2019-09-04 21:01:54 +05:30
---
2020-06-23 00:09:42 +05:30
stage: Verify
group: Runner
2021-02-22 17:27:13 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2019-09-04 21:01:54 +05:30
type: concepts, howto
---
2017-09-10 17:25:29 +05:30
# Using Docker images
2015-09-25 12:07:36 +05:30
2020-04-22 19:07:51 +05:30
GitLab CI/CD in conjunction with [GitLab Runner ](../runners/README.md ) can use
2015-12-23 02:04:40 +05:30
[Docker Engine ](https://www.docker.com/ ) to test and build any application.
2015-09-25 12:07:36 +05:30
2021-03-08 18:12:59 +05:30
Docker is an open-source project that has predefined images you can use to
run applications in independent "containers." These containers run in a single Linux
instance. [Docker Hub ](https://hub.docker.com/ ) is a database of pre-built images you can
use to test and build your applications.
When you use Docker with GitLab CI/CD, Docker runs each job in a separate and isolated
container. You specify the container image in the project's
[`.gitlab-ci.yml` ](../yaml/README.md ) file.
Docker containers provide a reproducible build environment that
can run on your workstation. When a Docker container is running, you can test
commands from your shell, rather than having to
2015-12-23 02:04:40 +05:30
test them on a dedicated CI server.
2017-09-10 17:25:29 +05:30
## Register Docker Runner
2015-12-23 02:04:40 +05:30
2020-11-24 15:15:51 +05:30
To use GitLab Runner with Docker you need to [register a new runner ](https://docs.gitlab.com/runner/register/ )
2017-09-10 17:25:29 +05:30
to use the `docker` executor.
2021-03-08 18:12:59 +05:30
In this example, we first set up a temporary template to supply the services:
2020-05-24 23:13:21 +05:30
```shell
cat > /tmp/test-config.template.toml < < EOF
[[runners]]
[runners.docker]
[[runners.docker.services]]
name = "postgres:latest"
[[runners.docker.services]]
name = "mysql:latest"
EOF
```
2021-03-08 18:12:59 +05:30
Then use this template to register the runner:
2015-09-25 12:07:36 +05:30
2020-03-13 15:44:24 +05:30
```shell
2017-09-10 17:25:29 +05:30
sudo gitlab-runner register \
--url "https://gitlab.example.com/" \
2015-09-25 12:07:36 +05:30
--registration-token "PROJECT_REGISTRATION_TOKEN" \
2020-03-13 15:44:24 +05:30
--description "docker-ruby:2.6" \
2015-09-25 12:07:36 +05:30
--executor "docker" \
2020-05-24 23:13:21 +05:30
--template-config /tmp/test-config.template.toml \
--docker-image ruby:2.6
2015-09-25 12:07:36 +05:30
```
2020-10-24 23:57:45 +05:30
The registered runner uses the `ruby:2.6` Docker image and runs two
services, `postgres:latest` and `mysql:latest` , both of which are
2015-12-23 02:04:40 +05:30
accessible during the build process.
2015-09-25 12:07:36 +05:30
2017-08-17 22:00:37 +05:30
## What is an image
2015-09-25 12:07:36 +05:30
2017-09-10 17:25:29 +05:30
The `image` keyword is the name of the Docker image the Docker executor
2020-10-24 23:57:45 +05:30
runs to perform the CI tasks.
2015-09-25 12:07:36 +05:30
2021-03-08 18:12:59 +05:30
By default, the executor pulls images only from [Docker Hub ](https://hub.docker.com/ ).
However, you can configure the location in the `gitlab-runner/config.toml` file. For example,
you can set the [Docker pull policy ](https://docs.gitlab.com/runner/executors/docker.html#how-pull-policies-work )
to use local images.
2015-09-25 12:07:36 +05:30
2021-03-08 18:12:59 +05:30
For more information about images and Docker Hub, read
2020-04-22 19:07:51 +05:30
the [Docker Fundamentals ](https://docs.docker.com/engine/understanding-docker/ ) documentation.
2017-08-17 22:00:37 +05:30
## What is a service
2015-09-25 12:07:36 +05:30
2021-03-08 18:12:59 +05:30
The `services` keyword defines another Docker image that's run during
your job. It's linked to the Docker image that the `image` keyword defines,
which allows you to access the service image during build time.
2015-09-25 12:07:36 +05:30
2015-12-23 02:04:40 +05:30
The service image can run any application, but the most common use case is to
2020-10-24 23:57:45 +05:30
run a database container, for example, `mysql` . It's easier and faster to use an
2021-03-08 18:12:59 +05:30
existing image and run it as an additional container than to install `mysql` every
2015-12-23 02:04:40 +05:30
time the project is built.
2015-09-25 12:07:36 +05:30
2021-03-08 18:12:59 +05:30
You're not limited to only database services. You can add as many
2017-09-10 17:25:29 +05:30
services you need to `.gitlab-ci.yml` or manually modify `config.toml` .
