author Achilleas Pipinellis <axilleas@axilleas.me> 2016-04-28 10:59:20 +0000
committer Achilleas Pipinellis <axilleas@axilleas.me> 2016-04-28 10:59:20 +0000
commit 45f4cc6e9bee72ef91331721fe1c515c8ad2b913
tree ef22cc370e9d47b1e1aa4ee956791a279544103b /doc
parent 7aff855bc7f0ac5a688df7dcafffbdc617882fc1
parent 8b09dafb16726168ab78ff425c7c3d7c668ac5a5
Merge branch 'fix/docker-in-docker-ci-documentation' into 'master'
Update using_docker_build.md, clarify the 'privileged' mode requirement

Related to #15428

Fixes gitlab-org/gitlab-ci-multi-runner#1261

See merge request !3909
Diffstat (limited to 'doc')
-rw-r--r-- doc/ci/docker/using_docker_build.md 83
1 files changed, 63 insertions, 20 deletions
diff --git a/doc/ci/docker/using_docker_build.md b/doc/ci/docker/using_docker_build.md
index 4b1788a9af0..5fb086b1dd9 100644
--- a/doc/ci/docker/using_docker_build.md
+++ b/doc/ci/docker/using_docker_build.md
@@ -8,7 +8,7 @@ This is one of new trends in Continuous Integration/Deployment to:
1. create application image,
1. run test against created image,
-1. push image to remote registry,
+1. push image to remote registry,
1. deploy server from pushed image
It's also useful in case when your application already has the `Dockerfile` that can be used to create and test image:
@@ -46,22 +46,22 @@ GitLab Runner then executes build scripts as `gitlab-runner` user.
For more information how to install Docker on different systems checkout the [Supported installations](https://docs.docker.com/installation/).
3. Add `gitlab-runner` user to `docker` group:
-
+
```bash
$ sudo usermod -aG docker gitlab-runner
```
4. Verify that `gitlab-runner` has access to Docker:
-
+
```bash
$ sudo -u gitlab-runner -H docker info
```
-
+
You can now verify that everything works by adding `docker info` to `.gitlab-ci.yml`:
```yaml
before_script:
- docker info
-
+
build_image:
script:
- docker build -t my-docker-image .
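Review bot: the `-`/`+` pairs in this hunk (the blank lines after steps 3 and 4, the one before "You can now verify", and the one inside the `.gitlab-ci.yml` example) show no visible text difference, so they read as whitespace-only edits unrelated to clarifying the `privileged` requirement. Consider moving whitespace cleanup into its own commit so the security-relevant wording change in the docker-in-docker section is easier to review and to blame later.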
@@ -75,37 +75,80 @@ For more information please checkout [On Docker security: `docker` group conside
## 2. Use docker-in-docker executor
-Second approach is to use special Docker image with all tools installed (`docker` and `docker-compose`) and run build script in context of that image in privileged mode.
+The second approach is to use the special Docker image with all tools installed
+(`docker` and `docker-compose`) and run the build script in context of that
+image in privileged mode.
+
In order to do that follow the steps:
1. Install [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/#installation).
-1. Register GitLab Runner from command line to use `docker` and `privileged` mode:
+1. Register GitLab Runner from the command line to use `docker` and `privileged`
+ mode:
```bash
- $ sudo gitlab-runner register -n \
+ sudo gitlab-runner register -n \
--url https://gitlab.com/ci \
--token RUNNER_TOKEN \
--executor docker \
--description "My Docker Runner" \
- --docker-image "gitlab/dind:latest" \
+ --docker-image "docker:latest" \
--docker-privileged
```
-
- The above command will register new Runner to use special [gitlab/dind](https://registry.hub.docker.com/u/gitlab/dind/) image which is provided by GitLab Inc.
- The image at the start runs Docker daemon in [docker-in-docker](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/) mode.
+
+ The above command will register a new Runner to use the special
+ `docker:latest` image which is provided by Docker. **Notice that it's using
+ the `privileged` mode to start the build and service containers.** If you
+ want to use [docker-in-docker] mode, you always have to use `privileged = true`
+ in your Docker containers.
+
+ The above command will create a `config.toml` entry similar to this:
+
+ ```
+ [[runners]]
+ url = "https://gitlab.com/ci"
+ token = TOKEN
+ executor = "docker"
+ [runners.docker]
+ tls_verify = false
+ image = "docker:latest"
+ privileged = true
+ disable_cache = false
+ volumes = ["/cache"]
+ [runners.cache]
+ Insecure = false
+ ```
+
+ If you want to use the Shared Runners available on your GitLab CE/EE
+ installation in order to build Docker images, then make sure that your
+ Shared Runners configuration has the `privileged` mode set to `true`.
1. You can now use `docker` from build script:
-
+
```yaml
+ image: docker:latest
+
+ services:
+ - docker:dind
+
before_script:
- - docker info
-
- build_image:
+ - docker info
+
+ build:
+ stage: build
script:
- - docker build -t my-docker-image .
- - docker run my-docker-image /script/to/run/tests
+ - docker build -t my-docker-image .
+ - docker run my-docker-image /script/to/run/tests
```
-1. However, by enabling `--docker-privileged` you are effectively disables all security mechanisms of containers and exposing your host to privilege escalation which can lead to container breakout.
-For more information, check out [Runtime privilege](https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration). \ No newline at end of file
+1. However, by enabling `--docker-privileged` you are effectively disabling all
+ the security mechanisms of containers and exposing your host to privilege
+ escalation which can lead to container breakout.
+
+ For more information, check out the official Docker documentation on
+ [Runtime privilege and Linux capabilities][docker-cap].
+
+An example project using this approach can be found here: https://gitlab.com/gitlab-examples/docker.
+
+[docker-in-docker]: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/
+[docker-cap]: https://docs.docker.com/reference/run/#runtime-privilege-and-linux-capabilities
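Review bot: the new Shared Runners paragraph tells administrators to set `privileged` to `true`, but the warning that this disables the containers' security mechanisms and can lead to container breakout only appears afterwards, as the last numbered item of the list. Suggest moving that warning next to the `--docker-privileged` registration step or directly under the Shared Runners paragraph, and stating there that every project allowed to use a Shared Runner then gets privileged containers on that host. Two smaller points: `token = TOKEN` in the `config.toml` example is unquoted and is not valid TOML, so write `token = "TOKEN"` to match `url` and `executor`; and the register command drops the `$` prompt that the other bash blocks in this file still use, so pick one convention.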