diff options
Diffstat (limited to 'doc/ci/docker')
-rw-r--r-- | doc/ci/docker/using_docker_build.md | 97 | ||||
-rw-r--r-- | doc/ci/docker/using_docker_images.md | 255 | ||||
-rw-r--r-- | doc/ci/docker/using_kaniko.md | 35 |
3 files changed, 217 insertions, 170 deletions
diff --git a/doc/ci/docker/using_docker_build.md b/doc/ci/docker/using_docker_build.md index 8e5ce2fb359..af88a006156 100644 --- a/doc/ci/docker/using_docker_build.md +++ b/doc/ci/docker/using_docker_build.md @@ -7,17 +7,17 @@ type: concepts, howto # Building Docker images with GitLab CI/CD -GitLab CI/CD allows you to use Docker Engine to build and test Docker-based projects. +You can use GitLab CI/CD with Docker Engine to build and test Docker-based projects. -One of the new trends in Continuous Integration/Deployment is to: +For example, you might want to: 1. Create an application image. 1. Run tests against the created image. 1. Push image to a remote registry. 1. Deploy to a server from the pushed image. -It's also useful when your application already has the `Dockerfile` that can be -used to create and test an image: +Or, if your application already has a `Dockerfile`, you can +use it to create and test an image: ```shell docker build -t my-image dockerfiles/ @@ -26,29 +26,37 @@ docker tag my-image my-registry:5000/my-image docker push my-registry:5000/my-image ``` -This requires special configuration of GitLab Runner to enable `docker` support -during jobs. +To run Docker commands in your CI/CD jobs, you must configure +GitLab Runner to enable `docker` support. -## Runner Configuration +## Enable Docker commands in your CI/CD jobs -There are three methods to enable the use of `docker build` and `docker run` -during jobs, each with their own tradeoffs. +There are three ways to enable the use of `docker build` and `docker run` +during jobs, each with their own tradeoffs. You can use: -An alternative to using `docker build` is to [use kaniko](using_kaniko.md). -This avoids having to execute a runner in privileged mode. +- [The shell executor](#use-the-shell-executor) +- [The Docker executor with the Docker image (Docker-in-Docker)](#use-the-docker-executor-with-the-docker-image-docker-in-docker) +- [Docker socket binding](#use-docker-socket-binding) -NOTE: -To see how Docker and GitLab Runner are configured for shared runners on -GitLab.com, see [GitLab.com shared -runners](../../user/gitlab_com/index.md#shared-runners). +If you don't want to execute a runner in privileged mode, +but want to use `docker build`, you can also [use kaniko](using_kaniko.md). + +If you are using shared runners on GitLab.com, see +[GitLab.com shared runners](../../user/gitlab_com/index.md#shared-runners) +to learn more about how these runners are configured. -### Use shell executor +### Use the shell executor -The simplest approach is to install GitLab Runner in `shell` execution mode. -GitLab Runner then executes job scripts as the `gitlab-runner` user. +One way to configure GitLab Runner for `docker` support is to use the +`shell` executor. -1. Install [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner/#installation). -1. During GitLab Runner installation select `shell` as method of executing job scripts or use command: +After you register a runner and select the `shell` executor, +your job scripts are executed as the `gitlab-runner` user. +This user needs permission to run Docker commands. + +1. [Install](https://gitlab.com/gitlab-org/gitlab-runner/#installation) GitLab Runner. +1. [Register](https://docs.gitlab.com/runner/register/) a runner. + Select the `shell` executor. For example: ```shell sudo gitlab-runner register -n \ @@ -58,12 +66,10 @@ GitLab Runner then executes job scripts as the `gitlab-runner` user. --description "My Runner" ``` -1. Install Docker Engine on server. - - For more information how to install Docker Engine on different systems, - check out the [Supported installations](https://docs.docker.com/engine/installation/). +1. On the server where GitLab Runner is installed, install Docker Engine. + View a list of [supported platforms](https://docs.docker.com/engine/installation/). -1. Add `gitlab-runner` user to `docker` group: +1. Add the `gitlab-runner` user to the `docker` group: ```shell sudo usermod -aG docker gitlab-runner @@ -75,7 +81,7 @@ GitLab Runner then executes job scripts as the `gitlab-runner` user. sudo -u gitlab-runner -H docker info ``` - You can now verify that everything works by adding `docker info` to `.gitlab-ci.yml`: +1. In GitLab, to verify that everything works, add `docker info` to `.gitlab-ci.yml`: ```yaml before_script: @@ -87,28 +93,30 @@ GitLab Runner then executes job scripts as the `gitlab-runner` user. - docker run my-docker-image /script/to/run/tests ``` -1. You can now use `docker` command (and **install** `docker-compose` if needed). +You can now use `docker` commands (and install `docker-compose` if needed). + +When you add `gitlab-runner` to