🐳 Docker Intermediate

What is Docker in Docker (DinD)?

Answer

Docker-in-Docker (DinD) is the technique of running a Docker daemon inside a Docker container, so that the container can build and run containers itself. The typical use case is CI/CD: build jobs run inside containers and need to build (and often test) Docker images.

Implementation:
(1) Privileged DinD: start a container that runs its own daemon, e.g. docker run -d --privileged docker:dind. The inner daemon needs --privileged because it must create namespaces, mount filesystems and manage cgroups, and that flag removes most of the isolation between the container and the host (all capabilities, access to host devices, no seccomp or AppArmor confinement). A docker:dind-rootless image exists and runs the inner daemon as a non-root user, which limits the blast radius, but its image documentation still requires starting it with --privileged.
(2) Docker socket mounting (the "sidecar" approach, also called Docker-outside-of-Docker): bind-mount the host daemon's socket with -v /var/run/docker.sock:/var/run/docker.sock. The container talks to the host's daemon directly, so this is NOT true DinD. It is also not the safe option it looks like: anything in the job that can write to that socket can ask the host daemon to start a --privileged container or bind-mount the host's root filesystem, so access to the socket is equivalent to root on the host. Containers started this way are siblings of the CI container, not children, and any bind-mount paths refer to the host filesystem rather than the job's.

Problems with true DinD: the security exposure of --privileged (a compromised build step, malicious Dockerfile or test can escape to the host); cgroup and storage-driver conflicts between the inner and outer daemons (nested overlay filesystems are the classic failure, which is why /var/lib/docker of the inner daemon is usually put on a volume); the inner daemon's image and build cache disappears with the container unless it is persisted; general instability.

Better alternatives:
(1) Kaniko: Google's tool that builds images from a Dockerfile inside a Kubernetes pod or plain CI container without a Docker daemon. It runs as root inside its own container but needs neither --privileged nor the host socket.
(2) Buildah: builds OCI images without a daemon and can run rootless.
(3) img: daemonless, unprivileged image building on top of BuildKit.
(4) docker buildx with a remote builder (the docker-container, kubernetes or remote driver): the build runs on a BuildKit instance elsewhere, so the CI job only needs a client.
(5) Earthly: a build tool that runs its own BuildKit and does not depend on DinD.
Most modern CI systems can build images without DinD: GitHub Actions hosted runners have a daemon on the runner VM, CircleCI's setup_remote_docker gives the job a separate Docker environment, and GitLab CI documents Kaniko and Buildah jobs alongside its docker:dind service.
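A practical check for the two risky patterns above (--privileged and a bind-mounted host socket) is to lint CI job definitions before they reach a runner. The script below is an added example, not code from the original page or from any of the tools it names; the CI job lines it scans are constructed for the demo, and the function names (audit_docker_cmd, audit_ci_file, write_sample_ci) are assumptions of this example.

```shell
#!/bin/sh
# Lint `docker run` invocations in a CI job definition for the two
# DinD patterns that hand a job root-equivalent control of the host:
#   --privileged            (true DinD)
#   /var/run/docker.sock    (host daemon socket mounted into the job)
# Added example; the sample job file below is constructed, not real.

# audit_docker_cmd CMD
# Prints one finding per line. Returns 1 if CMD is risky, 0 otherwise.
audit_docker_cmd() {
  cmd=" $1 "          # pad with spaces so word-boundary patterns match at either end
  rc=0
  case "$cmd" in
    *" --privileged "*|*" --privileged="*)
      echo "privileged: all capabilities and host devices, no seccomp/AppArmor; root-equivalent on the host"
      rc=1 ;;
  esac
  case "$cmd" in
    *"/var/run/docker.sock:"*)
      echo "docker-socket: host daemon socket mounted; the job can start privileged containers or bind-mount / on the host"
      rc=1 ;;
  esac
  return $rc
}

# audit_ci_file FILE
# Audits every line of FILE that contains `docker run`, prefixing each
# finding with its line number. Returns 1 if any line is risky.
audit_ci_file() {
  n=0
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *"docker run"*)
        if ! findings=$(audit_docker_cmd "$line"); then
          printf '%s\n' "$findings" | sed "s/^/line $n: /"
          bad=$((bad + 1))
        fi ;;
    esac
  done < "$1"
  [ "$bad" -eq 0 ]
}

# write_sample_ci FILE
# Writes a constructed GitLab-style job file: one daemonless Kaniko job,
# one job using both DinD patterns, and one harmless `docker run`.
write_sample_ci() {
  cat > "$1" <<'EOF'
# constructed CI job definition for the demo (not a real pipeline)
build-kaniko:
  script:
    - /kaniko/executor --context . --dockerfile Dockerfile --no-push
build-dind:
  script:
    - docker run -d --privileged --name dind docker:dind
    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock docker:cli docker build -t app .
test:
  script:
    - docker run --rm alpine:3.19 echo ok
EOF
}

# Stand-alone run: write the sample file, audit it, report.
sample=$(mktemp)
write_sample_ci "$sample"
if audit_ci_file "$sample"; then
  echo "no DinD risk patterns found"
else
  echo "risky docker usage found; prefer a daemonless builder (kaniko, buildah, buildx remote)"
fi
rm -f "$sample"
```

The Kaniko job passes untouched because it never invokes `docker run`; the two lines in build-dind are reported with their line numbers, and the plain `alpine` test line is accepted. Wire audit_ci_file into a pre-merge job (or a pre-commit hook) so a change that reintroduces --privileged or the socket mount fails review rather than landing on a shared runner.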