| `name` | yes, when used with any other option | 9.4 |Full name of the image that should be used. It should contain the Registry part if needed. |
| `name` | yes, when used with any other option | 9.4 |Full name of the image to use. It should contain the Registry part if needed. |
| `entrypoint` | no | 9.4 |Command or script that should be executed as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. |
| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. |
### Available settings for `services`
### Available settings for `services`
...
@@ -359,8 +360,8 @@ For example, the following two definitions are equal:
...
@@ -359,8 +360,8 @@ For example, the following two definitions are equal:
| Setting | Required | GitLab version | Description |
| Setting | Required | GitLab version | Description |
| `name` | yes, when used with any other option | 9.4 | Full name of the image that should be used. It should contain the Registry part if needed. |
| `name` | yes, when used with any other option | 9.4 | Full name of the image to use. It should contain the Registry part if needed. |
| `entrypoint` | no | 9.4 |Command or script that should be executed as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. |
| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. |
| `command` | no | 9.4 |Command or script that should be used as the container's command. It's translated to arguments passed to Docker after the image's name. The syntax is similar to [`Dockerfile`'s `CMD`](https://docs.docker.com/engine/reference/builder/#cmd) directive, where each shell token is a separate string in the array. |
| `command` | no | 9.4 |Command or script that should be used as the container's command. It's translated to arguments passed to Docker after the image's name. The syntax is similar to [`Dockerfile`'s `CMD`](https://docs.docker.com/engine/reference/builder/#cmd) directive, where each shell token is a separate string in the array. |
| `alias` (1) | no | 9.4 |Additional alias that can be used to access the service from the job's container. Read [Accessing the services](#accessing-the-services) for more information. |
| `alias` (1) | no | 9.4 |Additional alias that can be used to access the service from the job's container. Read [Accessing the services](#accessing-the-services) for more information. |
...
@@ -379,8 +380,8 @@ services:
...
@@ -379,8 +380,8 @@ services:
-mysql:latest
-mysql:latest
```
```
The runner would start two containers using the `mysql:latest` image, but both
The runner would start two containers, each that uses the `mysql:latest` image.
of them would be added to the job's container with the `mysql` alias based on
However, both of them would be added to the job's container with the `mysql` alias, based on
the [default hostname naming](#accessing-the-services). This would end with one
the [default hostname naming](#accessing-the-services). This would end with one
of the services not being accessible.
of the services not being accessible.
...
@@ -404,31 +405,33 @@ in `.gitlab-ci.yml` file.
...
@@ -404,31 +405,33 @@ in `.gitlab-ci.yml` file.
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options).
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options).
Let's assume you have a `super/sql:latest` image with some SQL database
Let's assume you have a `super/sql:latest` image with some SQL database
inside it and you would like to use it as a service for your job. Let's also
in it. You would like to use it as a service for your job. Let's also
assume that this image does not start the database process while starting
assume that this image does not start the database process while starting
the container and the user needs to manually use `/usr/bin/super-sql run` as
the container. The user needs to manually use `/usr/bin/super-sql run` as
a command to start the database.
a command to start the database.
Before the new extended Docker configuration options, you would need to create
Before the new extended Docker configuration options, you would need to:
your own image based on the `super/sql:latest` image, add the default command,
and then use it in job's configuration, like:
```dockerfile
- Create your own image based on the `super/sql:latest` image.
# my-super-sql:latest image's Dockerfile
- Add the default command.
- Use the image in the job's configuration:
FROM super/sql:latest
```dockerfile
CMD ["/usr/bin/super-sql", "run"]
# my-super-sql:latest image's Dockerfile
```
```yaml
FROM super/sql:latest
# .gitlab-ci.yml
CMD ["/usr/bin/super-sql", "run"]
```
services:
```yaml
# .gitlab-ci.yml
services:
-my-super-sql:latest
-my-super-sql:latest
```
```
After the new extended Docker configuration options, you can now simply
After the new extended Docker configuration options, you can
set a `command` in `.gitlab-ci.yml`, like:
set a `command` in the `.gitlab-ci.yml` file instead:
```yaml
```yaml
# .gitlab-ci.yml
# .gitlab-ci.yml
...
@@ -438,15 +441,15 @@ services:
...