the `docker` group, you are effectively granting `gitlab-runner` full root permissions. +Learn more about the [security of the `docker` group](https://blog.zopyx.com/on-docker-security-docker-group-considered-harmful/). -By adding `gitlab-runner` to the `docker` group you are effectively granting `gitlab-runner` full root permissions. -For more information please read [On Docker security: `docker` group considered harmful](https://blog.zopyx.com/on-docker-security-docker-group-considered-harmful/). +### Use the Docker executor with the Docker image (Docker-in-Docker) -### Use Docker-in-Docker workflow with Docker executor +Another way to configure GitLab Runner for `docker` support is to +register a runner with the Docker executor and use the [Docker image](https://hub.docker.com/_/docker/) +to run your job scripts. This configuration is referred to as "Docker-in-Docker." -The second approach is to use the special Docker-in-Docker (dind) -[Docker image](https://hub.docker.com/_/docker/) with all tools installed -(`docker`) and run the job script in context of that -image in privileged mode. +The Docker image has all of the `docker` tools installed +and can run the job script in context of the image in privileged mode. -`docker-compose` is not part of Docker-in-Docker (dind). To use `docker-compose` in your -CI builds, follow the `docker-compose` +The `docker-compose` command is not available in this configuration by default. +To use `docker-compose` in your job scripts, follow the `docker-compose` [installation instructions](https://docs.docker.com/compose/install/). WARNING: -By enabling `--docker-privileged`, you are effectively disabling all of +When you enable `--docker-privileged`, you are effectively disabling all of the security mechanisms of containers and exposing your host to privilege escalation which can lead to container breakout. For more information, check out the official Docker documentation on -[Runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). +[runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). Docker-in-Docker works well, and is the recommended configuration, but it is not without its own challenges: @@ -363,10 +371,11 @@ build: - docker run my-docker-image /script/to/run/tests ``` -#### Use Docker socket binding +### Use Docker socket binding -The third approach is to bind-mount `/var/run/docker.sock` into the -container so that Docker is available in the context of that image. +Another way to configure GitLab Runner for `docker` support is to +bind-mount `/var/run/docker.sock` into the +container so that Docker is available in the context of the image. NOTE: If you bind the Docker socket and you are @@ -395,7 +404,7 @@ To make Docker available in the context of the image: commands are siblings of the runner rather than children of the runner.** This may have complications and limitations that are unsuitable for your workflow. - Your `config.toml` file should not have an entry like this: + Your `config.toml` file should now have an entry like this: ```toml [[runners]] @@ -854,13 +863,13 @@ After you've built a Docker image, you can push it up to the built-in ### `docker: Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?` This is a common error when you are using -[Docker in Docker](#use-docker-in-docker-workflow-with-docker-executor) +[Docker in Docker](#use-the-docker-executor-with-the-docker-image-docker-in-docker) v19.03 or higher. This occurs because Docker starts on TLS automatically, so you need to do some setup. If: - This is the first time setting it up, carefully read - [using Docker in Docker workflow](#use-docker-in-docker-workflow-with-docker-executor). + [using Docker in Docker workflow](#use-the-docker-executor-with-the-docker-image-docker-in-docker). - You are upgrading from v18.09 or earlier, read our [upgrade guide](https://about.gitlab.com/releases/2019/07/31/docker-in-docker-with-docker-19-dot-03/). diff --git a/doc/ci/docker/using_docker_images.md b/doc/ci/docker/using_docker_images.md index 7171269cf2d..630e106b72c 100644 --- a/doc/ci/docker/using_docker_images.md +++ b/doc/ci/docker/using_docker_images.md @@ -10,18 +10,18 @@ type: concepts, howto GitLab CI/CD in conjunction with [GitLab Runner](../runners/README.md) can use [Docker Engine](https://www.docker.com/) to test and build any application. -Docker is an open-source project that allows you to use predefined images to -run applications in independent "containers" that are run within a single Linux -instance. [Docker Hub](https://hub.docker.com/) has a rich database of pre-built images that can be -used to test and build your applications. - -When used with GitLab CI/CD, Docker runs each job in a separate and isolated -container using the predefined image that's set up in -[`.gitlab-ci.yml`](../yaml/README.md). - -This makes it easier to have a simple and reproducible build environment that -can also run on your workstation. The