debian-mirror-gitlab/doc/ci/docker/using_docker_images.md

476 lines
17 KiB
Markdown
Raw Normal View History

2019-09-04 21:01:54 +05:30
---
2020-06-23 00:09:42 +05:30
stage: Verify
group: Runner
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2019-09-04 21:01:54 +05:30
type: concepts, howto
---
2021-09-30 23:02:18 +05:30
# Run your CI/CD jobs in Docker containers **(FREE)**
2015-09-25 12:07:36 +05:30
2021-04-17 20:07:23 +05:30
You can run your CI/CD jobs in separate, isolated Docker containers.
2015-09-25 12:07:36 +05:30
2021-04-29 21:17:54 +05:30
If you run Docker on your local machine, you can run tests in the container,
rather than testing on a dedicated CI/CD server.
2021-03-08 18:12:59 +05:30
2021-04-17 20:07:23 +05:30
To run CI/CD jobs in a Docker container, you need to:
2021-03-08 18:12:59 +05:30
2021-04-29 21:17:54 +05:30
1. Register a runner so that all jobs run in Docker containers. Do this by choosing the Docker executor during registration.
1. Specify which container to run the jobs in. Do this by specifying an image in your `.gitlab-ci.yml` file.
1. Optional. Run other services, like MySQL, in containers. Do this by specifying [services](../services/index.md)
in your `.gitlab-ci.yml` file.
2015-12-23 02:04:40 +05:30
2021-04-17 20:07:23 +05:30
## Register a runner that uses the Docker executor
2015-12-23 02:04:40 +05:30
2021-04-17 20:07:23 +05:30
To use GitLab Runner with Docker you need to [register a runner](https://docs.gitlab.com/runner/register/)
that uses the Docker executor.
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
This example shows how to set up a temporary template to supply services:
2020-05-24 23:13:21 +05:30
```shell
cat > /tmp/test-config.template.toml << EOF
[[runners]]
[runners.docker]
[[runners.docker.services]]
name = "postgres:latest"
[[runners.docker.services]]
name = "mysql:latest"
EOF
```
2021-03-08 18:12:59 +05:30
Then use this template to register the runner:
2015-09-25 12:07:36 +05:30
2020-03-13 15:44:24 +05:30
```shell
2017-09-10 17:25:29 +05:30
sudo gitlab-runner register \
--url "https://gitlab.example.com/" \
2015-09-25 12:07:36 +05:30
--registration-token "PROJECT_REGISTRATION_TOKEN" \
2020-03-13 15:44:24 +05:30
--description "docker-ruby:2.6" \
2015-09-25 12:07:36 +05:30
--executor "docker" \
2020-05-24 23:13:21 +05:30
--template-config /tmp/test-config.template.toml \
--docker-image ruby:2.6
2015-09-25 12:07:36 +05:30
```
2020-10-24 23:57:45 +05:30
The registered runner uses the `ruby:2.6` Docker image and runs two
services, `postgres:latest` and `mysql:latest`, both of which are
2015-12-23 02:04:40 +05:30
accessible during the build process.
2015-09-25 12:07:36 +05:30
2017-08-17 22:00:37 +05:30
## What is an image
2015-09-25 12:07:36 +05:30
2017-09-10 17:25:29 +05:30
The `image` keyword is the name of the Docker image the Docker executor
2021-04-29 21:17:54 +05:30
uses to run CI/CD jobs.
2015-09-25 12:07:36 +05:30
2021-04-29 21:17:54 +05:30
By default, the executor pulls images from [Docker Hub](https://hub.docker.com/).
However, you can configure the registry location in the `gitlab-runner/config.toml` file.
For example, you can set the [Docker pull policy](https://docs.gitlab.com/runner/executors/docker.html#how-pull-policies-work)
2021-03-08 18:12:59 +05:30
to use local images.
2015-09-25 12:07:36 +05:30
2021-04-29 21:17:54 +05:30
For more information about images and Docker Hub, see
2023-01-13 00:05:48 +05:30
the [Docker overview](https://docs.docker.com/get-started/overview/).
