Demo of how to run an entire Buildkite job (including hooks) in a Docker container.
When a build agent starts up, the buildkite-elastic-bootstrap script configures the Buildkite agent to use the buildkite-docker-bootstrap script, which executes the job in a Docker container.
Because the job is bootstrapped inside the container, the workdir does not have to be bind-mounted from the host (unlike when using the Docker plugin). This means the user inside the container owns all the checked-out files so doesn't need to be root or to match the user on the host to access them.
The user will need to belong to the docker group on the host if the Docker socket is bind-mounted into the container for Docker-outside-of-Docker builds.
buildkite-docker-bootstrap passes the --group-add option to docker run to ensure that the user has the necessary permissions.
Unfortunately, this requires user namespace remapping to be disabled.