by WestCoastJustin 2779 days ago
For anyone else who runs into this. You can restrict the set of capabilities each container can use. This, for example, can deny mount operations, socket access, etc. You can do this via "docker run" --cap-add or --cap-drop [2]. This type of stuff is great for running docker-in-docker for these types of learning tools or Jenkins builds. You'll need to play around with it though to make sure it'll work for you.

For a real-world example check out http://play-with-docker.com as they are running docker-in-docker and all the backend code is at https://github.com/play-with-docker/play-with-docker. So, you can likely get ideas from what they are doing to lock down their env.

[1] https://docs.docker.com/engine/security/security/#linux-kern...

[2] https://docs.docker.com/engine/reference/run/#runtime-privil...
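One way to check that a --cap-drop/--cap-add policy actually took effect is to read the CapEff bitmask the kernel reports in /proc/self/status from inside the container and compare it with what you intended to grant. The script below is an added example, not code from the comment above or from the play-with-docker project. It assumes the capability bit numbers from linux/capability.h and the default capability list documented for `docker run`; the `expected_caps` function is my own model of how Docker combines --cap-add and --cap-drop with that default set, and the `HIGH_RISK` list and the sample status text are constructed for the example.

```python
"""Decode the CapEff bitmask from /proc/<pid>/status and audit it against the
capability set a `docker run --cap-drop/--cap-add` invocation should yield.
Added example; bit numbers follow linux/capability.h, the default list follows
the docker run documentation, and the add/drop model is an assumption."""

# Bit positions from linux/capability.h (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3, "FSETID": 4,
    "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8, "LINUX_IMMUTABLE": 9,
    "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11, "NET_ADMIN": 12, "NET_RAW": 13,
    "IPC_LOCK": 14, "IPC_OWNER": 15, "SYS_MODULE": 16, "SYS_RAWIO": 17,
    "SYS_CHROOT": 18, "SYS_PTRACE": 19, "SYS_PACCT": 20, "SYS_ADMIN": 21,
    "SYS_BOOT": 22, "SYS_NICE": 23, "SYS_RESOURCE": 24, "SYS_TIME": 25,
    "SYS_TTY_CONFIG": 26, "MKNOD": 27, "LEASE": 28, "AUDIT_WRITE": 29,
    "AUDIT_CONTROL": 30, "SETFCAP": 31, "MAC_OVERRIDE": 32, "MAC_ADMIN": 33,
    "SYSLOG": 34, "WAKE_ALARM": 35, "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
    "PERFMON": 38, "BPF": 39, "CHECKPOINT_RESTORE": 40,
}
BIT_CAPS = {bit: name for name, bit in CAP_BITS.items()}

# Capabilities Docker grants an unprivileged container by default (documented list).
DOCKER_DEFAULT = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})

# Capabilities worth flagging in an audit (assumption: a reviewer's shortlist, e.g.
# SYS_ADMIN covers mount(2), NET_ADMIN/NET_RAW cover raw socket use).
HIGH_RISK = frozenset({
    "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN",
    "DAC_READ_SEARCH", "SYS_BOOT", "BPF",
})

# Constructed sample of the lines `grep Cap /proc/self/status` prints in a
# container started with Docker's default capability set.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)


def _norm(name: str) -> str:
    """Accept either CLI style (NET_ADMIN) or kernel style (CAP_NET_ADMIN)."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def decode_mask(hex_mask: str) -> frozenset:
    """Turn a CapEff/CapBnd hex string into the set of capability names."""
    mask = int(hex_mask, 16)
    return frozenset(
        BIT_CAPS.get(bit, f"UNKNOWN_{bit}")
        for bit in range(mask.bit_length())
        if (mask >> bit) & 1
    )


def caps_from_status(status_text: str, field: str = "CapEff") -> frozenset:
    """Find one Cap* field in /proc/<pid>/status text and decode it."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == field:
            return decode_mask(value.strip())
    raise ValueError(f"{field} not found in status text")


def expected_caps(adds=(), drops=()) -> frozenset:
    """Model of `docker run --cap-add ... --cap-drop ...` (assumption, not Docker's code):
    start from the default set, `--cap-add ALL` swaps in every capability,
    `--cap-drop ALL` empties the baseline, and explicit adds are applied last."""
    adds = {_norm(c) for c in adds}
    drops = {_norm(c) for c in drops}
    base = set(CAP_BITS) if "ALL" in adds else set(DOCKER_DEFAULT)
    base = set() if "ALL" in drops else base - drops
    return frozenset(base | (adds - {"ALL"}))


def audit(actual: frozenset, expected: frozenset) -> dict:
    """Report capabilities present but not intended, intended but absent,
    and any high-risk capability the container actually holds."""
    return {
        "unexpected": sorted(actual - expected),
        "missing": sorted(expected - actual),
        "high_risk_present": sorted(actual & HIGH_RISK),
    }


if __name__ == "__main__":
    # A container run with `--cap-drop ALL --cap-add NET_BIND_SERVICE` should
    # hold exactly one capability; the sample shows the default set instead.
    intended = expected_caps(adds=["NET_BIND_SERVICE"], drops=["ALL"])
    print(audit(caps_from_status(SAMPLE_STATUS), intended))
```

To run the check for real, start the container with the policy you want and dump the kernel's view, e.g. `docker run --rm --cap-drop ALL --cap-add NET_BIND_SERVICE <image> sh -c 'grep Cap /proc/self/status'`, then feed the output to `caps_from_status`. Comparing CapBnd as well as CapEff matters for docker-in-docker: the bounding set is the ceiling any nested container can inherit, so dropping a capability there is what actually limits the inner daemon.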