@@ -438,15 +441,15 @@ services:
command:["/usr/bin/super-sql","run"]
command:["/usr/bin/super-sql","run"]
```
```
As you can see, the syntax of `command` is similar to [Dockerfile's `CMD`](https://docs.docker.com/engine/reference/builder/#cmd).
The syntax of `command` is similar to [Dockerfile's `CMD`](https://docs.docker.com/engine/reference/builder/#cmd).
### Overriding the entrypoint of an image
### Overriding the entrypoint of an image
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options).
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options).
Before showing the available entrypoint override methods, let's describe shortly
Before showing the available entrypoint override methods, let's describe
how the runner starts and uses a Docker image for the containers used in the
how the runner starts. It uses a Docker image for the containers used in the
CI jobs:
CI/CD jobs:
1. The runner starts a Docker container using the defined entrypoint (default
1. The runner starts a Docker container using the defined entrypoint (default
from `Dockerfile` that may be overridden in `.gitlab-ci.yml`)
from `Dockerfile` that may be overridden in `.gitlab-ci.yml`)
and [`after_script`](../yaml/README.md#after_script)).
and [`after_script`](../yaml/README.md#after_script)).
1. The runner sends the script to the container's shell STDIN and receives the
1. The runner sends the script to the container's shell `stdin` and receives the
output.
output.
To override the entrypoint of a Docker image, the recommended solution is to
To override the entrypoint of a Docker image, you should
define an empty `entrypoint` in `.gitlab-ci.yml`, so the runner does not start
define an empty `entrypoint` in `.gitlab-ci.yml`, so the runner does not start
a useless shell layer. However, that does not work for all Docker versions, and
a useless shell layer. However, that does not work for all Docker versions, and
you should check which one your runner is using. Specifically:
you should check which one your runner is using:
-If Docker 17.06 or later is used, the `entrypoint` can be set to an empty value.
-_If Docker 17.06 or later is used,_ the `entrypoint` can be set to an empty value.
-If Docker 17.03 or previous versions are used, the `entrypoint` can be set to
-_If Docker 17.03 or previous versions are used,_ the `entrypoint` can be set to
`/bin/sh -c`, `/bin/bash -c` or an equivalent shell available in the image.
`/bin/sh -c`, `/bin/bash -c` or an equivalent shell available in the image.
The syntax of `image:entrypoint` is similar to [Dockerfile's `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint).
The syntax of `image:entrypoint` is similar to [Dockerfile's `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint).
Let's assume you have a `super/sql:experimental` image with some SQL database
Let's assume you have a `super/sql:experimental` image with a SQL database
inside it and you would like to use it as a base image for your job because you
in it. You want to use it as a base image for your job because you
want to execute some tests with this database binary. Let's also assume that
want to execute some tests with this database binary. Let's also assume that
this image is configured with `/usr/bin/super-sql run` as an entrypoint. That
this image is configured with `/usr/bin/super-sql run` as an entrypoint. When
means that when starting the container without additional options, it runs
the container starts without additional options, it runs
the database's process, while the runner expects that the image has no
the database's process. The runner expects that the image has no
entrypoint or that the entrypoint is prepared to start a shell command.
entrypoint or that the entrypoint is prepared to start a shell command.
With the extended Docker configuration options, instead of creating your
With the extended Docker configuration options, instead of:
own image based on `super/sql:experimental`, setting the `ENTRYPOINT`
to a shell, and then using the new image in your CI job, you can now simply
- Creating your own image based on `super/sql:experimental`.
define an `entrypoint` in `.gitlab-ci.yml`.
- Setting the `ENTRYPOINT` to a shell.
- Using the new image in your CI job.
You can now define an `entrypoint` in the `.gitlab-ci.yml` file.
**For Docker 17.06+:**
**For Docker 17.06+:**
...
@@ -508,7 +514,7 @@ Look for the `[runners.docker]` section:
...
@@ -508,7 +514,7 @@ Look for the `[runners.docker]` section:
services=["mysql:latest","postgres:latest"]
services=["mysql:latest","postgres:latest"]
```
```
The image and services defined this way are added to all job run by
The image and services defined this way are added to all jobs run by
that runner.
that runner.
## Define an image from a private Container Registry
## Define an image from a private Container Registry
...
@@ -516,8 +522,8 @@ that runner.
...
@@ -516,8 +522,8 @@ that runner.
