# Docker in a sandbox

> Start dockerd inside a microsandbox VM and run containers from an interactive shell

This recipe starts a complete Docker environment inside a microsandbox VM. It is useful for sandboxed builds, agent workflows that need their own Docker daemon, or experiments you do not want leaking onto the dev machine. The host's Docker setup, if any, is left untouched.

The command below boots the `docker:dind` image, starts Docker inside the sandbox, waits for it to be ready, and then opens an interactive shell. From there, Docker commands run against the daemon inside the sandbox, not your host.

## Start Docker in a sandbox

```sh
msb run --name docker-demo --replace \
  --memory 2G \
  --mount-named docker-data:/var/lib/docker:kind=disk,size=10G \
  --script start='dockerd >/tmp/dockerd.log 2>&1 &
  timeout 60 sh -c "until docker info >/dev/null 2>&1; do sleep 1; done" || {
    cat /tmp/dockerd.log
    false
  }
  exec sh' \
  --entrypoint start \
  docker:dind
```

This command does three things:

* Starts the `docker:dind` image in a sandbox named `docker-demo`.
* Mounts a disk-backed named volume called `docker-data` at `/var/lib/docker`, where Docker stores images, containers, and build cache.
* Runs the inline `start` script as the entrypoint. The script starts Docker, waits until it is ready, and then opens a shell.

`--mount-named docker-data:/var/lib/docker:kind=disk,size=10G` is idempotent. If `docker-data` does not exist, the CLI creates it before starting the sandbox. If it already exists with compatible disk settings, the same command reuses it, so pulled images and created containers can survive `msb rm docker-demo`.

## Run a container

From the sandbox shell, run a nested Ubuntu container:

```sh
docker run -it --rm ubuntu bash
```

You are now in a container running inside Docker, which is itself running inside the microsandbox VM. Exit the Ubuntu container with `exit` to return to the `docker-demo` sandbox shell.

You can also verify the daemon with a short non-interactive command:

```sh
docker run --rm hello-world
```

## Cleanup

```sh
exit
msb rm -f docker-demo
msb volume rm docker-data
```

Remove `docker-data` only when you no longer need the images, containers, and build cache stored by the nested daemon.

## Details

The disk-backed named mount gives Docker its own ext4 filesystem at `/var/lib/docker`. That matters because the sandbox root filesystem is already overlay-backed, and Docker's default storage driver also uses overlay layers. Keeping Docker's data root on a dedicated disk-backed volume avoids putting Docker's overlay storage directly on top of the sandbox root overlay.
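To confirm that layout from the sandbox shell, the following check (an added example, not part of the microsandbox recipe) resolves which filesystem backs `/var/lib/docker` from `/proc/mounts`-format data and fails if it is the overlay root. The function names, the sample mount table, and the `/dev/vdb` device name are assumptions made for illustration.

```sh
#!/bin/sh
# fs_for_path PATH [MOUNTS_FILE]
# Prints the filesystem type of the mount that covers PATH (longest matching
# mount point; a later entry for the same mount point shadows an earlier one).
fs_for_path() {
  path=$1
  mounts=${2:-/proc/mounts}
  awk -v p="$path" '
    BEGIN { best = 0 }
    {
      mp = $2
      # mp covers p if it is the root, p itself, or a parent directory of p.
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) >= best) { best = length(mp); fs = $3 }
      }
    }
    END { if (fs == "") exit 1; print fs }
  ' "$mounts"
}

# check_data_root [MOUNTS_FILE]
# Returns 0 only when /var/lib/docker sits on a non-overlay filesystem,
# 1 when it falls through to an overlay mount, 2 when the table is unreadable.
check_data_root() {
  mounts=${1:-/proc/mounts}
  root_fs=$(fs_for_path / "$mounts") || return 2
  data_fs=$(fs_for_path /var/lib/docker "$mounts") || return 2
  echo "root=$root_fs docker-data=$data_fs"
  [ "$data_fs" != "overlay" ]
}

# Constructed sample mount table matching the layout described above.
sample_mounts() {
  cat <<'EOF'
overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw 0 0
/dev/vdb /var/lib/docker ext4 rw,relatime 0 0
EOF
}

# Demo on the constructed sample. Inside the sandbox, run check_data_root
# with no argument to read the live /proc/mounts instead.
tmp=$(mktemp) && sample_mounts >"$tmp" && check_data_root "$tmp"
rm -f "$tmp"
```

If the `--mount-named` flag is dropped from the `msb run` command, the same check reports `docker-data=overlay` and returns non-zero.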

## Notes

* **Memory.** The recipe uses `--memory 2G`. Increase it for larger builds or memory-hungry containers.
* **Not the same as [Sandbox in Docker](/recipes/docker/docker).** That recipe covers the opposite direction.