2017-08-17 22:00:37 +05:30
2021-04-29 21:17:54 +05:30
## Define `image` in the `.gitlab-ci.yml` file
2015-12-23 02:04:40 +05:30
2021-03-08 18:12:59 +05:30
You can define an image that's used for all jobs, and a list of
2021-04-29 21:17:54 +05:30
services that you want to use during runtime:
2015-12-23 02:04:40 +05:30
```yaml
2019-09-30 21:07:59 +05:30
default:
2020-03-13 15:44:24 +05:30
image: ruby:2.6
2015-12-23 02:04:40 +05:30
2019-09-30 21:07:59 +05:30
services:
2020-05-24 23:13:21 +05:30
- postgres:11.7
2015-12-23 02:04:40 +05:30
2019-09-30 21:07:59 +05:30
before_script:
- bundle install
2015-12-23 02:04:40 +05:30
2015-09-25 12:07:36 +05:30
test:
script:
2020-07-28 23:09:34 +05:30
- bundle exec rake spec
2015-09-25 12:07:36 +05:30
```
2020-05-24 23:13:21 +05:30
The image name must be in one of the following formats:
- `image: <image-name>` (Same as using `<image-name>` with the `latest` tag)
- `image: <image-name>:<tag>`
- `image: <image-name>@<digest>`
2017-09-10 17:25:29 +05:30
## Extended Docker configuration options
2018-03-17 18:26:18 +05:30
> Introduced in GitLab and GitLab Runner 9.4.
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
You can use a string or a map for the `image` or `services` entries:
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
- Strings must include the full image name
(including the registry, if you want to download the image from a registry
2021-03-08 18:12:59 +05:30
other than Docker Hub).
2021-04-29 21:17:54 +05:30
- Maps must contain at least the `name` option,
which is the same image name as used for the string setting.
2017-09-10 17:25:29 +05:30
For example, the following two definitions are equal:
2021-04-29 21:17:54 +05:30
- A string for `image` and `services`:
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
```yaml
image: "registry.example.com/my/image:latest"
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
services:
2022-07-23 23:45:48 +05:30
- postgresql:14.3
2021-04-29 21:17:54 +05:30
- redis:latest
2021-03-08 18:12:59 +05:30
```
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
- A map for `image` and `services`. The `image:name` is
required:
2021-03-08 18:12:59 +05:30
```yaml
2021-04-29 21:17:54 +05:30
image:
name: "registry.example.com/my/image:latest"
2021-03-08 18:12:59 +05:30
services:
2022-07-23 23:45:48 +05:30
- name: postgresql:14.3
2021-04-29 21:17:54 +05:30
- name: redis:latest
2021-03-08 18:12:59 +05:30
```
2017-09-10 17:25:29 +05:30
2021-09-04 01:27:46 +05:30
## Where scripts are executed
When a CI job runs in a Docker container, the `before_script`, `script`, and `after_script` commands run in the `/builds/<project-path>/` directory. Your image may have a different default `WORKDIR` defined. To move to your `WORKDIR`, save the `WORKDIR` as an environment variable so you can reference it in the container during the job's runtime.
2021-12-11 22:18:48 +05:30
### Override the entrypoint of an image
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](../docker/using_docker_images.md#extended-docker-configuration-options).
2018-03-17 18:26:18 +05:30
2021-04-29 21:17:54 +05:30
Before explaining the available entrypoint override methods, let's describe
2021-03-08 18:12:59 +05:30
how the runner starts. It uses a Docker image for the containers used in the
CI/CD jobs:
2018-03-17 18:26:18 +05:30
2021-04-29 21:17:54 +05:30
1. The runner starts a Docker container using the defined entrypoint. The default
from `Dockerfile` that may be overridden in the `.gitlab-ci.yml` file.