added benefit is that you can test all -the commands that we explore later from your shell, rather than having to +Docker is an open-source project that has predefined images you can use to +run applications in independent "containers." These containers run in a single Linux +instance. [Docker Hub](https://hub.docker.com/) is a database of pre-built images you can +use to test and build your applications. + +When you use Docker with GitLab CI/CD, Docker runs each job in a separate and isolated +container. You specify the container image in the project's +[`.gitlab-ci.yml`](../yaml/README.md) file. + +Docker containers provide a reproducible build environment that +can run on your workstation. When a Docker container is running, you can test +commands from your shell, rather than having to test them on a dedicated CI server. ## Register Docker Runner @@ -29,7 +29,7 @@ test them on a dedicated CI server. To use GitLab Runner with Docker you need to [register a new runner](https://docs.gitlab.com/runner/register/) to use the `docker` executor. -An example can be seen below. First we set up a temporary template to supply the services: +In this example, we first set up a temporary template to supply the services: ```shell cat > /tmp/test-config.template.toml << EOF @@ -42,7 +42,7 @@ name = "mysql:latest" EOF ``` -Then we register the runner using the template that was just created: +Then use this template to register the runner: ```shell sudo gitlab-runner register \ @@ -63,25 +63,26 @@ accessible during the build process. The `image` keyword is the name of the Docker image the Docker executor runs to perform the CI tasks. -By default, the executor only pulls images from [Docker Hub](https://hub.docker.com/), -however this can be configured in the `gitlab-runner/config.toml` by setting -the [Docker pull policy](https://docs.gitlab.com/runner/executors/docker.html#how-pull-policies-work) to allow using local images. +By default, the executor pulls images only from [Docker Hub](https://hub.docker.com/). +However, you can configure the location in the `gitlab-runner/config.toml` file. For example, +you can set the [Docker pull policy](https://docs.gitlab.com/runner/executors/docker.html#how-pull-policies-work) +to use local images. -For more information about images and Docker Hub, please read +For more information about images and Docker Hub, read the [Docker Fundamentals](https://docs.docker.com/engine/understanding-docker/) documentation. ## What is a service -The `services` keyword defines just another Docker image that's run during -your job and is linked to the Docker image that the `image` keyword defines. -This allows you to access the service image during build time. +The `services` keyword defines another Docker image that's run during +your job. It's linked to the Docker image that the `image` keyword defines, +which allows you to access the service image during build time. The service image can run any application, but the most common use case is to run a database container, for example, `mysql`. It's easier and faster to use an -existing image and run it as an additional container than install `mysql` every +existing image and run it as an additional container than to install `mysql` every time the project is built. -You're not limited to have only database services. You can add as many +You're not limited to only database services. You can add as many services you need to `.gitlab-ci.yml` or manually modify `config.toml`. Any image found at [Docker Hub](https://hub.docker.com/) or your private Container Registry can be used as a service. @@ -94,56 +95,57 @@ You can see some widely used services examples in the relevant documentation of ### How services are linked to the job -To better understand how the container linking works, read +To better understand how container linking works, read [Linking containers together](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/). -To summarize, if you add `mysql` as service to your application, the image is -then used to create a container that's linked to the job container. +If you add `mysql` as service to your application, the image is +used to create a container that's linked to the job container. The service container for MySQL is accessible under the hostname `mysql`. -So, in order to access your database service you have to connect to the host -named `mysql` instead of a socket or `localhost`. Read more in [accessing the -services](#accessing-the-services). +To access your database service, connect to the host named `mysql` instead of a +socket or `localhost`. Read more in [accessing the services](#accessing-the-services). ### How the health check of services works -Services are designed to provide additional functionality which is **network accessible**. -It may be a database like MySQL, or Redis, and even `docker:stable-dind` which -allows you to use Docker in Docker. It can be practically anything that's -required for the CI/CD job to proceed and is accessed by network. +Services are designed to provide additional features which are **network accessible**. +They may be a database like MySQL, or Redis, and even `docker:stable-dind` which +allows you to use Docker-in-Docker. It can be practically anything that's +required for the CI/CD job to proceed, and is accessed by network. To make sure this works, the runner: 1. Checks which ports are exposed from the container by default. 