2020-04-22 19:07:51 +05:30
Any image found at [Docker Hub ](https://hub.docker.com/ ) or your private Container Registry can be
2017-09-10 17:25:29 +05:30
used as a service.
2019-02-15 15:39:39 +05:30
Services inherit the same DNS servers, search domains, and additional hosts as
the CI container itself.
2015-12-23 02:04:40 +05:30
You can see some widely used services examples in the relevant documentation of
2021-03-11 19:13:27 +05:30
[CI services examples ](../services/index.md ).
2015-09-25 12:07:36 +05:30
2017-08-17 22:00:37 +05:30
### How services are linked to the job
2015-09-25 12:07:36 +05:30
2021-03-08 18:12:59 +05:30
To better understand how container linking works, read
2020-04-22 19:07:51 +05:30
[Linking containers together ](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/ ).
2015-09-25 12:07:36 +05:30
2021-03-08 18:12:59 +05:30
If you add `mysql` as service to your application, the image is
used to create a container that's linked to the job container.
2015-09-25 12:07:36 +05:30
2020-10-24 23:57:45 +05:30
The service container for MySQL is accessible under the hostname `mysql` .
2021-03-08 18:12:59 +05:30
To access your database service, connect to the host named `mysql` instead of a
socket or `localhost` . Read more in [accessing the services ](#accessing-the-services ).
2015-09-25 12:07:36 +05:30
2018-05-09 12:01:36 +05:30
### How the health check of services works
2021-03-08 18:12:59 +05:30
Services are designed to provide additional features which are **network accessible** .
They may be a database like MySQL, or Redis, and even `docker:stable-dind` which
allows you to use Docker-in-Docker. It can be practically anything that's
required for the CI/CD job to proceed, and is accessed by network.
2018-05-09 12:01:36 +05:30
2020-11-24 15:15:51 +05:30
To make sure this works, the runner:
2018-05-09 12:01:36 +05:30
2019-09-04 21:01:54 +05:30
1. Checks which ports are exposed from the container by default.
1. Starts a special container that waits for these ports to be accessible.
2018-05-09 12:01:36 +05:30
2021-03-08 18:12:59 +05:30
If the second stage of the check fails, it prints the warning: `*** WARNING: Service XYZ probably didn't start properly` .
This issue can occur because:
- There is no opened port in the service.
- The service was not started properly before the timeout, and the port is not
responding.
2018-05-09 12:01:36 +05:30
2020-10-24 23:57:45 +05:30
In most cases it affects the job, but there may be situations when the job
still succeeds even if that warning was printed. For example:
2018-05-09 12:01:36 +05:30
2021-03-08 18:12:59 +05:30
- The service was started shortly after the warning was raised, and the job is
2019-09-04 21:01:54 +05:30
not using the linked service from the beginning. In that case, when the
2018-05-09 12:01:36 +05:30
job needed to access the service, it may have been already there waiting for
connections.
- The service container is not providing any networking service, but it's doing
something with the job's directory (all services have the job directory mounted
2020-10-24 23:57:45 +05:30
as a volume under `/builds` ). In that case, the service does its job, and
2021-03-08 18:12:59 +05:30
because the job is not trying to connect to it, it does not fail.
2018-05-09 12:01:36 +05:30
### What services are not for
2021-03-08 18:12:59 +05:30
As mentioned before, this feature is designed to provide **network accessible**
2018-05-09 12:01:36 +05:30
services. A database is the simplest example of such a service.
2021-03-08 18:12:59 +05:30
The services feature is not designed to, and does not, add any software from the
2018-05-09 12:01:36 +05:30
defined `services` image(s) to the job's container.
For example, if you have the following `services` defined in your job, the `php` ,
2021-03-08 18:12:59 +05:30
`node` or `go` commands are **not** available for your script, and the job fails:
2018-05-09 12:01:36 +05:30
```yaml
job:
services:
2020-07-28 23:09:34 +05:30
- php:7
- node:latest
- golang:1.10
2018-05-09 12:01:36 +05:30
image: alpine:3.7
script:
2020-07-28 23:09:34 +05:30
- php -v
- node -v
- go version
2018-05-09 12:01:36 +05:30
```
If you need to have `php` , `node` and `go` available for your script, you should
either:
2019-09-04 21:01:54 +05:30
- Choose an existing Docker image that contains all required tools.
2021-03-08 18:12:59 +05:30
- Create your own Docker image, with all the required tools included,
2019-09-04 21:01:54 +05:30
and use that in your job.