2020-11-24 15:15:51 +05:30
1. The runner attaches itself to a running container.
1. The runner prepares a script (the combination of
2021-09-30 23:02:18 +05:30
[`before_script`](../yaml/index.md#before_script),
[`script`](../yaml/index.md#script),
and [`after_script`](../yaml/index.md#after_script)).
2021-03-08 18:12:59 +05:30
1. The runner sends the script to the container's shell `stdin` and receives the
2018-03-17 18:26:18 +05:30
output.
2021-04-29 21:17:54 +05:30
To override the entrypoint of a Docker image,
define an empty `entrypoint` in the `.gitlab-ci.yml` file, so the runner does not start
a useless shell layer. However, that does not work for all Docker versions.
2018-03-17 18:26:18 +05:30
2021-04-29 21:17:54 +05:30
- For Docker 17.06 and later, the `entrypoint` can be set to an empty value.
- For Docker 17.03 and earlier, the `entrypoint` can be set to
`/bin/sh -c`, `/bin/bash -c`, or an equivalent shell available in the image.
2018-03-17 18:26:18 +05:30
2020-04-22 19:07:51 +05:30
The syntax of `image:entrypoint` is similar to [Dockerfile's `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint).
2018-03-17 18:26:18 +05:30
2021-03-08 18:12:59 +05:30
Let's assume you have a `super/sql:experimental` image with a SQL database
in it. You want to use it as a base image for your job because you
2017-09-10 17:25:29 +05:30
want to execute some tests with this database binary. Let's also assume that
2021-03-08 18:12:59 +05:30
this image is configured with `/usr/bin/super-sql run` as an entrypoint. When
the container starts without additional options, it runs
the database's process. The runner expects that the image has no
2018-03-17 18:26:18 +05:30
entrypoint or that the entrypoint is prepared to start a shell command.
2017-09-10 17:25:29 +05:30
2021-03-08 18:12:59 +05:30
With the extended Docker configuration options, instead of:
- Creating your own image based on `super/sql:experimental`.
- Setting the `ENTRYPOINT` to a shell.
- Using the new image in your CI job.
You can now define an `entrypoint` in the `.gitlab-ci.yml` file.
2017-09-10 17:25:29 +05:30
2021-04-29 21:17:54 +05:30
**For Docker 17.06 and later:**
2017-09-10 17:25:29 +05:30
```yaml
2018-03-17 18:26:18 +05:30
image:
name: super/sql:experimental
entrypoint: [""]
2017-09-10 17:25:29 +05:30
```
2021-04-29 21:17:54 +05:30
**For Docker 17.03 and earlier:**
2017-09-10 17:25:29 +05:30
```yaml
image:
name: super/sql:experimental
2018-03-17 18:26:18 +05:30
entrypoint: ["/bin/sh", "-c"]
2017-09-10 17:25:29 +05:30
```
2015-12-23 02:04:40 +05:30
## Define image and services in `config.toml`
Look for the `[runners.docker]` section:
2019-09-04 21:01:54 +05:30
```toml
2015-09-25 12:07:36 +05:30
[runners.docker]
2020-04-08 14:13:33 +05:30
image = "ruby:latest"
2015-12-23 02:04:40 +05:30
services = ["mysql:latest", "postgres:latest"]
2015-09-25 12:07:36 +05:30
```
2021-03-08 18:12:59 +05:30
The image and services defined this way are added to all jobs run by
2015-12-23 02:04:40 +05:30
that runner.
2021-11-18 22:05:49 +05:30
## Access an image from a private Container Registry
2015-12-23 02:04:40 +05:30
2019-09-04 21:01:54 +05:30
To access private container registries, the GitLab Runner process can use:
2021-04-29 21:17:54 +05:30
- [Statically defined credentials](#use-statically-defined-credentials). That is, a username and password for a specific registry.
- [Credentials Store](#use-a-credentials-store). For more information, see [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credentials-store).
- [Credential Helpers](#use-credential-helpers). For more information, see [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers).