To access private container registries, the GitLab Runner process can use:
To access private container registries, the GitLab Runner process can use:
-[Statically defined credentials](#using-statically-defined-credentials). That is, a username and password for a specific registry.
-[Statically defined credentials](#using-statically-defined-credentials). That is, a username and password for a specific registry.
-[Credentials Store](#using-credentials-store). For more information, see[the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credentials-store).
-[Credentials Store](#using-credentials-store). For more information, read[the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credentials-store).
-[Credential Helpers](#using-credential-helpers). For more information, see[the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers).
-[Credential Helpers](#using-credential-helpers). For more information, read[the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers).
To define which should be used, the GitLab Runner process reads the configuration in the following order:
To define which should be used, the GitLab Runner process reads the configuration in the following order:
...
@@ -531,7 +537,7 @@ To define which should be used, the GitLab Runner process reads the configuratio
...
@@ -531,7 +537,7 @@ To define which should be used, the GitLab Runner process reads the configuratio
GitLab Runner reads this configuration **only** from `config.toml` and ignores it if
GitLab Runner reads this configuration **only** from `config.toml` and ignores it if
it's provided as an environment variable. This is because GitLab Runner uses **only**
it's provided as an environment variable. This is because GitLab Runner uses **only**
`config.toml` configuration and does not interpolate **ANY** environment variables at
`config.toml` configuration and does not interpolate **any** environment variables at
runtime.
runtime.
### Requirements and limitations
### Requirements and limitations
...
@@ -543,7 +549,7 @@ runtime.
...
@@ -543,7 +549,7 @@ runtime.
at least version **1.8** if you want to use private registries.
at least version **1.8** if you want to use private registries.
- Available for [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes.html)
- Available for [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes.html)
in GitLab Runner 13.1 and later.
in GitLab Runner 13.1 and later.
-[Credentials Store](#using-credentials-store) and [Credential Helpers](#using-credential-helpers) require binaries to be added to the GitLab Runner's `$PATH`, and require access to do so. Therefore, these features are not available on shared runners or any other runner where the user does not have access to the environment where the runner is installed.
-[Credentials Store](#using-credentials-store) and [Credential Helpers](#using-credential-helpers) require binaries to be added to the GitLab Runner's `$PATH`, and require access to do so. Therefore, these features are not available on shared runners, or any other runner where the user does not have access to the environment where the runner is installed.
### Using statically-defined credentials
### Using statically-defined credentials
...
@@ -562,7 +568,7 @@ See below for examples of each.
...
@@ -562,7 +568,7 @@ See below for examples of each.
#### Determining your `DOCKER_AUTH_CONFIG` data
#### Determining your `DOCKER_AUTH_CONFIG` data
As an example, let's assume you want to use the `registry.example.com:5000/private/image:latest`
As an example, let's assume you want to use the `registry.example.com:5000/private/image:latest`
image, which is private and requires you to sign in to a private container
image. This image is private and requires you to sign in to a private container
registry.
registry.
Let's also assume that these are the sign-in credentials:
Let's also assume that these are the sign-in credentials:
...
@@ -592,7 +598,7 @@ Use one of the following methods to determine the value of `DOCKER_AUTH_CONFIG`:
...
@@ -592,7 +598,7 @@ Use one of the following methods to determine the value of `DOCKER_AUTH_CONFIG`:
- In some setups, it's possible that Docker client uses the available system key
- In some setups, it's possible that Docker client uses the available system key
store to store the result of `docker login`. In that case, it's impossible to
store to store the result of `docker login`. In that case, it's impossible to
read `~/.docker/config.json`, so you need to prepare the required
read `~/.docker/config.json`, so you must prepare the required
base64-encoded version of `${username}:${password}` and create the Docker
base64-encoded version of `${username}:${password}` and create the Docker
configuration JSON manually. Open a terminal and execute the following command:
configuration JSON manually. Open a terminal and execute the following command:
...
@@ -691,7 +697,7 @@ To add `DOCKER_AUTH_CONFIG` to a runner:
...
@@ -691,7 +697,7 @@ To add `DOCKER_AUTH_CONFIG` to a runner:
To configure credentials store, follow these steps:
To configure credentials store, follow these steps:
1. To use a credentials store, you need an external helper program to interact with a specific keychain or external store.
1. To use a credentials store, you need an external helper program to interact with a specific keychain or external store.
Make sure helper program is available in GitLab Runner `$PATH`.
