This guide shows you how to run Docker inside a Sandbox, enabling you to build and run container images from within a secure sandbox.
When to use Docker-in-Docker
Use Docker-in-Docker when you need to:
- Develop containerized applications - Run docker build to create images from Dockerfiles
- Run Docker as part of CI/CD - Respond to code changes and build and push images using Cloudflare Containers
- Run arbitrary container images - Start containers from an end-user provided image
Create a Docker-enabled image
Cloudflare Containers run without root privileges, so you must use the rootless Docker image. Create a custom Dockerfile that combines the sandbox binary with Docker:
Use Docker in your sandbox
Once deployed, you can run Docker commands through the sandbox:
Docker-in-Docker in Cloudflare Containers has the following limitations:
- No iptables - Network isolation features that rely on iptables are not available
- Rootless mode only - You cannot use privileged containers or features requiring root
- Ephemeral storage - Built images and containers are lost when the sandbox sleeps. You must persist them manually.
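One way to handle the ephemeral-storage limitation, shown as an added example that is not from the original guide: export images with docker save before the sandbox sleeps and re-import them with docker load after it wakes. ARCHIVE_DIR and the function names are assumptions; the directory must sit on storage that outlives the sandbox, which this guide does not specify.

```shell
#!/bin/sh
# Added example (not from the original guide): keep locally built images
# across sandbox sleep by exporting them to tar archives.
# ASSUMPTION: ARCHIVE_DIR points at storage that survives sandbox sleep.
ARCHIVE_DIR="${ARCHIVE_DIR:-/mnt/persist/docker-images}"

# Map an image reference to a flat file name ('/', ':' and '@' become '_').
# Distinct references can collide after mapping (a/b and a_b); use a
# different scheme if your image names can differ only in those characters.
archive_name() {
    printf '%s.tar' "$(printf '%s' "$1" | tr '/:@' '___')"
}

# Export one image. The archive is written under a temporary name and
# renamed only on success, so an interrupted save never leaves a truncated
# .tar behind for restore_images to pick up.
save_image() {
    ref="$1"
    mkdir -p "$ARCHIVE_DIR" || return 1
    out="$ARCHIVE_DIR/$(archive_name "$ref")"
    tmp="$out.partial"
    if docker save -o "$tmp" "$ref"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Re-import every archive after the sandbox wakes; prints how many loaded.
restore_images() {
    count=0
    for f in "$ARCHIVE_DIR"/*.tar; do
        [ -f "$f" ] || continue   # glob matched nothing
        docker load -i "$f" >/dev/null || return 1
        count=$((count + 1))
    done
    echo "$count"
}
```

Containers themselves are not covered by this; only images are exported, so anything written inside a running container still has to be copied out separately.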