2018-05-09 12:01:36 +05:30
2017-09-10 17:25:29 +05:30
### Accessing the services
2015-09-25 12:07:36 +05:30
2017-09-10 17:25:29 +05:30
Let's say that you need a Wordpress instance to test some API integration with
2021-03-08 18:12:59 +05:30
your application. You can then use for example the
[`tutum/wordpress` ](https://hub.docker.com/r/tutum/wordpress/ ) image in your
`.gitlab-ci.yml` file:
2015-09-25 12:07:36 +05:30
2017-09-10 17:25:29 +05:30
```yaml
services:
2020-07-28 23:09:34 +05:30
- tutum/wordpress:latest
2017-09-10 17:25:29 +05:30
```
2015-09-25 12:07:36 +05:30
2018-03-17 18:26:18 +05:30
If you don't [specify a service alias ](#available-settings-for-services ),
2021-03-08 18:12:59 +05:30
when the job runs, `tutum/wordpress` is started. You have
access to it from your build container under two hostnames:
2017-09-10 17:25:29 +05:30
- `tutum-wordpress`
- `tutum__wordpress`
2021-03-08 18:12:59 +05:30
Hostnames with underscores are not RFC valid and may cause problems in third-party
2017-09-10 17:25:29 +05:30
applications.
The default aliases for the service's hostname are created from its image name
following these rules:
2019-09-04 21:01:54 +05:30
- Everything after the colon (`:`) is stripped.
2017-09-10 17:25:29 +05:30
- Slash (`/`) is replaced with double underscores (`__`) and the primary alias
2019-09-04 21:01:54 +05:30
is created.
2017-09-10 17:25:29 +05:30
- Slash (`/`) is replaced with a single dash (`-`) and the secondary alias is
2019-09-04 21:01:54 +05:30
created (requires GitLab Runner v1.1.0 or higher).
2017-09-10 17:25:29 +05:30
To override the default behavior, you can
2018-03-17 18:26:18 +05:30
[specify a service alias ](#available-settings-for-services ).
2017-09-10 17:25:29 +05:30
## Define `image` and `services` from `.gitlab-ci.yml`
2015-12-23 02:04:40 +05:30
2021-03-08 18:12:59 +05:30
You can define an image that's used for all jobs, and a list of
2017-09-10 17:25:29 +05:30
services that you want to use during build time:
2015-12-23 02:04:40 +05:30
```yaml
2019-09-30 21:07:59 +05:30
default:
2020-03-13 15:44:24 +05:30
image: ruby:2.6
2015-12-23 02:04:40 +05:30
2019-09-30 21:07:59 +05:30
services:
2020-05-24 23:13:21 +05:30
- postgres:11.7
2015-12-23 02:04:40 +05:30
2019-09-30 21:07:59 +05:30
before_script:
- bundle install
2015-12-23 02:04:40 +05:30
2015-09-25 12:07:36 +05:30
test:
script:
2020-07-28 23:09:34 +05:30
- bundle exec rake spec
2015-09-25 12:07:36 +05:30
```
2020-05-24 23:13:21 +05:30
The image name must be in one of the following formats:
- `image: <image-name>` (Same as using `<image-name>` with the `latest` tag)
- `image: <image-name>:<tag>`
- `image: <image-name>@<digest>`
2020-10-24 23:57:45 +05:30
It's also possible to define different images and services per job:
2015-12-23 02:04:40 +05:30
```yaml
2019-09-30 21:07:59 +05:30
default:
before_script:
- bundle install
2015-09-25 12:07:36 +05:30
2020-03-13 15:44:24 +05:30
test:2.6:
image: ruby:2.6
2015-09-25 12:07:36 +05:30
services:
2020-07-28 23:09:34 +05:30
- postgres:11.7
2015-09-25 12:07:36 +05:30
script:
2020-07-28 23:09:34 +05:30
- bundle exec rake spec
2015-09-25 12:07:36 +05:30
2020-03-13 15:44:24 +05:30
test:2.7:
image: ruby:2.7
2015-09-25 12:07:36 +05:30
services:
2020-07-28 23:09:34 +05:30
- postgres:12.2
2015-09-25 12:07:36 +05:30
script:
2020-07-28 23:09:34 +05:30
- bundle exec rake spec
2015-09-25 12:07:36 +05:30
```
2017-09-10 17:25:29 +05:30
Or you can pass some [extended configuration options ](#extended-docker-configuration-options )
for `image` and `services` :
```yaml
2019-09-30 21:07:59 +05:30
default:
image:
2020-03-13 15:44:24 +05:30
name: ruby:2.6
2019-09-30 21:07:59 +05:30
entrypoint: ["/bin/bash"]
services:
2020-07-28 23:09:34 +05:30
- name: my-postgres:11.7
alias: db-postgres
entrypoint: ["/usr/local/bin/db-postgres"]
command: ["start"]
2019-09-30 21:07:59 +05:30
before_script:
2020-07-28 23:09:34 +05:30
- bundle install
2019-09-30 21:07:59 +05:30
test:
script:
2020-07-28 23:09:34 +05:30
- bundle exec rake spec
2019-09-30 21:07:59 +05:30
```
2021-03-11 19:13:27 +05:30
## Passing CI/CD variables to services
2019-09-30 21:07:59 +05:30
2021-03-11 19:13:27 +05:30
You can also pass custom CI/CD [variables ](../variables/README.md )
2019-09-30 21:07:59 +05:30
to fine tune your Docker `images` and `services` directly in the `.gitlab-ci.yml` file.
