Commit 77a1ab50 authored by Marcel Amirault's avatar Marcel Amirault

Merge branch 'selhorn-docker-another12' into 'master'

More edits for style and vale

See merge request gitlab-org/gitlab!55707
parents 6c8c0c0e 2de0ab1d
...@@ -7,32 +7,16 @@ type: concepts, howto ...@@ -7,32 +7,16 @@ type: concepts, howto
# Use Docker to build Docker images # Use Docker to build Docker images
You can use GitLab CI/CD with Docker to build and test Docker images. You can use GitLab CI/CD with Docker to create Docker images.
For example, you can create a Docker image of your application,
For example, you might want to: test it, and publish it to a container registry.
1. Create a Docker image of your application.
1. Run tests against the image.
1. Push the image to a remote registry.
1. Use the image to deploy your application to a server.
Or, if your application already has a `Dockerfile`, you can
use it to create and test an image:
```shell
docker build -t my-image dockerfiles/
docker run my-image /script/to/run/tests
docker tag my-image my-registry:5000/my-image
docker push my-registry:5000/my-image
```
To run Docker commands in your CI/CD jobs, you must configure To run Docker commands in your CI/CD jobs, you must configure
GitLab Runner to support `docker` commands. GitLab Runner to support `docker` commands.
## Enable Docker commands in your CI/CD jobs ## Enable Docker commands in your CI/CD jobs
There are three ways to enable the use of `docker build` and `docker run` To enable Docker commands for your CI/CD jobs, you can use:
during jobs, each with their own tradeoffs. You can use:
- [The shell executor](#use-the-shell-executor) - [The shell executor](#use-the-shell-executor)
- [The Docker executor with the Docker image (Docker-in-Docker)](#use-the-docker-executor-with-the-docker-image-docker-in-docker) - [The Docker executor with the Docker image (Docker-in-Docker)](#use-the-docker-executor-with-the-docker-image-docker-in-docker)
...@@ -47,12 +31,9 @@ to learn more about how these runners are configured. ...@@ -47,12 +31,9 @@ to learn more about how these runners are configured.
### Use the shell executor ### Use the shell executor
One way to configure GitLab Runner for `docker` support is to use the You can include Docker commands in your CI/CD jobs if your runner is configured to
`shell` executor. use the `shell` executor. The `gitlab-runner` user runs the Docker commands, but
needs permission to run them.
After you register a runner and select the `shell` executor,
your job scripts are executed as the `gitlab-runner` user.
This user needs permission to run Docker commands.
1. [Install](https://gitlab.com/gitlab-org/gitlab-runner/#installation) GitLab Runner. 1. [Install](https://gitlab.com/gitlab-org/gitlab-runner/#installation) GitLab Runner.
1. [Register](https://docs.gitlab.com/runner/register/) a runner. 1. [Register](https://docs.gitlab.com/runner/register/) a runner.
...@@ -100,9 +81,11 @@ Learn more about the [security of the `docker` group](https://blog.zopyx.com/on- ...@@ -100,9 +81,11 @@ Learn more about the [security of the `docker` group](https://blog.zopyx.com/on-
### Use the Docker executor with the Docker image (Docker-in-Docker) ### Use the Docker executor with the Docker image (Docker-in-Docker)
Another way to configure GitLab Runner for `docker` support is to You can use "Docker-in-Docker" to run commands in your CI/CD jobs:
register a runner with the Docker executor and use the [Docker image](https://hub.docker.com/_/docker/)
to run your job scripts. This configuration is referred to as "Docker-in-Docker." - Register a runner that uses the Docker executor.
- Use the [Docker image](https://hub.docker.com/_/docker/) provided by Docker to
run the jobs that need Docker commands.
The Docker image has all of the `docker` tools installed The Docker image has all of the `docker` tools installed
and can run the job script in context of the image in privileged mode. and can run the job script in context of the image in privileged mode.
...@@ -111,14 +94,18 @@ The `docker-compose` command is not available in this configuration by default. ...@@ -111,14 +94,18 @@ The `docker-compose` command is not available in this configuration by default.