1. Starts a special container that waits for these ports to be accessible. -When the second stage of the check fails, either because there is no opened port in the -service, or the service was not started properly before the timeout and the port is not -responding, it prints the warning: `*** WARNING: Service XYZ probably didn't start properly`. +If the second stage of the check fails, it prints the warning: `*** WARNING: Service XYZ probably didn't start properly`. +This issue can occur because: + +- There is no opened port in the service. +- The service was not started properly before the timeout, and the port is not + responding. In most cases it affects the job, but there may be situations when the job still succeeds even if that warning was printed. For example: -- The service was started a little after the warning was raised, and the job is +- The service was started shortly after the warning was raised, and the job is not using the linked service from the beginning. In that case, when the job needed to access the service, it may have been already there waiting for connections. - The service container is not providing any networking service, but it's doing something with the job's directory (all services have the job directory mounted as a volume under `/builds`). In that case, the service does its job, and - since the job is not trying to connect to it, it does not fail. + because the job is not trying to connect to it, it does not fail. ### What services are not for -As it was mentioned before, this feature is designed to provide **network accessible** +As mentioned before, this feature is designed to provide **network accessible** services. A database is the simplest example of such a service. -The services feature is not designed to, and does not add any software from the +The services feature is not designed to, and does not, add any software from the defined `services` image(s) to the job's container. For example, if you have the following `services` defined in your job, the `php`, -`node` or `go` commands are **not** available for your script, and thus -the job fails: +`node` or `go` commands are **not** available for your script, and the job fails: ```yaml job: @@ -162,16 +164,15 @@ If you need to have `php`, `node` and `go` available for your script, you should either: - Choose an existing Docker image that contains all required tools. -- Create your own Docker image, with all the required tools included +- Create your own Docker image, with all the required tools included, and use that in your job. ### Accessing the services Let's say that you need a Wordpress instance to test some API integration with -your application. - -You can then use for example the [tutum/wordpress](https://hub.docker.com/r/tutum/wordpress/) image in your -`.gitlab-ci.yml`: +your application. You can then use for example the +[`tutum/wordpress`](https://hub.docker.com/r/tutum/wordpress/) image in your +`.gitlab-ci.yml` file: ```yaml services: @@ -179,13 +180,13 @@ services: ``` If you don't [specify a service alias](#available-settings-for-services), -when the job is run, `tutum/wordpress` is started and you have -access to it from your build container under two hostnames to choose from: +when the job runs, `tutum/wordpress` is started. You have +access to it from your build container under two hostnames: - `tutum-wordpress` - `tutum__wordpress` -Hostnames with underscores are not RFC valid and may cause problems in 3rd party +Hostnames with underscores are not RFC valid and may cause problems in third-party applications. The default aliases for the service's hostname are created from its image name @@ -202,7 +203,7 @@ To override the default behavior, you can ## Define `image` and `services` from `.gitlab-ci.yml` -You can simply define an image that's used for all jobs and a list of +You can define an image that's used for all jobs, and a list of services that you want to use during build time: ```yaml @@ -275,7 +276,7 @@ test: You can also pass custom environment [variables](../variables/README.md) to fine tune your Docker `images` and `services` directly in the `.gitlab-ci.yml` file. -For more information, see [custom environment variables](../variables/README.md#gitlab-ciyml-defined-variables) +For more information, read [custom environment variables](../variables/README.md#gitlab-ciyml-defined-variables) ```yaml # The following variables are automatically passed down to the