Make sure the helper program is available in GitLab Runner `$PATH`.
1. Make GitLab Runner use it. There are two ways to accomplish this. Either:
1. Make GitLab Runner use it. There are two ways to accomplish this. Either:
...
@@ -710,16 +716,16 @@ To configure credentials store, follow these steps:
...
@@ -710,16 +716,16 @@ To configure credentials store, follow these steps:
`${GITLAB_RUNNER_HOME}/.docker/config.json`. GitLab Runner reads this configuration file
`${GITLAB_RUNNER_HOME}/.docker/config.json`. GitLab Runner reads this configuration file
and uses the needed helper for this specific repository.
and uses the needed helper for this specific repository.
`credsStore` is used to access ALL the registries.
`credsStore` is used to access **all** the registries.
If you want to use both images from private registry and public images from Docker Hub,
If you use both images from a private registry and public images from Docker Hub,
pulling from Docker Hub would fail, because Docker daemon tries to use the same credentials for **ALL** the registries.
pulling from Docker Hub fails. Docker daemon tries to use the same credentials for **all** the registries.
### Using Credential Helpers
### Using Credential Helpers
> Support for using Credential Helpers was added in GitLab Runner 12.0
> Support for using Credential Helpers was added in GitLab Runner 12.0
As an example, let's assume that you want to use the `aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latest`
As an example, let's assume that you want to use the `aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latest`
image which is private and requires you to log in into a private container registry.
image. This image is private and requires you to log in into a private container registry.
To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow these steps:
To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow these steps:
...
@@ -750,7 +756,7 @@ To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow th
...
@@ -750,7 +756,7 @@ To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow th
}
}
```
```
This configures Docker to use the credential helper for all Amazon ECR registries.
This configures Docker to use the credential helper for all Amazon Elastic Container Registry (ECR) registries.
- Or, if you're running self-managed runners,
- Or, if you're running self-managed runners,
add the above JSON to `${GITLAB_RUNNER_HOME}/.docker/config.json`.
add the above JSON to `${GITLAB_RUNNER_HOME}/.docker/config.json`.
...
@@ -772,13 +778,13 @@ registries to the `"credHelpers"` hash as described above.
...
@@ -772,13 +778,13 @@ registries to the `"credHelpers"` hash as described above.
## Configuring services
## Configuring services
Many services accept environment variables which allow you to easily change
Many services accept environment variables, which you can use to change
database names or set account names depending on the environment.
database names or set account names, depending on the environment.
GitLab Runner 0.5.0 and up passes all YAML-defined variables to the created
GitLab Runner 0.5.0 and up passes all YAML-defined variables to the created
service containers.
service containers.
For all possible configuration variables check the documentation of each image
For all possible configuration variables, check the documentation of each image
provided in their corresponding Docker hub page.
provided in their corresponding Docker hub page.
All variables are passed to all services containers. It's not
All variables are passed to all services containers. It's not
...
@@ -786,12 +792,12 @@ designed to distinguish which variable should go where.
...
@@ -786,12 +792,12 @@ designed to distinguish which variable should go where.
### PostgreSQL service example
### PostgreSQL service example
See the specific documentation for
Read the specific documentation for
[using PostgreSQL as a service](../services/postgres.md).
[using PostgreSQL as a service](../services/postgres.md).
### MySQL service example
### MySQL service example
See the specific documentation for
Read the specific documentation for
[using MySQL as a service](../services/mysql.md).
[using MySQL as a service](../services/mysql.md).
## How Docker integration works
## How Docker integration works
...
@@ -800,15 +806,15 @@ Below is a high level overview of the steps performed by Docker during job
...
@@ -800,15 +806,15 @@ Below is a high level overview of the steps performed by Docker during job
time.
time.
1. Create any service container: `mysql`, `postgresql`, `mongodb`, `redis`.
1. Create any service container: `mysql`, `postgresql`, `mongodb`, `redis`.
1. Create cache container to store all volumes as defined in `config.toml` and
1. Create a cache container to store all volumes as defined in `config.toml` and
`Dockerfile` of build image (`ruby:2.6` as in above example).
`Dockerfile` of build image (`ruby:2.6` as in above example).
1. Create build container and link any service container to build container.
1. Create a build container and link any service container to build container.
1. Start build container and send job script to the container.
1. Start the build container, and send a job script to the container.