2021-03-11 19:13:27 +05:30
For more information, read about [`.gitlab-ci.yml` defined variables ](../variables/README.md#gitlab-ciyml-defined-variables ).
2019-09-30 21:07:59 +05:30
```yaml
2020-10-24 23:57:45 +05:30
# The following variables are automatically passed down to the Postgres container
2019-09-30 21:07:59 +05:30
# as well as the Ruby container and available within each.
variables:
HTTPS_PROXY: "https://10.1.1.1:8090"
HTTP_PROXY: "https://10.1.1.1:8090"
POSTGRES_DB: "my_custom_db"
POSTGRES_USER: "postgres"
POSTGRES_PASSWORD: "example"
PGDATA: "/var/lib/postgresql/data"
POSTGRES_INITDB_ARGS: "--encoding=UTF8 --data-checksums"
services:
2020-07-28 23:09:34 +05:30
- name: postgres:11.7
alias: db
entrypoint: ["docker-entrypoint.sh"]
command: ["postgres"]
2019-09-30 21:07:59 +05:30
2017-09-10 17:25:29 +05:30
image:
2020-03-13 15:44:24 +05:30
name: ruby:2.6
2017-09-10 17:25:29 +05:30
entrypoint: ["/bin/bash"]
before_script:
2020-07-28 23:09:34 +05:30
- bundle install
2017-09-10 17:25:29 +05:30
test:
script:
2020-07-28 23:09:34 +05:30
- bundle exec rake spec
2017-09-10 17:25:29 +05:30
```
## Extended Docker configuration options
2018-03-17 18:26:18 +05:30
> Introduced in GitLab and GitLab Runner 9.4.
2017-09-10 17:25:29 +05:30
When configuring the `image` or `services` entries, you can use a string or a map as
options:
2021-03-08 18:12:59 +05:30
- When using a string as an option, it must be the full name of the image to use
2017-09-10 17:25:29 +05:30
(including the Registry part if you want to download the image from a Registry
2021-03-08 18:12:59 +05:30
other than Docker Hub).
- When using a map as an option, then it must contain at least the `name`
option, which is the same name of the image as used for the string setting.
2017-09-10 17:25:29 +05:30
For example, the following two definitions are equal:
1. Using a string as an option to `image` and `services` :
2019-10-12 21:52:04 +05:30
```yaml
image: "registry.example.com/my/image:latest"
2017-09-10 17:25:29 +05:30
2019-10-12 21:52:04 +05:30
services:
2020-07-28 23:09:34 +05:30
- postgresql:9.4
- redis:latest
2019-10-12 21:52:04 +05:30
```
2017-09-10 17:25:29 +05:30
1. Using a map as an option to `image` and `services` . The use of `image:name` is
required:
2019-10-12 21:52:04 +05:30
```yaml
image:
name: "registry.example.com/my/image:latest"
2017-09-10 17:25:29 +05:30
2019-10-12 21:52:04 +05:30
services:
2020-07-28 23:09:34 +05:30
- name: postgresql:9.4
- name: redis:latest
2019-10-12 21:52:04 +05:30
```
2017-09-10 17:25:29 +05:30
### Available settings for `image`
2018-03-17 18:26:18 +05:30
> Introduced in GitLab and GitLab Runner 9.4.
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
| Setting | Required | GitLab version | Description |
|------------|----------|----------------| ----------- |
2021-03-08 18:12:59 +05:30
| `name` | yes, when used with any other option | 9.4 |Full name of the image to use. It should contain the Registry part if needed. |
| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT` ](https://docs.docker.com/engine/reference/builder/#entrypoint ) directive, where each shell token is a separate string in the array. |
2017-09-10 17:25:29 +05:30
### Available settings for `services`
2018-03-17 18:26:18 +05:30
> Introduced in GitLab and GitLab Runner 9.4.
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
| Setting | Required | GitLab version | Description |
|------------|----------|----------------| ----------- |
2021-03-08 18:12:59 +05:30
| `name` | yes, when used with any other option | 9.4 | Full name of the image to use. It should contain the Registry part if needed. |
| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT` ](https://docs.docker.com/engine/reference/builder/#entrypoint ) directive, where each shell token is a separate string in the array. |
2020-10-24 23:57:45 +05:30
| `command` | no | 9.4 |Command or script that should be used as the container's command. It's translated to arguments passed to Docker after the image's name. The syntax is similar to [`Dockerfile`'s `CMD` ](https://docs.docker.com/engine/reference/builder/#cmd ) directive, where each shell token is a separate string in the array. |
2021-01-03 14:25:43 +05:30
| `alias` (1) | no | 9.4 |Additional alias that can be used to access the service from the job's container. Read [Accessing the services ](#accessing-the-services ) for more information. |
2017-09-10 17:25:29 +05:30
2021-01-03 14:25:43 +05:30
(1) Alias support for the Kubernetes executor was [introduced ](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2229 ) in GitLab Runner 12.8, and is only available for Kubernetes version 1.7 or later.
