Create network per build to link containers together (#1042) · Issues · GitLab.org / gitlab-runner

Create network per build to link containers together

Overview

Right now when a user defines a services we are using the legacy Docker --link which can be removed any time. Apart from us depending on deprecated function, it's very limiting as well since the connection is only 1 way.

Scenarios it would solve

Service containers can communicate with one another
The service can communicate with the build container is it desires
It will unblock work for Windows Docker executor to support services
Possibly solves this bug #2699 (closed)
security issues like #4430 (closed)

Proposal

We can solve all the above problem if we create a network per build, where every service and build container can talk to one another. The lifetime of the network is duration on the build and cleaned up after the build finishes. We have a community contribution that already gets us 90% of the way !1041 (closed), the contribution said that they will not work anymore on this we GitLab has to pick up from where they left of.

The flow would look something like this:

Create a network
Start services inside of that network
Start build container inside of that network
Build finishes
Network removed

Things to keep in mind

With workspaces we are planning to keep the environment after the build is done we have to keep in mind if that works as expected.
This might conflict with network_mode and might result in a breaking change. We have to be careful about how this would work and to handle it properly.

Original proposal

Hi,

I recently run into an issue when running build using gitlab runner with docker images. I want to test my web app (one container) with selenium (second container). The problem is that the selenium container is a service and it does not know the IP of the main (web) container.

The solution is very simple - create a network

docker network create CI_BUILD_ID

And then run a simple command for each container:

docker network connect CI_BUILD_ID CONTAINER_ID

It can be also achieved by adding a network and then adding --net=NETWORK_ID to docker run commands.

After all build containers are in the same network - they can see each other.

## Overview

Right now when a user defines a [`services`](https://docs.gitlab.com/ee/ci/services/) we are using the [legacy Docker `--link`](https://docs.docker.com/network/links/) which can be removed any time. Apart from us depending on deprecated function, it's very limiting as well since the connection is only 1 way.

### Scenarios it would solve

- [Service containers can communicate with one another](https://gitlab.com/gitlab-org/gitlab-runner/issues/4244)
- The service can communicate with the build container is it desires
- It will unblock work for Windows Docker executor to [support services](https://gitlab.com/gitlab-org/gitlab-runner/issues/4186)
- Possibly solves this ~bug https://gitlab.com/gitlab-org/gitlab-runner/issues/2699
- ~security issues like https://gitlab.com/gitlab-org/gitlab-runner/issues/4430

## Proposal

We can solve all the above problem if we create a network per build, where every service and build container can talk to one another. The lifetime of the network is duration on the build and cleaned up after the build finishes. We have a community contribution that already gets us 90% of the way https://gitlab.com/gitlab-org/gitlab-runner/merge_requests/1041, the contribution said that they will not [work anymore on this](https://gitlab.com/gitlab-org/gitlab-runner/merge_requests/1041#note_166000412) we GitLab has to pick up from where they left of.

The flow would look something like this:

1. Create a network
1. Start services inside of that network
1. Start build container inside of that network
1. Build finishes
1. Network removed

### Things to keep in mind

- With [workspaces](https://gitlab.com/gitlab-org/gitlab-ce/issues/62802) we are planning to keep the environment after the build is done we have to keep in mind if that works as expected.
- This might conflict with `network_mode` and might result in a breaking change. We have to be careful about how this would work and to handle it properly.

## Original proposal

Hi,

I recently run into an issue when running build using gitlab runner with docker images.
I want to test my web app (one container) with selenium (second container). The problem is that the selenium container is a service and it does not know the IP of the main (web) container.

The solution is very simple - create a network

`docker network create CI_BUILD_ID `

And then run a simple command for each container:

`docker network connect CI_BUILD_ID CONTAINER_ID`

It can be also achieved by adding a network and then adding `--net=NETWORK_ID` to docker run commands.