Postgres container @@ -314,11 +315,11 @@ test: When configuring the `image` or `services` entries, you can use a string or a map as options: -- when using a string as an option, it must be the full name of the image to use +- When using a string as an option, it must be the full name of the image to use (including the Registry part if you want to download the image from a Registry - other than Docker Hub) -- when using a map as an option, then it must contain at least the `name` - option, which is the same name of the image as used for the string setting + other than Docker Hub). +- When using a map as an option, then it must contain at least the `name` + option, which is the same name of the image as used for the string setting. For example, the following two definitions are equal: @@ -350,8 +351,8 @@ For example, the following two definitions are equal: | Setting | Required | GitLab version | Description | |------------|----------|----------------| ----------- | -| `name` | yes, when used with any other option | 9.4 |Full name of the image that should be used. It should contain the Registry part if needed. | -| `entrypoint` | no | 9.4 |Command or script that should be executed as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | +| `name` | yes, when used with any other option | 9.4 |Full name of the image to use. It should contain the Registry part if needed. | +| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | ### Available settings for `services` @@ -359,8 +360,8 @@ For example, the following two definitions are equal: | Setting | Required | GitLab version | Description | |------------|----------|----------------| ----------- | -| `name` | yes, when used with any other option | 9.4 | Full name of the image that should be used. It should contain the Registry part if needed. | -| `entrypoint` | no | 9.4 |Command or script that should be executed as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | +| `name` | yes, when used with any other option | 9.4 | Full name of the image to use. It should contain the Registry part if needed. | +| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | | `command` | no | 9.4 |Command or script that should be used as the container's command. It's translated to arguments passed to Docker after the image's name. The syntax is similar to [`Dockerfile`'s `CMD`](https://docs.docker.com/engine/reference/builder/#cmd) directive, where each shell token is a separate string in the array. | | `alias` (1) | no | 9.4 |Additional alias that can be used to access the service from the job's container. Read [Accessing the services](#accessing-the-services) for more information. | @@ -379,8 +380,8 @@ services: - mysql:latest ``` -The runner would start two containers using the `mysql:latest` image, but both -of them would be added to the job's container with the `mysql` alias based on +The runner would start two containers, each that uses the `mysql:latest` image. +However, both of them would be added to the job's container with the `mysql` alias, based on the [default hostname naming](#accessing-the-services). This would end with one of the services not being accessible. @@ -404,31 +405,33 @@ in `.gitlab-ci.yml` file. > Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options). Let's assume you have a `super/sql:latest` image with some SQL database -inside it and you would like to use it as a service for your job. Let's also +in it. You would like to use it as a service for your job. Let's also assume that this image does not start the database process while starting -the container and the user needs to manually use `/usr/bin/super-sql run` as +the container. The user needs to manually use `/usr/bin/super-sql run` as a command to start the database. -Before the new extended Docker configuration options, you would need to create -your own image based on the `super/sql:latest` image, add the default command, -and then use it in job's configuration, like: +Before the new extended Docker configuration options, you would need to: -```dockerfile -# my-super-sql:latest image's Dockerfile +- Create your own image based on the `super/sql:latest` image. +- Add the default command. +- Use the image in the job's configuration: -FROM super/sql:latest -CMD ["/usr/bin/super-sql", "run"] -``` + ```dockerfile + # my-super-sql:latest image's Dockerfile -```yaml -# .gitlab-ci.yml + FROM super/sql:latest + CMD ["/usr/bin/super-sql", "run"] + ``` -services: - - my-super-sql:latest -``` + ```yaml + # .gitlab-ci.yml + + services: + - my-super-sql:latest + ``` -After the new extended Docker configuration options, you can now simply -set a `command` in `.gitlab-ci.yml`, like: +After the new extended Docker configuration options, you can +set a `command` in the `.gitlab-ci.yml` file instead: ```yaml # .gitlab-ci.yml @@ -438,15 +441,15 @@ services: command: ["/usr/bin/super-sql", "run"] ``` -As you can see, the syntax of `command` is similar to [Dockerfile's `CMD`](https://docs.docker.com/engine/reference/builder/#cmd). +The syntax of `command` is similar to [Dockerfile's `CMD`](https://docs.docker.com/engine/reference/builder/#cmd). ### Overriding the entrypoint of an image > Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options). -Before showing the available entrypoint override methods, let's describe shortly -how the runner starts and uses a Docker image for the containers used in the -CI jobs: +Before showing the available entrypoint override methods, let's describe +how the runner starts. It uses a Docker image for the containers used in the +CI/CD jobs: 1. The runner starts a Docker container using the defined entrypoint (default from `Dockerfile` that may be overridden in `.gitlab-ci.yml`) @@ -455,32 +458,35 @@ CI jobs: [`before_script`](../yaml/README.md#before_script), [`script`](../yaml/README.md#script), and [`after_script`](../yaml/README.md#after_script)). -1. The runner sends the script to the container's shell STDIN and receives the +1. The runner sends the script to the container's shell `stdin` and receives the output. -To override the entrypoint of a Docker image, the recommended solution is to +To override the entrypoint of a Docker image, you should define an empty `entrypoint` in `.gitlab-ci.yml`, so the runner does not start a useless shell layer. However, that does not work for all Docker versions, and -you should check which one your runner is using. Specifically: +you should check which one your runner is using: -- If Docker 17.06 or later is used, the `entrypoint` can be set to an empty value. -- If Docker 17.03 or previous versions are used, the `entrypoint` can be set to +- _If Docker 17.06 or later is used,_ the `entrypoint` can be set to an empty value. +- _If Docker 17.03 or previous versions are used,_ the `entrypoint` can be set to `/bin/sh -c`, `/bin/bash -c` or an equivalent shell available in the image. The syntax of `image:entrypoint` is similar to [Dockerfile's `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint). -Let's assume you have a `super/sql:experimental` image with some SQL database -inside it and you would like to use it as a base image for your job because you +Let's assume you have a `super/sql:experimental` image with a SQL database +in it. You want to use it as a base image for your job because you want to execute some tests with this database binary. Let's also assume that -this image is configured with `/usr/bin/super-sql run` as an entrypoint. That -means that when starting the container without additional options, it runs -the database's process, while the runner expects that the image has no +this image is configured with `/usr/bin/super-sql run` as an entrypoint. When +the container starts without additional options, it runs +the database's process. The runner expects that the image has no entrypoint or that the entrypoint is prepared to start a shell command. -With the extended Docker configuration options, instead of creating your -own image based on `super/sql:experimental`, setting the `ENTRYPOINT` -to a shell, and then using the new image in your CI job, you can now simply -define an `entrypoint` in `.gitlab-ci.yml`. +With the extended Docker configuration options, instead of: + +- Creating your own image based on `super/sql:experimental`. +- Setting the `ENTRYPOINT` to a shell. +- Using the new image in your CI job. + +You can now define an `entrypoint` in the `.gitlab-ci.yml` file. **For Docker 17.06+:** @@ -508,7 +514,7 @@ Look for the `[runners.docker]` section: services = ["mysql:latest", "postgres:latest"] ``` -The image and services defined this way are added to all job run by +The image and services defined this way are added to all jobs run by that runner. ## Define an image from a private Container Registry @@ -516,8 +522,8 @@ that runner. To access private container registries, the GitLab Runner process can use: - [Statically defined credentials](#using-statically-defined-credentials). That is, a username and password for a specific registry. -- [Credentials Store](#using-credentials-store). For more information, see [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credentials-store). -- [Credential Helpers](#using-credential-helpers). For more information, see [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers). +- [Credentials Store](#using-credentials-store). For more information, read [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credentials-store). +- [Credential Helpers](#using-credential-helpers). For more information, read [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers). To define which should be used, the GitLab Runner process reads the configuration in the following order: @@ -531,7 +537,7 @@ To define which should be used, the GitLab Runner process reads the configuratio GitLab Runner reads this configuration **only** from `config.toml` and ignores it if it's provided as an environment variable. This is because GitLab Runner uses **only** -`config.toml` configuration and does not interpolate **ANY** environment variables at +`config.toml` configuration and does not interpolate **any** environment variables at runtime. ### Requirements and limitations @@ -543,7 +549,7 @@ runtime. at least version **1.8** if you want to use private registries. - Available for [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes.html) in GitLab Runner 13.1 and later. -- [Credentials Store](#using-credentials-store) and [Credential Helpers](#using-credential-helpers) require binaries to be added to the GitLab Runner's `$PATH`, and require access to do so. Therefore, these features are not available on shared runners or any other runner where the user does not have access to the environment where the runner is installed. +- [Credentials Store](#using-credentials-store) and [Credential Helpers](#using-credential-helpers) require binaries to be added to the GitLab Runner's `$PATH`, and require access to do so. Therefore, these features are not available on shared runners, or any other runner where the user does not have access to the environment where the runner is installed. ### Using statically-defined credentials @@ -562,7 +568,7 @@ See below for examples of each. #### Determining your `DOCKER_AUTH_CONFIG` data As an example, let's assume you want to use the `registry.example.com:5000/private/image:latest` -image, which is private and requires you to sign in to a private container +image. This image is private and requires you to sign in to a private container registry. Let's also assume that these are the sign-in credentials: @@ -592,7 +598,7 @@ Use one of the following methods to determine the value of `DOCKER_AUTH_CONFIG`: - In some setups, it's possible that Docker client uses the available system key store to store the result of `docker login`. In that case, it's impossible to - read `~/.docker/config.json`, so you need to prepare the required + read `~/.docker/config.json`, so you must prepare the required base64-encoded version of `${username}:${password}` and create the Docker configuration JSON manually. Open a terminal and execute the following command: @@ -691,7 +697,7 @@ To add `DOCKER_AUTH_CONFIG` to a runner: To configure credentials store, follow these steps: 1. To use a credentials store, you need an external helper program to interact with a specific keychain or external store. - Make sure helper program is available in GitLab Runner `$PATH`. + Make sure the helper program is available in GitLab Runner `$PATH`. 1. Make GitLab Runner use it. There are two ways to accomplish this. Either: @@ -710,16 +716,16 @@ To configure credentials store, follow these steps: `${GITLAB_RUNNER_HOME}/.docker/config.json`. GitLab Runner reads this configuration file and uses the needed helper for this specific repository. -`credsStore` is used to access ALL the registries. -If you want to use both images from private registry and public images from Docker Hub, -pulling from Docker Hub would fail, because Docker daemon tries to use the same credentials for **ALL** the registries. +`credsStore` is used to access **all** the registries. +If you use both images from a private registry and public images from Docker Hub, +pulling from Docker Hub fails. Docker daemon tries to use the same credentials for **all** the registries. ### Using Credential Helpers > Support for using Credential Helpers was added in GitLab Runner 12.0 As an example, let's assume that you want to use the `aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latest` -image which is private and requires you to log in into a private container registry. +image. This image is private and requires you to log in into a private container registry. To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow these steps: @@ -750,7 +756,7 @@ To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow th } ``` - This configures Docker to use the credential helper for all Amazon ECR registries. + This configures Docker to use the credential helper for all Amazon Elastic Container Registry (ECR) registries. - Or, if you're running self-managed runners, add the above JSON to `${GITLAB_RUNNER_HOME}/.docker/config.json`. @@ -772,13 +778,13 @@ registries to the `"credHelpers"` hash as described above. ## Configuring services -Many services accept environment variables which allow you to easily change -database names or set account names depending on the environment. +Many services accept environment variables, which you can use to change +database names or set account names, depending on the environment. GitLab Runner 0.5.0 and up passes all YAML-defined variables to the created service containers. -For all possible configuration variables check the documentation of each image +For all possible configuration variables, check the documentation of each image provided in their corresponding