To use `docker-compose` in your job scripts, follow the `docker-compose` To use `docker-compose` in your job scripts, follow the `docker-compose`
[installation instructions](https://docs.docker.com/compose/install/). [installation instructions](https://docs.docker.com/compose/install/).
An example project that uses this approach can be found here: <https://gitlab.com/gitlab-examples/docker>.
WARNING: WARNING:
When you enable `--docker-privileged`, you are effectively disabling all of When you enable `--docker-privileged`, you are effectively disabling all of
the security mechanisms of containers and exposing your host to privilege the security mechanisms of containers and exposing your host to privilege
escalation which can lead to container breakout. For more information, check escalation. Doing this can lead to container breakout. For more information, check
out the official Docker documentation on out the official Docker documentation on
[runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). [runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
Docker-in-Docker works well, and is the recommended configuration, but it is #### Limitations of Docker-in-Docker
Docker-in-Docker is the recommended configuration, but it is
not without its own challenges: not without its own challenges:
- When using Docker-in-Docker, each job is in a clean environment without the past - When using Docker-in-Docker, each job is in a clean environment without the past
...@@ -144,8 +131,6 @@ not without its own challenges: ...@@ -144,8 +131,6 @@ not without its own challenges:
- docker run -v "$MOUNT_POINT:/mnt" my-docker-image - docker run -v "$MOUNT_POINT:/mnt" my-docker-image
``` ```
An example project using this approach can be found here: <https://gitlab.com/gitlab-examples/docker>.
In the examples below, we are using Docker images tags to specify a In the examples below, we are using Docker images tags to specify a
specific version, such as `docker:19.03.12`. If tags like `docker:stable` specific version, such as `docker:19.03.12`. If tags like `docker:stable`
are used, you have no control over what version is used. This can lead to are used, you have no control over what version is used. This can lead to
...@@ -373,9 +358,8 @@ build: ...@@ -373,9 +358,8 @@ build:
### Use Docker socket binding ### Use Docker socket binding
Another way to configure GitLab Runner for `docker` support is to To use Docker commands in your CI/CD jobs, you can bind-mount `/var/run/docker.sock` into the
bind-mount `/var/run/docker.sock` into the container. Docker is then available in the context of the image.
container so that Docker is available in the context of the image.
NOTE: NOTE:
If you bind the Docker socket and you are If you bind the Docker socket and you are
...@@ -478,13 +462,10 @@ services: ...@@ -478,13 +462,10 @@ services:
> [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27173) in GitLab Runner 13.6. > [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27173) in GitLab Runner 13.6.
If you are an administrator of GitLab Runner and you have the `dind` If you are a GitLab Runner administrator, you can specify the `command` to configure the registry mirror
service defined for the [Docker for the Docker daemon. The `dind` service must be defined for the
executor](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersdockerservices-section), [Docker](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersdockerservices-section)
or the [Kubernetes or [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes.html#using-services).
executor](https://docs.gitlab.com/runner/executors/kubernetes.html#using-services)
you can specify the `command` to configure the registry mirror for the
Docker daemon.
Docker: Docker:
...@@ -516,11 +497,10 @@ Kubernetes: ...@@ -516,11 +497,10 @@ Kubernetes:
##### Docker executor inside GitLab Runner configuration ##### Docker executor inside GitLab Runner configuration
If you are an administrator of GitLab Runner and you want to use If you are a GitLab Runner administrator, you can use
the mirror for every `dind` service, update the the mirror for every `dind` service. Update the
[configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html) [configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html)
to specify a [volume to specify a [volume mount](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section).
mount](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section).
For example, if you have a `/opt/docker/daemon.json` file with the following For example, if you have a `/opt/docker/daemon.json` file with the following
content: content:
...@@ -552,11 +532,10 @@ picked up by the `dind` service. ...@@ -552,11 +532,10 @@ picked up by the `dind` service.
