author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-20 08:43:02 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-20 08:43:02 +0000 |
commit | d9ab72d6080f594d0b3cae15f14b3ef2c6c638cb (patch) | |
tree | 2341ef426af70ad1e289c38036737e04b0aa5007 /doc/ci/docker | |
parent | d6e514dd13db8947884cd58fe2a9c2a063400a9b (diff) | |
download | gitlab-ce-14.4.0-rc42.tar.gz |
Add latest changes from gitlab-org/gitlab@14-4-stable-ee
v14.4.0-rc42
Diffstat (limited to 'doc/ci/docker')
-rw-r--r-- | doc/ci/docker/using_docker_build.md | 2 |
-rw-r--r-- | doc/ci/docker/using_docker_images.md | 19 |
-rw-r--r-- | doc/ci/docker/using_kaniko.md | 10 |
3 files changed, 12 insertions, 19 deletions
diff --git a/doc/ci/docker/using_docker_build.md b/doc/ci/docker/using_docker_build.md index d5adedc611c..9a4290ead4c 100644 --- a/doc/ci/docker/using_docker_build.md +++ b/doc/ci/docker/using_docker_build.md @@ -572,7 +572,7 @@ The configuration is picked up by the `dind` service. ## Authenticate with registry in Docker-in-Docker When you use Docker-in-Docker, the -[standard authentication methods](using_docker_images.md#define-an-image-from-a-private-container-registry) +[standard authentication methods](using_docker_images.md#access-an-image-from-a-private-container-registry) don't work because a fresh Docker daemon is started with the service. ### Option 1: Run `docker login` diff --git a/doc/ci/docker/using_docker_images.md b/doc/ci/docker/using_docker_images.md index c2991ce66f9..79c23d73a68 100644 --- a/doc/ci/docker/using_docker_images.md +++ b/doc/ci/docker/using_docker_images.md @@ -214,7 +214,7 @@ Look for the `[runners.docker]` section: The image and services defined this way are added to all jobs run by that runner. -## Define an image from a private Container Registry +## Access an image from a private Container Registry To access private container registries, the GitLab Runner process can use: 
@@ -224,19 +224,12 @@ To access private container registries, the GitLab Runner process can use: To define which option should be used, the runner process reads the configuration in this order: -- A `DOCKER_AUTH_CONFIG` variable provided as either: - - A [CI/CD variable](../variables/index.md) in the `.gitlab-ci.yml` file. - - A project's variables stored on the project's **Settings > CI/CD** page. -- A `DOCKER_AUTH_CONFIG` variable provided as environment variable in the runner's `config.toml` file. +- A `DOCKER_AUTH_CONFIG` [CI/CD variable](../variables/index.md). +- A `DOCKER_AUTH_CONFIG` environment variable set in the runner's `config.toml` file. - A `config.json` file in `$HOME/.docker` directory of the user running the process. If the `--user` flag is provided to run the child processes as unprivileged user, the home directory of the main runner process user is used. -The runner reads this configuration **only** from the `config.toml` file and ignores it if -it's provided as a CI/CD variable. This is because the runner uses **only** -`config.toml` configuration and does not interpolate **any** CI/CD variables at -runtime. - ### Requirements and limitations - Available for [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes.html) @@ -253,9 +246,9 @@ private registry. Both require setting the CI/CD variable `DOCKER_AUTH_CONFIG` with appropriate authentication information. 1. Per-job: To configure one job to access a private registry, add - `DOCKER_AUTH_CONFIG` as a job variable. + `DOCKER_AUTH_CONFIG` as a [CI/CD variable](../variables/index.md). 1. Per-runner: To configure a runner so all its jobs can access a - private registry, add `DOCKER_AUTH_CONFIG` to the environment in the + private registry, add `DOCKER_AUTH_CONFIG` as an environment variable in the runner's configuration. See below for examples of each. 
@@ -274,7 +267,7 @@ Let's also assume that these are the sign-in credentials: | username | `my_username` | | password | `my_password` | -Use one of the following methods to determine the value of `DOCKER_AUTH_CONFIG`: +Use one of the following methods to determine the value for `DOCKER_AUTH_CONFIG`: - Do a `docker login` on your local machine: diff --git a/doc/ci/docker/using_kaniko.md b/doc/ci/docker/using_kaniko.md index 6886899a54b..69c4557dcbe 100644 --- a/doc/ci/docker/using_kaniko.md +++ b/doc/ci/docker/using_kaniko.md @@ -13,8 +13,8 @@ type: howto container images from a Dockerfile, inside a container or Kubernetes cluster. kaniko solves two problems with using the -[Docker-in-Docker -build](using_docker_build.md#use-the-docker-executor-with-the-docker-image-docker-in-docker) method: +[Docker-in-Docker build](using_docker_build.md#use-the-docker-executor-with-the-docker-image-docker-in-docker) +method: - Docker-in-Docker requires [privileged mode](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) to function, which is a significant security concern. @@ -64,7 +64,7 @@ build: entrypoint: [""] script: - mkdir -p /kaniko/.docker - - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json + - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG rules: - if: $CI_COMMIT_TAG 
@@ -91,7 +91,7 @@ build: - mkdir -p /kaniko/.docker - |- KANIKOPROXYBUILDARGS="" - KANIKOCFG="{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" + KANIKOCFG="{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64 | tr -d '\n')\"}}}" if [ "x${http_proxy}" != "x" -o "x${https_proxy}" != "x" ]; then KANIKOCFG="${KANIKOCFG}, \"proxies\": { \"default\": { \"httpProxy\": \"${http_proxy}\", \"httpsProxy\": \"${https_proxy}\", \"noProxy\": \"${no_proxy}\"}}" KANIKOPROXYBUILDARGS="--build-arg http_proxy=${http_proxy} --build-arg https_proxy=${https_proxy} --build-arg no_proxy=${no_proxy}" @@ -120,7 +120,7 @@ store: ```yaml before_script: - mkdir -p /kaniko/.docker - - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" > /kaniko/.docker/config.json + - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json - | echo "-----BEGIN CERTIFICATE----- ... |
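Review bot: The link in `using_docker_build.md` (hunk `@@ -572,7`) is updated to the new `#access-an-image-from-a-private-container-registry` anchor, but the heading rename in `using_docker_images.md` changes that anchor for every inbound link, and this diff only touches one. Please confirm that no other page still points at `#define-an-image-from-a-private-container-registry`.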
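Review bot: In the `using_docker_images.md` hunk `@@ -224,19`, the new first bullet collapses "`.gitlab-ci.yml` file" and "project's **Settings > CI/CD** page" into a single "CI/CD variable" link, so the page no longer says where a value that carries registry credentials should be defined. Consider a sentence recommending the project settings variable over a value committed in `.gitlab-ci.yml`. The list is also introduced as "reads the configuration in this order" without saying whether the first source found wins, which matters now that the contradictory "only from the `config.toml` file" paragraph is removed.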
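Review bot: In the `using_docker_images.md` hunk `@@ -253,9`, the "Per-job" item now reads "add `DOCKER_AUTH_CONFIG` as a [CI/CD variable]", which no longer matches its label: "job variable" was replaced by a term that the previous hunk uses for any CI/CD variable, not only one scoped to a single job. Either keep wording that makes the single-job scope explicit or rename the item so that readers do not expose the credential to more jobs than they intend.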
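Review bot: In the `echo` line of the `using_kaniko.md` hunk `@@ -64,7` (and the identical line in `@@ -120,7`), `${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}` is still expanded unquoted inside `$(...)`, so a password containing whitespace or glob characters is word-split or expanded before it reaches `base64`, and the behaviour of `echo -n` differs between `sh` implementations. Consider `printf '%s:%s' "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n'`, which keeps the newline stripping this change adds. A short sentence in the doc explaining why `tr -d '\n'` is needed (line-wrapped `base64` output would break the JSON string) would also help readers who copy the snippet.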
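Review bot: In the `using_kaniko.md` hunk `@@ -91,7`, `KANIKOCFG` is assigned a complete JSON object ending in `}}}`, and the proxy branch in the context lines then appends `, \"proxies\": { ... }` after that closing brace. With `http_proxy` or `https_proxy` set, the visible lines therefore produce a comma and a second member outside the object, which is not valid JSON unless code beyond this hunk rebuilds the string. Since this line is being edited anyway, consider assembling the `auths` member without the outer braces and wrapping the result once after the `if` block. The unquoted `${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}` expansion applies here as well.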