Request for better Docker support when running in an internal network

First of all, I am new to this area. Although I have somehow resolved the problems described here, this issue is all about my feedback and a request for a better solution :P

Description

Problems I ran into when setting up Docker + GitLab Runner in an internal network.

Q1: Using the Docker socket works better than dind when the GitLab server uses a self-signed certificate and is only reachable through internal DNS

The documentation here recommends dind when dealing with the container registry; however, this is neither easy nor straightforward if there is a self-signed certificate and the host is only reachable via internal DNS.

The root cause is that the configuration of the HOST Docker cannot be shared with Docker-in-Docker. For example, dind ignores the extra_hosts and dns settings in config.toml, as they apply to the HOST Docker only.

So, what will happen?

Given that this .gitlab-ci.yml runs:

build_image:
  image: docker:git
  services:
  - docker:dind
  script:
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN internal-gitlab.local
    - docker build -t internal-gitlab.local/my-group/my-project .
    - docker run internal-gitlab.local/my-group/my-project /script/to/run/tests
    - docker push internal-gitlab.local/my-group/my-project:latest
  only:
    - master

Problems in the runner:

  • internal-gitlab.local cannot be resolved, because the default DNS inside dind is 8.8.8.8
  • internal-gitlab.local fails SSL verification inside dind because it uses a self-signed certificate, even though you have configured the HOST Docker to trust that certificate

How to solve?

Use the Docker socket approach so that the HOST Docker's configuration is shared with the running container.

Q2: Configuring the Docker service is hard

As the documentation here suggests, service configuration is only available through environment variables.

Back to dind in Q1: there is no way to configure how dind works (for example, adding a DNS server) in .gitlab-ci.yml. All you (I) can do is edit /etc/docker/daemon.json so that the internal DNS is honored. For the self-signed certificate, you need to follow the discussion here, which is mounting your /etc/docker/certs.d into dind by creating a local dind image.
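Added example, not part of the original issue and not GitLab's or Docker's own configuration: a POSIX shell script that generates the files for both routes described in Q1 and Q2. For the dind route it writes a daemon.json that hands the internal resolver to containers the inner dockerd starts (the `docker run` test step) and a Dockerfile for a local dind image that bakes in the host's /etc/docker/certs.d trust store, which is where dockerd looks for a registry's CA (certs.d/<host>/ca.crt). For the socket route it writes a [runners.docker] snippet that binds /var/run/docker.sock and sets dns and extra_hosts on the HOST Docker. The resolver address 10.0.0.53, the registry address 10.0.0.10 and the CA file contents are constructed placeholders. One trade-off to keep in view when choosing: a job that can reach /var/run/docker.sock controls the host daemon and is therefore root-equivalent on the runner host, while dind needs privileged = true, so either route should be limited to trusted projects.

```shell
#!/bin/sh
# Added example (not from the original issue): generate the dind build context
# (daemon.json + Dockerfile with certs.d) and a socket-binding runner snippet.
set -eu

INTERNAL_DNS="${INTERNAL_DNS:-10.0.0.53}"            # constructed placeholder
REGISTRY_HOST="${REGISTRY_HOST:-internal-gitlab.local}"
REGISTRY_IP="${REGISTRY_IP:-10.0.0.10}"              # constructed placeholder

# Write a daemon.json for the inner dockerd into $1. The "dns" entry is the
# resolver dockerd gives to containers it starts (e.g. the test container).
write_dind_daemon_json() {
  cat > "$1" <<EOF
{
  "dns": ["$INTERNAL_DNS"]
}
EOF
}

# Write a Dockerfile into $1 for a local dind image that carries the registry
# CA under /etc/docker/certs.d, so docker push verifies the self-signed cert.
write_dind_dockerfile() {
  cat > "$1" <<EOF
FROM docker:dind
# certs.d/ in the build context is a copy of the host's /etc/docker/certs.d,
# so the inner dockerd trusts $REGISTRY_HOST.
COPY certs.d/ /etc/docker/certs.d/
COPY daemon.json /etc/docker/daemon.json
EOF
}

# Write a [runners.docker] snippet for the socket route (Q1) into $1: jobs
# talk to the HOST dockerd, so its DNS, extra_hosts and certs.d are reused.
write_socket_runner_toml() {
  cat > "$1" <<EOF
[runners.docker]
  image = "docker:git"
  privileged = false
  volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
  dns = ["$INTERNAL_DNS"]
  extra_hosts = ["$REGISTRY_HOST:$REGISTRY_IP"]
EOF
}

# Assemble the dind build context in directory $1.
build_dind_context() {
  ctx="$1"
  mkdir -p "$ctx/certs.d/$REGISTRY_HOST"
  # Constructed placeholder CA; in practice copy the real
  # /etc/docker/certs.d/$REGISTRY_HOST/ca.crt from the host.
  printf '%s\n' "-----BEGIN CERTIFICATE-----" "PLACEHOLDER" \
    "-----END CERTIFICATE-----" > "$ctx/certs.d/$REGISTRY_HOST/ca.crt"
  write_dind_daemon_json "$ctx/daemon.json"
  write_dind_dockerfile "$ctx/Dockerfile"
}

# Checks: return 0 when the generated files carry the expected settings.
daemon_json_has_dns() {
  grep -q "\"dns\"" "$1" && grep -q "$INTERNAL_DNS" "$1"
}
dockerfile_installs_certs() {
  grep -q "certs.d" "$1" && grep -q "$REGISTRY_HOST" "$1"
}
runner_toml_binds_socket() {
  grep -q "/var/run/docker.sock:/var/run/docker.sock" "$1"
}

# Usage: sh this_script.sh ./dind-context
# then:  docker build -t local/dind ./dind-context
if [ "${1:-}" != "" ]; then
  build_dind_context "$1"
  write_socket_runner_toml "$1/config.toml.snippet"
fi
```

Build the image with `docker build -t local/dind ./dind-context` and reference it in place of docker:dind under `services:`; the config.toml.snippet is merged into the runner's existing [runners.docker] section by hand.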

It would be nice if there were a way to configure how the Docker service runs directly inside .gitlab-ci.yml.