> [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3223) in GitLab Runner 13.6. > [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3223) in GitLab Runner 13.6.
If you are an administrator of GitLab Runner and you want to use If you are a GitLab Runner administrator, you can use
the mirror for every `dind` service, update the the mirror for every `dind` service. Update the
[configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html) [configuration](https://docs.gitlab.com/runner/configuration/advanced-configuration.html)
to specify a [ConfigMap volume to specify a [ConfigMap volume mount](https://docs.gitlab.com/runner/executors/kubernetes.html#using-volumes).
mount](https://docs.gitlab.com/runner/executors/kubernetes.html#using-volumes).
For example, if you have a `/tmp/daemon.json` file with the following For example, if you have a `/tmp/daemon.json` file with the following
content: content:
...@@ -602,7 +581,7 @@ The configuration is picked up by the `dind` service. ...@@ -602,7 +581,7 @@ The configuration is picked up by the `dind` service.
When you use Docker-in-Docker, the [normal authentication When you use Docker-in-Docker, the [normal authentication
methods](using_docker_images.html#define-an-image-from-a-private-container-registry) methods](using_docker_images.html#define-an-image-from-a-private-container-registry)
won't work because a fresh Docker daemon is started with the service. don't work because a fresh Docker daemon is started with the service.
### Option 1: Run `docker login` ### Option 1: Run `docker login`
...@@ -634,14 +613,14 @@ empty or remove it. ...@@ -634,14 +613,14 @@ empty or remove it.
If you are an administrator for GitLab Runner, you can mount a file If you are an administrator for GitLab Runner, you can mount a file
with the authentication configuration to `~/.docker/config.json`. with the authentication configuration to `~/.docker/config.json`.
Then every job that the runner picks up will be authenticated already. If you Then every job that the runner picks up is authenticated already. If you
are using the official `docker:19.03.13` image, the home directory is are using the official `docker:19.03.13` image, the home directory is
under `/root`. under `/root`.
If you mount the configuration file, any `docker` command If you mount the configuration file, any `docker` command
that modifies the `~/.docker/config.json` (for example, `docker login`) that modifies the `~/.docker/config.json` (for example, `docker login`)
fails, because the file is mounted as read-only. Do not change it from fails, because the file is mounted as read-only. Do not change it from
read-only, because other problems will occur. read-only, because problems occur.
Here is an example of `/opt/.docker/config.json` that follows the Here is an example of `/opt/.docker/config.json` that follows the
[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determining-your-docker_auth_config-data) [`DOCKER_AUTH_CONFIG`](using_docker_images.md#determining-your-docker_auth_config-data)
...@@ -743,8 +722,8 @@ build: ...@@ -743,8 +722,8 @@ build:
When using Docker-in-Docker, Docker downloads all layers of your image every When using Docker-in-Docker, Docker downloads all layers of your image every
time you create a build. Recent versions of Docker (Docker 1.13 and above) can time you create a build. Recent versions of Docker (Docker 1.13 and above) can
use a pre-existing image as a cache during the `docker build` step, considerably use a pre-existing image as a cache during the `docker build` step. This considerably
speeding up the build process. speeds up the build process.
### How Docker caching works ### How Docker caching works
...@@ -754,8 +733,8 @@ any changes. Change in one layer causes all subsequent layers to be recreated. ...@@ -754,8 +733,8 @@ any changes. Change in one layer causes all subsequent layers to be recreated.
You can specify a tagged image to be used as a cache source for the `docker build` You can specify a tagged image to be used as a cache source for the `docker build`
command by using the `--cache-from` argument. Multiple images can be specified command by using the `--cache-from` argument. Multiple images can be specified
as a cache source by using multiple `--cache-from` arguments. Keep in mind that as a cache source by using multiple `--cache-from` arguments. Any image that's used
any image that's used with the `--cache-from` argument must first be pulled with the `--cache-from` argument must first be pulled
(using `docker pull`) before it can be used as a cache source. (using `docker pull`) before it can be used as a cache source.
### Using Docker caching ### Using Docker caching
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment