Ask for better support in Docker when running in an internal network
To begin with, I am new to this area. Although I have somehow resolved the problems described here, this issue is all about my feedback and a request for a better solution :P
## Description

Problems I ran into when setting up Docker + GitLab Runner in an internal network.
### Docker socket is better than dind when running a GitLab server with a self-signed cert and internal DNS
**Q1:** The documentation here recommends `dind` when dealing with the container registry; however, this is not easy and straightforward if there is a self-signed cert and the host is only reachable through internal DNS.
The root cause is that the configuration of the HOST Docker cannot be shared with Docker-in-Docker.
For example, `dind` ignores the `extra_hosts` and `dns` settings in `config.toml`, as they apply to the HOST Docker only.
So, what will happen? Given this YAML:

```yaml
build_image:
  image: docker:git
  services:
    - docker:dind
  script:
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN internal-gitlab.local
    - docker build -t internal-gitlab.local/my-group/my-project .
    - docker run internal-gitlab.local/my-group/my-project /script/to/run/tests
    - docker push internal-gitlab.local/my-group/my-project:latest
  only:
    - master
```
Problems in a runner:

- `internal-gitlab.local` cannot be resolved, because the default DNS inside `dind` is 8.8.8.8
- `internal-gitlab.local` fails SSL verification inside `dind`, because it uses a self-signed certificate, even though you have configured the HOST Docker to trust this certificate
How to solve? Use the Docker socket solution, so that the configuration of the HOST Docker is shared with the running container.
### Q2: Configuring the Docker service is hard
As the documentation here suggests, service configuration is only available through environment variables.
Back to `dind` in Q1: there is no way for you to configure how `dind` works (for example, adding a DNS server) in `.gitlab-ci.yml`. All you (I) can do is edit `/etc/docker/daemon.json` so that the internal DNS is honored. For a self-signed certificate, you need to follow the discussion here, which is mounting your `/etc/docker/certs.d` into `dind` by creating a local `dind` image.
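The local `dind` image workaround just described, written out as an added example (this is not code from the issue or from GitLab). It builds a `docker:dind`-based image whose `daemon.json` points at an internal DNS server and whose `/etc/docker/certs.d` contains the registry's CA, so both failure modes from Q1 (resolution and certificate verification) are addressed inside the `dind` daemon rather than only on the host. The registry host `internal-gitlab.local` comes from the issue; `INTERNAL_DNS`, `IMAGE_TAG` and the CA path are assumed placeholders you would set for your environment.

```shell
#!/bin/sh
# Added example (not from the issue): build a local dind image that honours an
# internal DNS server and trusts a self-signed registry CA.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-internal-gitlab.local}"          # host used in the issue
INTERNAL_DNS="${INTERNAL_DNS:-10.0.0.53}"                         # placeholder: your internal resolver
CA_CERT="${CA_CERT:-/etc/docker/certs.d/$REGISTRY_HOST/ca.crt}"  # assumed: CA already trusted by the HOST Docker
IMAGE_TAG="${IMAGE_TAG:-local/dind-internal:latest}"             # placeholder tag for the custom image

# daemon.json for the dind daemon. "dns" is a real dockerd setting; with it the
# daemon stops falling back to 8.8.8.8 and can resolve the internal registry host.
render_daemon_json() {
  printf '{\n  "dns": ["%s"]\n}\n' "$1"
}

# Dockerfile: start from the upstream dind image and bake in daemon.json plus a
# copy of the host's certs.d tree, so the registry's self-signed CA is trusted
# by the dind daemon when it pulls from or pushes to $REGISTRY_HOST.
render_dockerfile() {
  cat <<EOF
FROM docker:dind
COPY daemon.json /etc/docker/daemon.json
COPY certs.d/ /etc/docker/certs.d/
EOF
}

# Assemble a throwaway build context and build the image on the runner host.
build_image() {
  workdir="$(mktemp -d)"
  render_daemon_json "$INTERNAL_DNS" > "$workdir/daemon.json"
  mkdir -p "$workdir/certs.d/$REGISTRY_HOST"
  cp "$CA_CERT" "$workdir/certs.d/$REGISTRY_HOST/ca.crt"
  render_dockerfile > "$workdir/Dockerfile"
  docker build -t "$IMAGE_TAG" "$workdir"
  rm -rf "$workdir"
}

# Only build when explicitly asked, so sourcing the file for inspection is harmless.
if [ "${1:-}" = "build" ]; then
  build_image
fi
```

Run it as `sh build-dind.sh build` on the runner host (where the CA file already exists), then reference `local/dind-internal:latest` instead of `docker:dind` under `services:` in the job. The runner must be able to pull that tag, so either build it on every runner host or push it to a registry the runner can reach.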
It would be nice if there were a way for me to configure how the Docker service should run directly inside `.gitlab-ci.yml`.