Docker hub page. All variables are passed to all services containers. It's not @@ -786,12 +792,12 @@ designed to distinguish which variable should go where. ### PostgreSQL service example -See the specific documentation for +Read the specific documentation for [using PostgreSQL as a service](../services/postgres.md). ### MySQL service example -See the specific documentation for +Read the specific documentation for [using MySQL as a service](../services/mysql.md). ## How Docker integration works @@ -800,15 +806,15 @@ Below is a high level overview of the steps performed by Docker during job time. 1. Create any service container: `mysql`, `postgresql`, `mongodb`, `redis`. -1. Create cache container to store all volumes as defined in `config.toml` and +1. Create a cache container to store all volumes as defined in `config.toml` and `Dockerfile` of build image (`ruby:2.6` as in above example). -1. Create build container and link any service container to build container. -1. Start build container and send job script to the container. -1. Run job script. +1. Create a build container and link any service container to build container. +1. Start the build container, and send a job script to the container. +1. Run the job script. 1. Checkout code in: `/builds/group-name/project-name/`. 1. Run any step defined in `.gitlab-ci.yml`. -1. Check exit status of build script. -1. Remove build container and all created service containers. +1. Check the exit status of build script. +1. Remove the build container and all created service containers. ## How to debug a job locally @@ -827,8 +833,7 @@ EOF Here we use as an example the GitLab Runner repository which contains a Makefile, so running `make` executes the commands defined in the Makefile. -Your mileage may vary, so instead of `make` you could run the command which -is specific to your project. +Instead of `make`, you could run the command which is specific to your project. Then create some service containers: @@ -850,7 +855,7 @@ docker run --name build -i --link=service-mysql:mysql --link=service-postgres:po The above command creates a container named `build` that's spawned from the `ruby:2.6` image and has two services linked to it. The `build_script` is -piped using STDIN to the bash interpreter which in turn executes the +piped using `stdin` to the bash interpreter which in turn executes the `build_script` in the `build` container. When you finish testing and no longer need the containers, you can remove them @@ -861,5 +866,5 @@ docker rm -f -v build service-mysql service-postgres ``` This forcefully (`-f`) removes the `build` container, the two service -containers as well as all volumes (`-v`) that were created with the container +containers, and all volumes (`-v`) that were created with the container creation. diff --git a/doc/ci/docker/using_kaniko.md b/doc/ci/docker/using_kaniko.md index 13d3c607f8a..7eb2a8286c7 100644 --- a/doc/ci/docker/using_kaniko.md +++ b/doc/ci/docker/using_kaniko.md @@ -14,7 +14,7 @@ container images from a Dockerfile, inside a container or Kubernetes cluster. kaniko solves two problems with using the [Docker-in-Docker -build](using_docker_build.md#use-docker-in-docker-workflow-with-docker-executor) method: +build](using_docker_build.md#use-the-docker-executor-with-the-docker-image-docker-in-docker) method: - Docker-in-Docker requires [privileged mode](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) to function, which is a significant security concern. @@ -70,6 +70,39 @@ build: - if: $CI_COMMIT_TAG ``` +### Building an image with kaniko behind a proxy + +If you use a custom GitLab Runner behind an http(s) proxy, kaniko needs to be set +up accordingly. This means: + +- Adding the proxy to `/kaniko/.docker/config.json` +- Passing the `http_proxy` environment variables as build args so the Dockerfile + instructions can use the proxy when building the image. + +The previous example can be extended as follows: + +```yaml +build: + stage: build + image: + name: gcr.io/kaniko-project/executor:debug + entrypoint: [""] + script: + - mkdir -p /kaniko/.docker + - |- + KANIKOPROXYBUILDARGS="" + KANIKOCFG="{ \"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}" + if [ "x${http_proxy}" != "x" -o "x${https_proxy}" != "x" ]; then + KANIKOCFG="${KANIKOCFG}, \"proxies\": { \"default\": { \"httpProxy\": \"${http_proxy}\", \"httpsProxy\": \"${https_proxy}\", \"noProxy\": \"${no_proxy}\"}}" + KANIKOPROXYBUILDARGS="--build-arg http_proxy=${http_proxy} --build-arg https_proxy=${https_proxy} --build-arg no_proxy=${no_proxy}" + fi + KANIKOCFG="${KANIKOCFG} }" + echo "${KANIKOCFG}" > /kaniko/.docker/config.json + - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile $KANIKOPROXYBUILDARGS --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG + only: + - tags +``` + ## Using a registry with a custom certificate When trying to push to a Docker registry that uses a certificate that is signed |