- \n
- Create a docker volume to store the gitlab runner config\n
docker volume create gitlab_runner_config<\/code><\/pre>\n<\/li>\n- Start the runner\n
docker run -d --name gitlab-runner --restart always -v $XDG_RUNTIME_DIR\/docker.sock:\/var\/run\/docker.sock -v gitlab_runner_config:\/etc\/gitlab-runner gitlab\/gitlab-runner:latest<\/code><\/pre>\nIn the command shown above, the Docker socket is mounted to the container to enable the GitLab Runner to generate additional containers while executing the job. If you're using a rootful Docker, you can use
\/var\/run\/docker.sock<\/code>, but since I'm using a rootless Docker, theXDG_RUNTIME_DIR<\/code> is defined on my machine. Additionally, we attach a named volume that we created earlier, which will store the configurations that are automatically generated by the runner upon registration.<\/p>\n<\/li>\n<\/ol>\nRegister the gitlab runner<\/h3>\n
docker run --rm -it -v gitlab_runner_config:\/etc\/gitlab-runner gitlab\/gitlab-runner:latest register -n \\\n --url https:\/\/your.gitlab.url\/ \\\n --registration-token <GITLAB_TOKEN>\\\n --executor docker \\\n --description <Enter your description> \\\n --docker-image "docker:23.0.3-cli" \\\n --docker-privileged \\\n --docker-volumes gitlab_certs_client:\/certs\/client \\\n --tag-list <Enter your tag list>\n<\/code><\/pre>\n- \n
- \n
docker run<\/strong>: This starts a new Docker container.<\/p>\n<\/li>\n
- \n
--rm<\/strong>: This option automatically removes the container after it exits.<\/p>\n<\/li>\n
- \n
-it<\/strong>: This option allocates a pseudo-TTY and opens an interactive terminal.<\/p>\n<\/li>\n
- \n
-v<\/strong> gitlab-runner-config:\/etc\/gitlab-runner: This mounts a named volume named "gitlab-runner-config" to the \/etc\/gitlab-runner directory in the container. This allows the container to access the GitLab Runner configuration file.<\/p>\n<\/li>\n
- \n
gitlab\/gitlab-runner:latest<\/strong>: This specifies the GitLab Runner Docker image to use.<\/p>\n<\/li>\n
- \n
register<\/strong>: This tells the GitLab Runner to register itself with the GitLab server.<\/p>\n<\/li>\n
- \n
-n<\/strong>: This option specifies that the runner should not perform any builds automatically after registration.<\/p>\n<\/li>\n
- \n
--url<\/strong> https:\/\/your.gitlab.url\/<\/a>: This specifies the URL of the GitLab instance to register the runner with.<\/p>\n<\/li>\n
- \n
--registration-token<\/strong>
: This specifies the registration token to use. You can obtain this token from your GitLab instance.<\/p>\n<\/li>\n - \n
--executor docker<\/strong>: This specifies that the GitLab Runner should use Docker as its execution environment.<\/p>\n<\/li>\n
- \n
--description
<\/strong>: This allows you to enter a description for the runner.<\/p>\n<\/li>\n - \n
--docker-image "docker:23.0.3-cli"<\/strong>: This specifies the Docker image to use for running the build.<\/p>\n<\/li>\n
- \n
--docker-privileged<\/strong>: This enables privileged mode for the Docker container.<\/p>\n<\/li>\n
- \n
--docker-volumes gitlab_certs_client:\/certs\/client<\/strong>: This mounts a named volume named "gitlab_certs_client" to the \/certs\/client directory in the container. This allows the service and build container to communicate with one another with TLS.<\/p>\n<\/li>\n
- \n
--tag-list<\/strong>
: This allows you to specify any tags to assign to the runner.<\/p>\n<\/li>\n<\/ul>\n To build an docker image, here is an example of the
.gitlab-ci.yml<\/code><\/p>\nvariables:\n DOCKER_TLS_CERTDIR: "\/certs"\n\nservices:\n - docker:23.0.3-dind\n\nbuild:\n stage: build\n script:\n - docker build -t my-docker-image .\n - docker run my-docker-image \/script\/to\/run\/tests<\/code><\/pre>\nTo utilize the official Docker Hub registry for pulling and pushing images, simply modify the aforementioned example. For those, like myself, who employ a private Docker registry, additional configuration steps are necessary.<\/p>\n
Configuration for Docker-in-Docker<\/h2>\n
As TLS is in use, it is essential to direct Docker to employ the correct CA certificate when connecting to the private registry; failing to do so may result in an x509: certificate signed by unknown authority error.<\/p>\n
Let\\'s first create a docker volume to hold the docker daemon configurations for the dind container.<\/p>\n
docker volume create gitlab_runner_docker_config<\/code><\/pre>\nNext, navigate to the newly created directory and create a
daemon.json<\/code> file with the following content.<\/p>\n{\n "registry-mirrors": [\n "https:\/\/registry-mirror.example.com:28000"\n ]\n}<\/code><\/pre>\nWithin the same directory create a directory in this format
cert.d\/<registry.url>:<port><\/code> to hold the CA certificate.<\/p>\nmkdir -p cert.d\/registry-mirror.example.com:28000<\/code><\/pre>\nNext, copy your CA certificate to the newly created directory.<\/p>\n
Proceed to update the