2019-09-04 21:01:54 +05:30
2021-04-29 21:17:54 +05:30
To define which option should be used, the runner process reads the configuration in this order:
2019-09-04 21:01:54 +05:30
2021-11-18 22:05:49 +05:30
- A `DOCKER_AUTH_CONFIG` [CI/CD variable](../variables/index.md).
- A `DOCKER_AUTH_CONFIG` environment variable set in the runner's `config.toml` file.
2021-04-29 21:17:54 +05:30
- A `config.json` file in `$HOME/.docker` directory of the user running the process.
If the `--user` flag is provided to run the child processes as unprivileged user,
the home directory of the main runner process user is used.
2019-09-04 21:01:54 +05:30
2019-12-04 20:38:33 +05:30
### Requirements and limitations
2020-07-28 23:09:34 +05:30
- Available for [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes.html)
in GitLab Runner 13.1 and later.
2021-04-29 21:17:54 +05:30
- [Credentials Store](#use-a-credentials-store) and [Credential Helpers](#use-credential-helpers)
require binaries to be added to the GitLab Runner `$PATH`, and require access to do so. Therefore,
these features are not available on shared runners, or any other runner where the user does not
have access to the environment where the runner is installed.
2019-12-04 20:38:33 +05:30
2021-04-29 21:17:54 +05:30
### Use statically-defined credentials
2019-10-12 21:52:04 +05:30
2021-04-29 21:17:54 +05:30
There are two approaches that you can take to access a
private registry. Both require setting the CI/CD variable
2020-04-22 19:07:51 +05:30
`DOCKER_AUTH_CONFIG` with appropriate authentication information.
2019-09-30 21:07:59 +05:30
1. Per-job: To configure one job to access a private registry, add
2021-11-18 22:05:49 +05:30
`DOCKER_AUTH_CONFIG` as a [CI/CD variable](../variables/index.md).
2020-11-24 15:15:51 +05:30
1. Per-runner: To configure a runner so all its jobs can access a
2021-11-18 22:05:49 +05:30
private registry, add `DOCKER_AUTH_CONFIG` as an environment variable in the
2020-11-24 15:15:51 +05:30
runner's configuration.
2019-09-30 21:07:59 +05:30
See below for examples of each.
2021-04-29 21:17:54 +05:30
#### Determine your `DOCKER_AUTH_CONFIG` data
2019-09-30 21:07:59 +05:30
2021-01-29 00:20:46 +05:30
As an example, let's assume you want to use the `registry.example.com:5000/private/image:latest`
2021-03-08 18:12:59 +05:30
image. This image is private and requires you to sign in to a private container
2021-01-29 00:20:46 +05:30
registry.
2018-03-17 18:26:18 +05:30
2021-01-29 00:20:46 +05:30
Let's also assume that these are the sign-in credentials:
2018-03-17 18:26:18 +05:30
2019-09-04 21:01:54 +05:30
| Key | Value |
|:---------|:----------------------------|
| registry | `registry.example.com:5000` |
| username | `my_username` |
| password | `my_password` |
2018-03-17 18:26:18 +05:30
2021-11-18 22:05:49 +05:30
Use one of the following methods to determine the value for `DOCKER_AUTH_CONFIG`:
2019-09-30 21:07:59 +05:30
2021-01-29 00:20:46 +05:30
- Do a `docker login` on your local machine:
2019-09-30 21:07:59 +05:30
2020-03-13 15:44:24 +05:30
```shell
2019-10-12 21:52:04 +05:30
docker login registry.example.com:5000 --username my_username --password my_password
```
2019-09-30 21:07:59 +05:30
2019-10-12 21:52:04 +05:30
Then copy the content of `~/.docker/config.json`.
2015-12-23 02:04:40 +05:30
2019-10-12 21:52:04 +05:30
If you don't need access to the registry from your computer, you
can do a `docker logout`:
2015-12-23 02:04:40 +05:30
2020-03-13 15:44:24 +05:30
```shell
2019-10-12 21:52:04 +05:30
docker logout registry.example.com:5000
```
2019-09-30 21:07:59 +05:30
2021-04-29 21:17:54 +05:30
- In some setups, it's possible the Docker client uses the available system key
2021-01-29 00:20:46 +05:30
store to store the result of `docker login`. In that case, it's impossible to
2021-03-08 18:12:59 +05:30
read `~/.docker/config.json`, so you must prepare the required
2021-01-29 00:20:46 +05:30
base64-encoded version of `${username}:${password}` and create the Docker
configuration JSON manually. Open a terminal and execute the following command:
2018-03-17 18:26:18 +05:30
2020-03-13 15:44:24 +05:30
```shell
2022-11-25 23:54:43 +05:30
# The use of printf (as opposed to echo) prevents encoding a newline in the password.
printf "my_username:my_password" | openssl base64 -A
2019-09-30 21:07:59 +05:30
2019-10-12 21:52:04 +05:30
# Example output to copy
bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=
```
2020-04-08 14:13:33 +05:30
2020-01-01 13:55:28 +05:30
Create the Docker JSON configuration content as follows:
```json
{
"auths": {
"registry.example.com:5000": {
"auth": "(Base64 content from above)"
}
}
}
```
2018-03-17 18:26:18 +05:30
2021-04-29 21:17:54 +05:30
#### Configure a job
2018-03-17 18:26:18 +05:30
2019-09-30 21:07:59 +05:30
To configure a single job with access for `registry.example.com:5000`,
follow these steps:
2015-12-23 02:04:40 +05:30
2021-09-30 23:02:18 +05:30
1. Create a [CI/CD variable](../variables/index.md) `DOCKER_AUTH_CONFIG` with the content of the
2017-09-10 17:25:29 +05:30
Docker configuration file as the value:
2015-12-23 02:04:40 +05:30
2019-10-12 21:52:04 +05:30
```json
{
"auths": {
"registry.example.com:5000": {
"auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
}
}
}
```
2015-12-23 02:04:40 +05:30
2018-12-13 13:39:08 +05:30
1. You can now use any private image from `registry.example.com:5000` defined in
2021-04-29 21:17:54 +05:30
`image` or `services` in your `.gitlab-ci.yml` file:
2017-08-17 22:00:37 +05:30
2019-10-12 21:52:04 +05:30
```yaml
image: registry.example.com:5000/namespace/image:tag
```
2015-12-23 02:04:40 +05:30
2020-10-24 23:57:45 +05:30
In the example above, GitLab Runner looks at `registry.example.com:5000` for the
2019-10-12 21:52:04 +05:30
image `namespace/image:tag`.
2015-12-23 02:04:40 +05:30
2017-09-10 17:25:29 +05:30
You can add configuration for as many registries as you want, adding more
registries to the `"auths"` hash as described above.
2015-12-23 02:04:40 +05:30
2019-09-04 21:01:54 +05:30
The full `hostname:port` combination is required everywhere
2020-11-24 15:15:51 +05:30
for the runner to match the `DOCKER_AUTH_CONFIG`. For example, if
2021-04-29 21:17:54 +05:30
`registry.example.com:5000/namespace/image:tag` is specified in the `.gitlab-ci.yml` file,
2018-12-13 13:39:08 +05:30
then the `DOCKER_AUTH_CONFIG` must also specify `registry.example.com:5000`.
2020-10-24 23:57:45 +05:30
Specifying only `registry.example.com` does not work.
2018-12-13 13:39:08 +05:30
2020-11-24 15:15:51 +05:30
### Configuring a runner
2019-09-30 21:07:59 +05:30
2021-04-29 21:17:54 +05:30
If you have many pipelines that access the same registry, you should
set up registry access at the runner level. This
2019-09-30 21:07:59 +05:30
allows pipeline authors to have access to a private registry just by
2021-04-29 21:17:54 +05:30
running a job on the appropriate runner. It also helps simplify registry
changes and credential rotations.
2019-09-30 21:07:59 +05:30
2021-04-29 21:17:54 +05:30
This means that any job on that runner can access the
2019-09-30 21:07:59 +05:30
registry with the same privilege, even across projects. If you need to
2020-10-24 23:57:45 +05:30
control access to the registry, you need to be sure to control
2019-09-30 21:07:59 +05:30
access to the runner.
2020-11-24 15:15:51 +05:30
To add `DOCKER_AUTH_CONFIG` to a runner:
2019-09-30 21:07:59 +05:30
2020-11-24 15:15:51 +05:30
1. Modify the runner's `config.toml` file as follows:
2019-09-30 21:07:59 +05:30
2019-10-12 21:52:04 +05:30
```toml
[[runners]]
environment = ["DOCKER_AUTH_CONFIG={\"auths\":{\"registry.example.com:5000\":{\"auth\":\"bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=\"}}}"]
```
2019-09-30 21:07:59 +05:30
2021-01-03 14:25:43 +05:30
- The double quotes included in the `DOCKER_AUTH_CONFIG`
data must be escaped with backslashes. This prevents them from being
interpreted as TOML.
- The `environment` option is a list. Your runner may
have existing entries and you should add this to the list, not replace
it.
2019-09-30 21:07:59 +05:30
2021-01-03 14:25:43 +05:30
1. Restart the runner service.
2019-09-04 21:01:54 +05:30
2021-04-29 21:17:54 +05:30
### Use a Credentials Store
2019-09-04 21:01:54 +05:30
2021-04-29 21:17:54 +05:30
To configure a Credentials Store:
2019-09-04 21:01:54 +05:30
2021-04-29 21:17:54 +05:30
1. To use a Credentials Store, you need an external helper program to interact with a specific keychain or external store.
Make sure the helper program is available in the GitLab Runner `$PATH`.
2019-09-04 21:01:54 +05:30
1. Make GitLab Runner use it. There are two ways to accomplish this. Either:
2019-10-12 21:52:04 +05:30
2019-09-30 21:07:59 +05:30
- Create a
2021-09-30 23:02:18 +05:30
[CI/CD variable](../variables/index.md)
2019-09-04 21:01:54 +05:30
`DOCKER_AUTH_CONFIG` with the content of the
2019-10-12 21:52:04 +05:30
Docker configuration file as the value:
2019-09-04 21:01:54 +05:30
2019-10-12 21:52:04 +05:30
```json
{
"credsStore": "osxkeychain"
}
```
2019-09-04 21:01:54 +05:30
2020-11-24 15:15:51 +05:30
- Or, if you're running self-managed runners, add the above JSON to
2020-10-24 23:57:45 +05:30
`${GITLAB_RUNNER_HOME}/.docker/config.json`. GitLab Runner reads this configuration file
and uses the needed helper for this specific repository.
2019-09-04 21:01:54 +05:30
2021-03-08 18:12:59 +05:30
`credsStore` is used to access **all** the registries.
If you use both images from a private registry and public images from Docker Hub,
pulling from Docker Hub fails. Docker daemon tries to use the same credentials for **all** the registries.
2019-09-04 21:01:54 +05:30
2021-04-29 21:17:54 +05:30
### Use Credential Helpers
2019-09-04 21:01:54 +05:30
2021-04-29 21:17:54 +05:30
> Introduced in GitLab Runner 12.0.
2019-09-04 21:01:54 +05:30
2022-03-02 08:16:31 +05:30
As an example, let's assume that you want to use the `<aws_account_id>.dkr.ecr.<region>.amazonaws.com/private/image:latest`
2022-11-25 23:54:43 +05:30
image. This image is private and requires you to sign in to a private container registry.
2019-09-04 21:01:54 +05:30
2022-03-02 08:16:31 +05:30
To configure access for `<aws_account_id>.dkr.ecr.<region>.amazonaws.com`, follow these steps:
2019-09-04 21:01:54 +05:30
2022-10-11 01:57:18 +05:30
1. Make sure [`docker-credential-ecr-login`](https://github.com/awslabs/amazon-ecr-credential-helper) is available in the GitLab Runner `$PATH`.
2020-06-23 00:09:42 +05:30
1. Have any of the following [AWS credentials setup](https://github.com/awslabs/amazon-ecr-credential-helper#aws-credentials).
Make sure that GitLab Runner can access the credentials.
2019-09-04 21:01:54 +05:30
1. Make GitLab Runner use it. There are two ways to accomplish this. Either:
2019-10-12 21:52:04 +05:30
2021-09-30 23:02:18 +05:30
- Create a [CI/CD variable](../variables/index.md)
2019-09-04 21:01:54 +05:30
`DOCKER_AUTH_CONFIG` with the content of the
2019-10-12 21:52:04 +05:30
Docker configuration file as the value:
2019-09-04 21:01:54 +05:30
2019-10-12 21:52:04 +05:30
```json
{
"credHelpers": {
2022-03-02 08:16:31 +05:30
"<aws_account_id>.dkr.ecr.<region>.amazonaws.com": "ecr-login"
2019-10-12 21:52:04 +05:30
}
}
```
2019-09-04 21:01:54 +05:30
2021-04-29 21:17:54 +05:30
This configures Docker to use the Credential Helper for a specific registry.
2020-06-23 00:09:42 +05:30
2021-04-29 21:17:54 +05:30
Instead, you can configure Docker to use the Credential Helper for all Amazon Elastic Container Registry (ECR) registries:
2020-06-23 00:09:42 +05:30
```json
{
"credsStore": "ecr-login"
}
```
2020-11-24 15:15:51 +05:30
- Or, if you're running self-managed runners,
2021-04-29 21:17:54 +05:30
add the previous JSON to `${GITLAB_RUNNER_HOME}/.docker/config.json`.
2020-10-24 23:57:45 +05:30
GitLab Runner reads this configuration file and uses the needed helper for this
2019-09-04 21:01:54 +05:30
specific repository.
2022-03-02 08:16:31 +05:30
1. You can now use any private image from `<aws_account_id>.dkr.ecr.<region>.amazonaws.com` defined in
2019-09-04 21:01:54 +05:30
`image` and/or `services` in your `.gitlab-ci.yml` file:
2019-10-12 21:52:04 +05:30
```yaml
2022-03-02 08:16:31 +05:30
image: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/private/image:latest
2019-10-12 21:52:04 +05:30
```
2019-09-04 21:01:54 +05:30
2022-03-02 08:16:31 +05:30
In the example, GitLab Runner looks at `<aws_account_id>.dkr.ecr.<region>.amazonaws.com` for the
2019-10-12 21:52:04 +05:30
image `private/image:latest`.
2019-09-04 21:01:54 +05:30
You can add configuration for as many registries as you want, adding more
2021-04-29 21:17:54 +05:30
registries to the `"credHelpers"` hash.
2022-04-04 11:22:00 +05:30
### Use checksum to keep your image secure
We recommend using the image checksum in your job definition in your `.gitlab-ci.yml` file to verify the integrity of the image. A failed image integrity verification will prevent you from using a modified container.
To use the image checksum you have to append the checksum at the end:
```yaml
image: ruby:2.6.8@sha256:d1dbaf9665fe8b2175198e49438092fdbcf4d8934200942b94425301b17853c7
```
To get the image checksum, on the image `TAG` tab, view the `DIGEST` column.
For example, view the [Ruby image](https://hub.docker.com/_/ruby?tab=tags).
The checksum is a random string, like `6155f0235e95`.
You can also get the checksum of any image on your system with the command `docker images --digests`:
```shell
docker images --digests
REPOSITORY TAG DIGEST (...)
gitlab/gitlab-ee latest sha256:723aa6edd8f122d50cae490b1743a616d54d4a910db892314d68470cc39dfb24 (...)
gitlab/gitlab-runner latest sha256:4a18a80f5be5df44cb7575f6b89d1fdda343297c6fd666c015c0e778b276e726 (...)
```