &
  timeout 60 sh -c "until docker info>/dev/null 2>&1;do sleep 1;done" || {
    cat /tmp/dockerd.log
    false
  }
  exec sh' \
  --entrypoint start \
  docker:dind
This command does three things:
  • Starts the docker:dind image in a sandbox named docker-demo.
  • Mounts a disk-backed named volume called docker-data at /var/lib/docker, where Docker stores images, containers, and build cache.
  • Runs the inline start script as the entrypoint. The script starts Docker, waits until it is ready, and then opens a shell.
--mount-named docker-data:/var/lib/docker:kind=disk,size=10G is idempotent. If docker-data does not exist, the CLI creates it before starting the sandbox. If it already exists with compatible disk settings, the same command reuses it, so pulled images and created containers can survive msb rm docker-demo.

Run a container

From the sandbox shell, run a nested Ubuntu container: 
docker run -it --rm ubuntu bash
You are now in a container running inside Docker, which is itself running inside the microsandbox VM. Exit the Ubuntu container with exit to return to the docker-demo sandbox shell. You can also verify the daemon with a short non-interactive command: 
docker run --rm hello-world

Cleanup

exit
msb rm -f docker-demo
msb volume rm docker-data
Remove docker-data only when you no longer need the images, containers, and build cache stored by the nested daemon.

Details

The disk-backed named mount gives Docker its own ext4 filesystem at /var/lib/docker. That matters because the sandbox root filesystem is already overlay-backed, and Docker’s default storage driver also uses overlay layers. Keeping Docker’s data root on a dedicated disk-backed volume avoids putting Docker’s overlay storage directly on top of the sandbox root overlay.

Notes

  • Memory. The recipe uses --memory 2G. Increase it for larger builds or memory-hungry containers.
  • Not the same as Sandbox in Docker. That recipe covers the opposite direction.