config.toml<\/code> file located in thegitlab_runner_config<\/code> directory. Withinconfig.toml<\/code>, add thegitlab_runner_docker_config<\/code> to the volumes parameter.<\/p>\nconcurrent = 1\ncheck_interval = 0\nshutdown_timeout = 0\n\n[session_server]\n session_timeout = 1800\n\n[[runners]]\n name = "gitlab runner docker executor"\n url = "https:\/\/your.gitlab.url\/"\n id = 1\n token = "TOKEN"\n token_obtained_at = 2023-04-17T05:42:11Z\n token_expires_at = 0001-01-01T00:00:00Z\n executor = "docker"\n\n [runners.cache]\n MaxUploadedArchiveSize = 0\n [runners.docker]\n tls_verify = false\n image = "docker:23.0.3-cli"\n privileged = true\n disable_entrypoint_overwrite = false\n oom_kill_disable = false\n disable_cache = false\n volumes = [\n "gitlab_runner_docker_config:\/etc\/docker",\n "gitlab_certs_client:\/certs\/client",\n "\/cache"\n ]\n shm_size = 0\n<\/code><\/pre>\nReload the gitlab runner configuration by executing the following command in your gitlab runner container<\/p>\n
gitlab-runner restart<\/code><\/pre>\nAfter implementing the changes, the updated Docker daemon configurations will be available within the Docker-in-Docker (dind) containers as they run. However, there is one more step: guiding the Docker daemon to log into the private registry.<\/p>\n
build:\n before_script:\n - echo "$DOCKER_REGISTRY_PASS" | docker login $DOCKER_REGISTRY --username $DOCKER_REGISTRY_USER --password-stdin<\/code><\/pre>\nNow you should be able to build, pull and push images within your gitlab runner using docker-in-docker image.<\/p>\n
What if you are using a self-hosted gitlab?<\/h2>\n
If you are using a self-hosted gitlab like me, you will need update the CA certificate on the default docker job container and the dind service container.<\/p>\n
Add the following
pre_build_script<\/code> intoconfig.toml<\/code> which will update the ca-certificate within the dind container. (Modify the script if you are using a Ubuntu based dind image)<\/p>\npre_bulid_script = """\n apk update >\/dev\/null\n apk add ca-certificates > \/dev\/null\n cp \/etc\/gitlab-runner\/certs\/ca.crt \/usr\/local\/share\/ca-certificates\/ca.crt\n update-ca-certificates --refresh > \/dev\/null\n"""<\/code><\/pre>\nNext, we need to ensure that the
ca.crt<\/code> is available at\/etc\/gitlab-runner\/certs<\/code>. To achieve that , we ill need to mount a new volume inconfig.toml<\/code><\/p>\nvolumes = [\n ...\n "\/path\/to\/your\/ca.crt:\/etc\/gitlab-runner\/certs\/ca.crt:ro",\n ...\n]<\/code><\/pre>\nYour final
config.toml<\/code> may look like this.<\/p>\nconcurrent = 1\ncheck_interval = 0\nshutdown_timeout = 0\n\n[session_server]\n session_timeout = 1800\n\n[[runners]]\n name = "gitlab runner docker executor"\n url = "https:\/\/your.gitlab.url\/"\n id = 6\n token = "TOKEN"\n token_obtained_at = 2023-04-17T05:42:11Z\n token_expires_at = 0001-01-01T00:00:00Z\n executor = "docker"\n pre_build_script = """\n apk update >\/dev\/null\n apk add ca-certificates > \/dev\/null\n rm -rf \/var\/cache\/apk\/*\n cp \/etc\/gitlab-runner\/certs\/ca.crt \/usr\/local\/share\/ca-certificates\/ca.crt\n update-ca-certificates --fresh > \/dev\/null\n mkdir -p \/etc\/docker\/certs.d\/registry-mirror.example.com:28000\n cp \/etc\/gitlab-runner\/certs\/ca.crt \/etc\/docker\/certs.d\/registry-mirror.example.com:28000\/ca.crt\n """\n\n [runners.cache]\n MaxUploadedArchiveSize = 0\n [runners.docker]\n tls_verify = false\n image = "docker:23.0.3-cli"\n privileged = true\n disable_entrypoint_overwrite = false\n oom_kill_disable = false\n disable_cache = false\n volumes = [\n "gitlab_runner_docker_config:\/etc\/docker",\n "gitlab_certs_client:\/certs\/client",\n "\/home\/docker\/.docker\/certs\/internal-ca.crt:\/etc\/gitlab-runner\/certs\/ca.crt:ro",\n "\/cache"\n ]\n shm_size = 0\n<\/code><\/pre>\nLastly, make sure that the CA cert is copied to your
\/path\/to\/docker\/volumes\/gitlab_runner_config\/_data\/certs\/<\/code> and named asca.crt<\/code>.<\/p>\nRestart your gitlab runner and your pipeline should be working smoothly now.<\/p>\n
![\"\"](\"https:\/\/codestrian.com\/wp-content\/uploads\/2023\/04\/gitlab_success-1024x92.png\")
<\/p>\nReferences<\/h2>\n
https:\/\/docs.gitlab.com\/ee\/ci\/docker\/using_docker_build.html<\/a>
\nhttps:\/\/docs.gitlab.com\/ee\/ci\/docker\/authenticate_registry.html<\/a>
\nhttps:\/\/docs.gitlab.com\/ee\/ci\/yaml\/<\/a>
\nhttps:\/\/docs.gitlab.com\/runner\/configuration\/tls-self-signed.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Running GitLab Runner in a Docker container can be a great way to isolate your build environment and easily deploy your runners to different machines. Here are the steps to set up GitLab Runner in a Docker container: Run the gitlab runner in a container Create a docker volume to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[62],"tags":[73,13,43],"_links":{"self":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts\/621"}],"collection":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/comments?post=621"}],"version-history":[{"count":9,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts\/621\/revisions"}],"predecessor-version":[{"id":631,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/posts\/621\/revisions\/631"}],"wp:attachment":[{"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/media?parent=621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/categories?post=621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codestrian.com\/index.php\/wp-json\/wp\/v2\/tags?post=621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- \n
- Start the runner\n