Hello.
Has anyone managed to launch docker within the env setup? I want to be able to run some applications that are containerized as part of my dev environment. Is socket-mounted docker-in-docker supported?
dockerd doesn’t seem to work
Hey there and welcome to the community!
To clarify, you’re asking about whether or not docker runs in the ChatGPT Pro Codex feature, yes?
While I don’t yet have access to that, I do use the CLI version, and I’m at least familiar with how the chatgpt version works.
Codex essentially handles every run inside a container already, so if you ask codex in chatgpt to handle a task, that task is already containerized (it’s just abstracted away from the end user). Because of that abstraction, you don’t get any control over how those isolated containers communicate to each other.
My question then is, what exactly are you trying to achieve ultimately? Why are containers important here for you?
Containers inside containers is not exactly easy nor recommended. Unless you’re in control of your own bare metal machine(s), you’re going to struggle attempting that in systems that are essentially managed for you.
Are you trying to have containers exchange data between each other in a certain way? If so, I’d look more into MCP servers. Are you just trying to containerize github repos or pieces of it, and keep them running? For that I’d recommend you try codex as a command line tool, not a chatgpt GUI. The reason why is because you have fine-grained control over how and what you containerize, and they will all be able to interact with each other under localhost, so they don’t need to be exposed to the internet if you don’t need them to.
Codex in ChatGPT is built to handle goals with a definite start and end. It’s not designed for keeping up and maintaining persistent containers if that’s what you’re attempting. Could it theoretically be possible? Perhaps, but it’ll be clunky and if you’re rate limited (which I’ve heard is generous, but will be tighter soon), it will cut that container off and you won’t have access to it until that limit has rolled over, which significantly hinders the usefulness of whatever you’re trying to develop.
Yes, I’m using the newly released codex pro, not the cli version.
I want it to be able to recreate my development environment so that it can run integration tests, and use the app as part of debugging to make sure the changes it’s suggesting actually work. Unfortunately parts of my app are dependent on other docker containers (one example is supabase).
A very simple repro is to set up an Environment with this setup script. It will hang and time out waiting for docker to start:
sudo apt update
sudo apt install -y build-essential procps curl file git ca-certificates
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo dockerd > /tmp/dockerd.log 2>&1 &
# Wait until Docker is responsive
until docker info >/dev/null 2>&1; do
  echo "Waiting for Docker daemon to start..."
  sleep 1
done
docker run hello-world
I can get static docker running, but kernel restrictions in the Codex image prevent creating new user namespaces (apparently because the unshare syscall is not available), and hence it will not run an image. I think this is a dead horse not to be kicked until they add custom image support (as hinted in the environment setup UI).
Here is the script I have for running the static docker:
#!/usr/bin/env bash
set -euo pipefail
# set -x # Uncomment for extreme verbosity
echo "🔧 Installing static Docker"
ARCH=$(uname -m); VER=24.0.9
mkdir -p /usr/local/bin
curl -fsSL "https://download.docker.com/linux/static/stable/${ARCH}/docker-${VER}.tgz" \
| tar -xzC /usr/local/bin --strip-components=1 docker/docker docker/dockerd docker/containerd docker/ctr docker/runc docker/docker-init
hash -r
DATA="$HOME/docker-data-test" # Use a different data dir for test
SOCK="$DATA/docker.sock"
LOG_FILE="/tmp/dockerd-test.log"
rm -rf "$DATA" "$LOG_FILE" # Clean previous test runs
mkdir -p "$DATA"
echo "🚀 Starting custom dockerd for test..."
dockerd \
  -H "unix://$SOCK" \
  --data-root="$DATA" \
  --storage-driver=vfs \
  --iptables=false --ip-forward=false --bridge=none \
  --shutdown-timeout 5 \
  >"$LOG_FILE" 2>&1 &
DOCKERD_PID=$!
# Simplified cleanup
cleanup_test() {
  echo
  echo "🧹 Cleaning up test dockerd (PID: $DOCKERD_PID)..."
  if kill -0 $DOCKERD_PID >/dev/null 2>&1; then
    kill $DOCKERD_PID || true
    wait $DOCKERD_PID || true
    echo "Test dockerd stopped."
  else
    echo "Test dockerd (PID: $DOCKERD_PID) was not running or already exited."
  fi
  echo "--- Test Dockerd Log ($LOG_FILE) ---"
  cat "$LOG_FILE" || echo "Log file $LOG_FILE not found."
  echo "--- End of Test Dockerd Log ---"
}
trap cleanup_test EXIT INT TERM
export DOCKER_HOST="unix://$SOCK"
echo "⏳ Waiting for test daemon on $SOCK"
for i in {1..30}; do
  if ! kill -0 $DOCKERD_PID >/dev/null 2>&1; then
    echo; echo "❌ Critical: Test dockerd process (PID $DOCKERD_PID) died prematurely!"
    exit 1
  fi
  if docker info >/dev/null 2>&1; then
    echo; echo "✅ Test Docker daemon is up! (Attempt $i)"
    break
  fi
  if [ "$i" -eq 30 ]; then
    echo; echo "❌ Test Docker daemon failed to start after 30 seconds."
    docker info || true # Attempt one last time
    exit 1
  fi
  echo -n "."
  sleep 1
done
echo "--- Test: Docker Info Output ---"
docker info # Show that daemon is responsive
And the terminal output:
⏳ Waiting for test daemon on /root/docker-data-test/docker.sock
→ for i in {1..30}
→ kill -0 4130
→ docker info
→ '[' 1 -eq 30 ']'
→ echo -n .
.+ sleep 1
→ for i in {1..30}
→ kill -0 4130
→ docker info
→ echo
→ echo '✅ Test Docker daemon is up! (Attempt 2)'
✅ Test Docker daemon is up! (Attempt 2)
→ break
→ echo '--- Test: Docker Info Output ---'
--- Test: Docker Info Output ---
→ docker info
Client:
Version: 24.0.9
Context: default
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 24.0.9
Storage Driver: vfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 7c3aca7a610df76212171d200ca3811ff6096eb8
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.12.13
Operating System: Ubuntu 24.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 3
Total Memory: 9.931GiB
Name: 8a2ab101e83b
ID: a81f2975-cebd-4fef-98a1-d40863ab8307
Docker Root Dir: /root/docker-data-test
Debug Mode: false
HTTP Proxy: http://proxy:8080
HTTPS Proxy: http://proxy:8080
No Proxy: localhost,127.0.0.1,::1
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: IPv4 forwarding is disabled
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
The part that fails:
# Find the tarball
TAR_FILE_NAME="hello-world.tar"
TAR=$(find "$PWD" -maxdepth 1 -name "$TAR_FILE_NAME" -print -quit)
if [ -z "$TAR" ] || [ ! -f "$TAR" ]; then
  echo "❌ $TAR_FILE_NAME not found in $PWD. Cannot test image load."
  exit 1
fi
echo "Found image tarball for test: $TAR"
echo "🧪 Attempting to load image: $TAR"
if docker load -i "$TAR"; then
  echo "✅ UNEXPECTED: Image loaded successfully into test daemon."
  echo "Images available:"
  docker images
  echo "🧪 Attempting to run 'hello-world' from loaded image..."
  if docker run --rm hello-world; then
    echo "✅✅ UNEXPECTED: 'hello-world' container ran successfully!"
  else
    echo "❌ FAILED (as expected if load was somehow bypassed): 'hello-world' container DID NOT run. Exit code: $?"
    echo "This might indicate other issues like runc failure, cgroups, capabilities, docker-init."
  fi
else
  # else-branch as echoed in the terminal trace that follows; the exit-code expression is assumed to be $?
  echo "❌ FAILED (as expected): Could not load image '$TAR'. Exit code: $?"
  echo "This confirms the 'unshare: operation not permitted' error (or similar) prevents image loading."
fi
And the terminal confirmation of failure:
Found image tarball for test: /workspace/codex_bootstrap/hello-world.tar
→ echo '🧪 Attempting to load image: /workspace/codex_bootstrap/hello-world.tar'
🧪 Attempting to load image: /workspace/codex_bootstrap/hello-world.tar
→ docker load -i /workspace/codex_bootstrap/hello-world.tar
unshare: operation not permitted
→ echo '❌ FAILED (as expected): Could not load image '\''/workspace/codex_bootstrap/hello-world.tar'\''. Exit code: 1'
❌ FAILED (as expected): Could not load image '/workspace/codex_bootstrap/hello-world.tar'. Exit code: 1
→ echo 'This confirms the '\''unshare: operation not permitted'\'' error (or similar) prevents image loading.'
No, you cannot use custom images yet in Codex. It is the most important feature that it is missing right now, and luckily seems like it is coming soon.
It’s definitely not possible. Not only are there cgroup restrictions, as mentioned above-- even if you try to run a container without cgroups like with podman rootless and crun, it’ll fail due to not being allowed to bind mount /proc. I had to resort to creating a shim for podman that “simulates” running containers by untarring the container image into a chroot and faking various bits of /proc and /dev, and even this is fraught with problems as the Codex AI keeps getting confused and upset by this unconventional container setup. Half of the time it decides to disable key features of the app because it thinks it can’t possibly work.
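Added example, not part of the thread or of any tool mentioned in it: a POSIX shell preflight that reports the sandbox properties the posts above run into (seccomp mode, no_new_privs, CAP_SYS_ADMIN, and whether `unshare` and a fresh `/proc` mount are permitted), so the restriction can be identified before installing a container runtime. The function names are illustrative, and the check assumes Linux `/proc` and util-linux `unshare`.

```shell
#!/bin/sh
# Added example: report the sandbox restrictions behind the failures in this thread.
# Function names are illustrative, not from any tool mentioned above.

# Print field $1 (e.g. Seccomp) from a /proc/<pid>/status-format file $2.
status_field() {
    awk -v k="$1:" '$1 == k { print $2; exit }' "$2"
}

# Succeed if capability number $1 is set in the CapEff hex mask of file $2.
has_cap() {
    mask=$(status_field CapEff "$2")
    [ -n "$mask" ] && [ $(( (0x$mask >> $1) & 1 )) -eq 1 ]
}

# Run a command quietly and print "allowed" or "blocked"; never aborts.
probe() {
    if "$@" >/dev/null 2>&1; then echo allowed; else echo blocked; fi
}

# Summarise seccomp mode, no_new_privs and CAP_SYS_ADMIN (capability 21).
report() {
    st=${1:-/proc/self/status}
    case $(status_field Seccomp "$st") in
        0) echo "seccomp: disabled" ;;
        1) echo "seccomp: strict" ;;
        2) echo "seccomp: filter" ;;
        *) echo "seccomp: unknown" ;;
    esac
    echo "no_new_privs: $(status_field NoNewPrivs "$st")"
    if has_cap 21 "$st"; then echo "CAP_SYS_ADMIN: present"
    else echo "CAP_SYS_ADMIN: absent"; fi
}

# Live run: these attributes are inherited, so awk reading its own status is accurate.
if [ -r /proc/self/status ]; then
    report /proc/self/status
    echo "max_user_namespaces: $(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo n/a)"
    if command -v unshare >/dev/null 2>&1; then
        echo "user namespace:  $(probe unshare --user true)"
        echo "mount namespace: $(probe unshare --mount true)"
        echo "rootless /proc:  $(probe unshare --user --map-root-user --pid --fork --mount-proc true)"
    else
        echo "unshare(1) not installed; namespace probes skipped"
    fi
fi
```

A result of `seccomp: filter` together with `blocked` namespace probes points at the platform's sandbox policy rather than at the Docker or podman installation.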
I’m looking for the same, because my integration test depends on a container; without it, I don’t have certainty about the generated code.
Need the container feature as well as I am blocked from doing unit tests without it.