Add docker bind-mount as an option
This commit is contained in:
parent
17eb51594d
commit
4209212bb8
1 changed files with 68 additions and 10 deletions
|
@ -4,14 +4,14 @@ GitLab CI allows you to use Docker Engine to build and test docker-based project
|
||||||
|
|
||||||
**This also allows to you to use `docker-compose` and other docker-enabled tools.**
|
**This also allows to you to use `docker-compose` and other docker-enabled tools.**
|
||||||
|
|
||||||
This is one of new trends in Continuous Integration/Deployment to:
|
This is one of the new trends in Continuous Integration/Deployment to:
|
||||||
|
|
||||||
1. create application image,
|
1. create an application image,
|
||||||
1. run test against created image,
|
1. run tests against the created image,
|
||||||
1. push image to remote registry,
|
1. push image to a remote registry,
|
||||||
1. deploy server from pushed image
|
1. deploy server from the pushed image
|
||||||
|
|
||||||
It's also useful in case when your application already has the `Dockerfile` that can be used to create and test image:
|
It's also useful when your application already has the `Dockerfile` that can be used to create and test an image:
|
||||||
```bash
|
```bash
|
||||||
$ docker build -t my-image dockerfiles/
|
$ docker build -t my-image dockerfiles/
|
||||||
$ docker run my-docker-image /script/to/run/tests
|
$ docker run my-docker-image /script/to/run/tests
|
||||||
|
@ -19,10 +19,7 @@ $ docker tag my-image my-registry:5000/my-image
|
||||||
$ docker push my-registry:5000/my-image
|
$ docker push my-registry:5000/my-image
|
||||||
```
|
```
|
||||||
|
|
||||||
However, this requires special configuration of GitLab Runner to enable `docker` support during build.
|
However, this requires special configuration of GitLab Runner to enable `docker` support during builds. There are three methods to enable the use of `docker build` and `docker run` during builds.
|
||||||
**This requires running GitLab Runner in privileged mode which can be harmful when untrusted code is run.**
|
|
||||||
|
|
||||||
There are two methods to enable the use of `docker build` and `docker run` during build.
|
|
||||||
|
|
||||||
## 1. Use shell executor
|
## 1. Use shell executor
|
||||||
|
|
||||||
|
@ -150,5 +147,66 @@ In order to do that follow the steps:
|
||||||
|
|
||||||
An example project using this approach can be found here: https://gitlab.com/gitlab-examples/docker.
|
An example project using this approach can be found here: https://gitlab.com/gitlab-examples/docker.
|
||||||
|
|
||||||
|
## 3. Bind Docker socket
|
||||||
|
|
||||||
|
The third approach is to bind-mount `/var/run/docker.sock` into the container so that docker is available in the context of that image.
|
||||||
|
|
||||||
|
In order to do that follow the steps:
|
||||||
|
|
||||||
|
1. Install [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/#installation).
|
||||||
|
|
||||||
|
1. Register GitLab Runner from the command line to use `docker` and `privileged`
|
||||||
|
mode:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo gitlab-runner register -n \
|
||||||
|
--url https://gitlab.com/ci \
|
||||||
|
--token RUNNER_TOKEN \
|
||||||
|
--executor docker \
|
||||||
|
--description "My Docker Runner" \
|
||||||
|
--docker-image "docker:latest" \
|
||||||
|
--docker-volumes /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
```
|
||||||
|
|
||||||
|
The above command will register a new Runner to use the special
|
||||||
|
`docker:latest` image which is provided by Docker. **Notice that it's using
|
||||||
|
the Docker daemon of the runner itself, and any containers spawned by docker commands will be siblings of the runner rather than children of the runner.** This may have complications and limitations that are unsuitable for your workflow.
|
||||||
|
|
||||||
|
The above command will create a `config.toml` entry similar to this:
|
||||||
|
|
||||||
|
```
|
||||||
|
[[runners]]
|
||||||
|
url = "https://gitlab.com/ci"
|
||||||
|
token = TOKEN
|
||||||
|
executor = "docker"
|
||||||
|
[runners.docker]
|
||||||
|
tls_verify = false
|
||||||
|
image = "docker:latest"
|
||||||
|
privileged = false
|
||||||
|
disable_cache = false
|
||||||
|
volumes = ["/usr/local/bin/docker:/usr/bin/docker", "/cache"]
|
||||||
|
[runners.cache]
|
||||||
|
Insecure = false
|
||||||
|
```
|
||||||
|
|
||||||
|
1. You can now use `docker` from build script (note that you don't need to include the `docker:dind` service as in the option above):
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
image: docker:latest
|
||||||
|
|
||||||
|
before_script:
|
||||||
|
- docker info
|
||||||
|
|
||||||
|
build:
|
||||||
|
stage: build
|
||||||
|
script:
|
||||||
|
- docker build -t my-docker-image .
|
||||||
|
- docker run my-docker-image /script/to/run/tests
|
||||||
|
```
|
||||||
|
|
||||||
|
1. However, by sharing the docker daemon, you are effectively disabling all
|
||||||
|
the security mechanisms of containers and exposing your host to privilege
|
||||||
|
escalation which can lead to container breakout.
|
||||||
|
|
||||||
[docker-in-docker]: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/
|
[docker-in-docker]: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/
|
||||||
[docker-cap]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
|
[docker-cap]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
|
||||||
|
|
Loading…
Reference in a new issue