2020-03-13 15:44:24 +05:30
2017-09-10 17:25:29 +05:30
### Starting multiple services from the same image
2020-04-22 19:07:51 +05:30
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options).
2018-03-17 18:26:18 +05:30
2017-09-10 17:25:29 +05:30
Before the new extended Docker configuration options, the following configuration
would not work properly:
```yaml
services:
2020-07-28 23:09:34 +05:30
- mysql:latest
- mysql:latest
2017-09-10 17:25:29 +05:30
```
2021-03-08 18:12:59 +05:30
The runner would start two containers, each that uses the `mysql:latest` image.
However, both of them would be added to the job's container with the `mysql` alias, based on
2017-09-10 17:25:29 +05:30
the [default hostname naming ](#accessing-the-services ). This would end with one
of the services not being accessible.
After the new extended Docker configuration options, the above example would
look like:
```yaml
services:
2020-07-28 23:09:34 +05:30
- name: mysql:latest
alias: mysql-1
- name: mysql:latest
alias: mysql-2
2017-09-10 17:25:29 +05:30
```
2020-11-24 15:15:51 +05:30
The runner still starts two containers using the `mysql:latest` image,
2020-10-24 23:57:45 +05:30
however now each of them are also accessible with the alias configured
2017-09-10 17:25:29 +05:30
in `.gitlab-ci.yml` file.
### Setting a command for the service
2020-04-22 19:07:51 +05:30
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options).
2018-03-17 18:26:18 +05:30
2017-09-10 17:25:29 +05:30
Let's assume you have a `super/sql:latest` image with some SQL database
2021-03-08 18:12:59 +05:30
in it. You would like to use it as a service for your job. Let's also
2020-10-24 23:57:45 +05:30
assume that this image does not start the database process while starting
2021-03-08 18:12:59 +05:30
the container. The user needs to manually use `/usr/bin/super-sql run` as
2017-09-10 17:25:29 +05:30
a command to start the database.
2021-03-08 18:12:59 +05:30
Before the new extended Docker configuration options, you would need to:
2017-09-10 17:25:29 +05:30
2021-03-08 18:12:59 +05:30
- Create your own image based on the `super/sql:latest` image.
- Add the default command.
- Use the image in the job's configuration:
2017-09-10 17:25:29 +05:30
2021-03-08 18:12:59 +05:30
```dockerfile
# my-super-sql:latest image's Dockerfile
2017-09-10 17:25:29 +05:30
2021-03-08 18:12:59 +05:30
FROM super/sql:latest
CMD ["/usr/bin/super-sql", "run"]
```
2017-09-10 17:25:29 +05:30
2021-03-08 18:12:59 +05:30
```yaml
# .gitlab-ci.yml
services:
- my-super-sql:latest
```
2017-09-10 17:25:29 +05:30
2021-03-08 18:12:59 +05:30
After the new extended Docker configuration options, you can
set a `command` in the `.gitlab-ci.yml` file instead:
2017-09-10 17:25:29 +05:30
```yaml
# .gitlab-ci.yml
services:
2020-07-28 23:09:34 +05:30
- name: super/sql:latest
command: ["/usr/bin/super-sql", "run"]
2017-09-10 17:25:29 +05:30
```
2021-03-08 18:12:59 +05:30
The syntax of `command` is similar to [Dockerfile's `CMD` ](https://docs.docker.com/engine/reference/builder/#cmd ).
2017-09-10 17:25:29 +05:30
### Overriding the entrypoint of an image
2020-04-22 19:07:51 +05:30
> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options).
2018-03-17 18:26:18 +05:30
2021-03-08 18:12:59 +05:30
Before showing the available entrypoint override methods, let's describe
how the runner starts. It uses a Docker image for the containers used in the
CI/CD jobs:
2018-03-17 18:26:18 +05:30
2020-11-24 15:15:51 +05:30
1. The runner starts a Docker container using the defined entrypoint (default
2018-03-17 18:26:18 +05:30
from `Dockerfile` that may be overridden in `.gitlab-ci.yml` )
2020-11-24 15:15:51 +05:30
1. The runner attaches itself to a running container.
1. The runner prepares a script (the combination of
2021-01-29 00:20:46 +05:30
[`before_script` ](../yaml/README.md#before_script ),
2018-03-17 18:26:18 +05:30
[`script` ](../yaml/README.md#script ),
2021-01-29 00:20:46 +05:30
and [`after_script` ](../yaml/README.md#after_script )).
2021-03-08 18:12:59 +05:30
1. The runner sends the script to the container's shell `stdin` and receives the
2018-03-17 18:26:18 +05:30
output.
2021-03-08 18:12:59 +05:30
To override the entrypoint of a Docker image, you should
2020-11-24 15:15:51 +05:30
define an empty `entrypoint` in `.gitlab-ci.yml` , so the runner does not start
2020-10-24 23:57:45 +05:30
a useless shell layer. However, that does not work for all Docker versions, and
2021-03-08 18:12:59 +05:30
you should check which one your runner is using:
2018-03-17 18:26:18 +05:30
2021-03-08 18:12:59 +05:30
- _If Docker 17.06 or later is used,_ the `entrypoint` can be set to an empty value.
- _If Docker 17.03 or previous versions are used,_ the `entrypoint` can be set to
2018-03-17 18:26:18 +05:30
`/bin/sh -c` , `/bin/bash -c` or an equivalent shell available in the image.
2020-04-22 19:07:51 +05:30
The syntax of `image:entrypoint` is similar to [Dockerfile's `ENTRYPOINT` ](https://docs.docker.com/engine/reference/builder/#entrypoint ).
2018-03-17 18:26:18 +05:30
2021-03-08 18:12:59 +05:30
Let's assume you have a `super/sql:experimental` image with a SQL database
in it. You want to use it as a base image for your job because you
2017-09-10 17:25:29 +05:30
want to execute some tests with this database binary. Let's also assume that
2021-03-08 18:12:59 +05:30
this image is configured with `/usr/bin/super-sql run` as an entrypoint. When
the container starts without additional options, it runs
the database's process. The runner expects that the image has no
2018-03-17 18:26:18 +05:30
entrypoint or that the entrypoint is prepared to start a shell command.
2017-09-10 17:25:29 +05:30
2021-03-08 18:12:59 +05:30
With the extended Docker configuration options, instead of:
- Creating your own image based on `super/sql:experimental` .
- Setting the `ENTRYPOINT` to a shell.
- Using the new image in your CI job.
You can now define an `entrypoint` in the `.gitlab-ci.yml` file.
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
**For Docker 17.06+:**
2017-09-10 17:25:29 +05:30
```yaml
2018-03-17 18:26:18 +05:30
image:
name: super/sql:experimental
entrypoint: [""]
2017-09-10 17:25:29 +05:30
```
2018-03-17 18:26:18 +05:30
**For Docker =< 17.03: * *
2017-09-10 17:25:29 +05:30
```yaml
image:
name: super/sql:experimental
2018-03-17 18:26:18 +05:30
entrypoint: ["/bin/sh", "-c"]
2017-09-10 17:25:29 +05:30
```
2015-12-23 02:04:40 +05:30
## Define image and services in `config.toml`
Look for the `[runners.docker]` section:
2019-09-04 21:01:54 +05:30
```toml
2015-09-25 12:07:36 +05:30
[runners.docker]
2020-04-08 14:13:33 +05:30
image = "ruby:latest"
2015-12-23 02:04:40 +05:30
services = ["mysql:latest", "postgres:latest"]
2015-09-25 12:07:36 +05:30
```
2021-03-08 18:12:59 +05:30
The image and services defined this way are added to all jobs run by
2015-12-23 02:04:40 +05:30
that runner.
2017-09-10 17:25:29 +05:30
## Define an image from a private Container Registry
2015-12-23 02:04:40 +05:30
2019-09-04 21:01:54 +05:30
To access private container registries, the GitLab Runner process can use:
- [Statically defined credentials ](#using-statically-defined-credentials ). That is, a username and password for a specific registry.
2021-03-08 18:12:59 +05:30
- [Credentials Store ](#using-credentials-store ). For more information, read [the relevant Docker documentation ](https://docs.docker.com/engine/reference/commandline/login/#credentials-store ).
- [Credential Helpers ](#using-credential-helpers ). For more information, read [the relevant Docker documentation ](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers ).
2019-09-04 21:01:54 +05:30
To define which should be used, the GitLab Runner process reads the configuration in the following order:
- `DOCKER_AUTH_CONFIG` variable provided as either:
2021-03-11 19:13:27 +05:30
- A [CI/CD variable ](../variables/README.md ) in `.gitlab-ci.yml` .
2019-09-04 21:01:54 +05:30
- A project's variables stored on the projects **Settings > CI/CD** page.
2020-11-24 15:15:51 +05:30
- `DOCKER_AUTH_CONFIG` variable provided as environment variable in `config.toml` of the runner.
2019-09-30 21:07:59 +05:30
- `config.json` file placed in `$HOME/.docker` directory of the user running GitLab Runner process.
2019-09-04 21:01:54 +05:30
If the `--user` flag is provided to run the GitLab Runner child processes as unprivileged user,
2020-10-24 23:57:45 +05:30
the home directory of the main GitLab Runner process user is used.
2019-09-04 21:01:54 +05:30
2019-09-30 21:07:59 +05:30
GitLab Runner reads this configuration **only** from `config.toml` and ignores it if
2020-03-13 15:44:24 +05:30
it's provided as an environment variable. This is because GitLab Runner uses **only**
2021-03-08 18:12:59 +05:30
`config.toml` configuration and does not interpolate **any** environment variables at
2019-09-04 21:01:54 +05:30
runtime.
2019-12-04 20:38:33 +05:30
### Requirements and limitations
- This feature requires GitLab Runner **1.8** or higher.
- For GitLab Runner versions ** >= 0.6, < 1.8 ** there was a partial
support for using private registries, which required manual configuration
2020-11-24 15:15:51 +05:30
of credentials on runner's host. We recommend to upgrade your runner to
2019-12-04 20:38:33 +05:30
at least version **1.8** if you want to use private registries.
2020-07-28 23:09:34 +05:30
- Available for [Kubernetes executor ](https://docs.gitlab.com/runner/executors/kubernetes.html )
in GitLab Runner 13.1 and later.
2021-03-08 18:12:59 +05:30
- [Credentials Store ](#using-credentials-store ) and [Credential Helpers ](#using-credential-helpers ) require binaries to be added to the GitLab Runner's `$PATH` , and require access to do so. Therefore, these features are not available on shared runners, or any other runner where the user does not have access to the environment where the runner is installed.
2019-12-04 20:38:33 +05:30
2019-09-04 21:01:54 +05:30
### Using statically-defined credentials
2019-10-12 21:52:04 +05:30
2019-09-30 21:07:59 +05:30
There are two approaches that you can take in order to access a
private registry. Both require setting the environment variable
2020-04-22 19:07:51 +05:30
`DOCKER_AUTH_CONFIG` with appropriate authentication information.
2019-09-30 21:07:59 +05:30
1. Per-job: To configure one job to access a private registry, add
`DOCKER_AUTH_CONFIG` as a job variable.
2020-11-24 15:15:51 +05:30
1. Per-runner: To configure a runner so all its jobs can access a
2019-09-30 21:07:59 +05:30
private registry, add `DOCKER_AUTH_CONFIG` to the environment in the
2020-11-24 15:15:51 +05:30
runner's configuration.
2019-09-30 21:07:59 +05:30
See below for examples of each.
#### Determining your `DOCKER_AUTH_CONFIG` data
2021-01-29 00:20:46 +05:30
As an example, let's assume you want to use the `registry.example.com:5000/private/image:latest`
2021-03-08 18:12:59 +05:30
image. This image is private and requires you to sign in to a private container
2021-01-29 00:20:46 +05:30
registry.
2018-03-17 18:26:18 +05:30
2021-01-29 00:20:46 +05:30
Let's also assume that these are the sign-in credentials:
2018-03-17 18:26:18 +05:30
2019-09-04 21:01:54 +05:30
| Key | Value |
|:---------|:----------------------------|
| registry | `registry.example.com:5000` |
| username | `my_username` |
| password | `my_password` |
2018-03-17 18:26:18 +05:30
2021-01-29 00:20:46 +05:30
Use one of the following methods to determine the value of `DOCKER_AUTH_CONFIG` :
2019-09-30 21:07:59 +05:30
2021-01-29 00:20:46 +05:30
- Do a `docker login` on your local machine:
2019-09-30 21:07:59 +05:30
2020-03-13 15:44:24 +05:30
```shell
2019-10-12 21:52:04 +05:30
docker login registry.example.com:5000 --username my_username --password my_password
```
2019-09-30 21:07:59 +05:30
2019-10-12 21:52:04 +05:30
Then copy the content of `~/.docker/config.json` .
2015-12-23 02:04:40 +05:30
2019-10-12 21:52:04 +05:30
If you don't need access to the registry from your computer, you
can do a `docker logout` :
2015-12-23 02:04:40 +05:30
2020-03-13 15:44:24 +05:30
```shell
2019-10-12 21:52:04 +05:30
docker logout registry.example.com:5000
```
2019-09-30 21:07:59 +05:30
2021-01-29 00:20:46 +05:30
- In some setups, it's possible that Docker client uses the available system key
store to store the result of `docker login` . In that case, it's impossible to
2021-03-08 18:12:59 +05:30
read `~/.docker/config.json` , so you must prepare the required
2021-01-29 00:20:46 +05:30
base64-encoded version of `${username}:${password}` and create the Docker
configuration JSON manually. Open a terminal and execute the following command:
2018-03-17 18:26:18 +05:30
2020-03-13 15:44:24 +05:30
```shell
2021-01-03 14:25:43 +05:30
# The use of "-n" - prevents encoding a newline in the password.
2019-10-12 21:52:04 +05:30
echo -n "my_username:my_password" | base64
2019-09-30 21:07:59 +05:30
2019-10-12 21:52:04 +05:30
# Example output to copy
bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=
```
2020-04-08 14:13:33 +05:30
2020-01-01 13:55:28 +05:30
Create the Docker JSON configuration content as follows:
```json
{
"auths": {
"registry.example.com:5000": {
"auth": "(Base64 content from above)"
}
}
}
```
2018-03-17 18:26:18 +05:30
2019-09-30 21:07:59 +05:30
#### Configuring a job
2018-03-17 18:26:18 +05:30
2019-09-30 21:07:59 +05:30
To configure a single job with access for `registry.example.com:5000` ,
follow these steps:
2015-12-23 02:04:40 +05:30
2021-03-11 19:13:27 +05:30
1. Create a [CI/CD variable ](../variables/README.md ) `DOCKER_AUTH_CONFIG` with the content of the
2017-09-10 17:25:29 +05:30
Docker configuration file as the value:
2015-12-23 02:04:40 +05:30
2019-10-12 21:52:04 +05:30
```json
{
"auths": {
"registry.example.com:5000": {
"auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
}
}
}
```
2015-12-23 02:04:40 +05:30
2018-12-13 13:39:08 +05:30
1. You can now use any private image from `registry.example.com:5000` defined in
2018-03-17 18:26:18 +05:30
`image` and/or `services` in your `.gitlab-ci.yml` file:
2017-08-17 22:00:37 +05:30
2019-10-12 21:52:04 +05:30
```yaml
image: registry.example.com:5000/namespace/image:tag
```
2015-12-23 02:04:40 +05:30
2020-10-24 23:57:45 +05:30
In the example above, GitLab Runner looks at `registry.example.com:5000` for the
2019-10-12 21:52:04 +05:30
image `namespace/image:tag` .
2015-12-23 02:04:40 +05:30
2017-09-10 17:25:29 +05:30
You can add configuration for as many registries as you want, adding more
registries to the `"auths"` hash as described above.
2015-12-23 02:04:40 +05:30
2019-09-04 21:01:54 +05:30
The full `hostname:port` combination is required everywhere
2020-11-24 15:15:51 +05:30
for the runner to match the `DOCKER_AUTH_CONFIG` . For example, if
2018-12-13 13:39:08 +05:30
`registry.example.com:5000/namespace/image:tag` is specified in `.gitlab-ci.yml` ,
then the `DOCKER_AUTH_CONFIG` must also specify `registry.example.com:5000` .
2020-10-24 23:57:45 +05:30
Specifying only `registry.example.com` does not work.
2018-12-13 13:39:08 +05:30
2020-11-24 15:15:51 +05:30
### Configuring a runner
2019-09-30 21:07:59 +05:30
2020-10-24 23:57:45 +05:30
If you have many pipelines that access the same registry, it is
probably better to set up registry access at the runner level. This
2019-09-30 21:07:59 +05:30
allows pipeline authors to have access to a private registry just by
running a job on the appropriate runner. It also makes registry
changes and credential rotations much simpler.
Of course this means that any job on that runner can access the
registry with the same privilege, even across projects. If you need to
2020-10-24 23:57:45 +05:30
control access to the registry, you need to be sure to control
2019-09-30 21:07:59 +05:30
access to the runner.
2020-11-24 15:15:51 +05:30
To add `DOCKER_AUTH_CONFIG` to a runner:
2019-09-30 21:07:59 +05:30
2020-11-24 15:15:51 +05:30
1. Modify the runner's `config.toml` file as follows:
2019-09-30 21:07:59 +05:30
2019-10-12 21:52:04 +05:30
```toml
[[runners]]
environment = ["DOCKER_AUTH_CONFIG={\"auths\":{\"registry.example.com:5000\":{\"auth\":\"bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=\"}}}"]
```
2019-09-30 21:07:59 +05:30
2021-01-03 14:25:43 +05:30
- The double quotes included in the `DOCKER_AUTH_CONFIG`
data must be escaped with backslashes. This prevents them from being
interpreted as TOML.
- The `environment` option is a list. Your runner may
have existing entries and you should add this to the list, not replace
it.
2019-09-30 21:07:59 +05:30
2021-01-03 14:25:43 +05:30
1. Restart the runner service.
2019-09-04 21:01:54 +05:30
### Using Credentials Store
> Support for using Credentials Store was added in GitLab Runner 9.5.
To configure credentials store, follow these steps:
1. To use a credentials store, you need an external helper program to interact with a specific keychain or external store.
2021-03-08 18:12:59 +05:30
Make sure the helper program is available in GitLab Runner `$PATH` .
2019-09-04 21:01:54 +05:30
1. Make GitLab Runner use it. There are two ways to accomplish this. Either:
2019-10-12 21:52:04 +05:30
2019-09-30 21:07:59 +05:30
- Create a
2021-03-11 19:13:27 +05:30
[CI/CD variable ](../variables/README.md )
2019-09-04 21:01:54 +05:30
`DOCKER_AUTH_CONFIG` with the content of the
2019-10-12 21:52:04 +05:30
Docker configuration file as the value:
2019-09-04 21:01:54 +05:30
2019-10-12 21:52:04 +05:30
```json
{
"credsStore": "osxkeychain"
}
```
2019-09-04 21:01:54 +05:30
2020-11-24 15:15:51 +05:30
- Or, if you're running self-managed runners, add the above JSON to
2020-10-24 23:57:45 +05:30
`${GITLAB_RUNNER_HOME}/.docker/config.json` . GitLab Runner reads this configuration file
and uses the needed helper for this specific repository.
2019-09-04 21:01:54 +05:30
2021-03-08 18:12:59 +05:30
`credsStore` is used to access **all** the registries.
If you use both images from a private registry and public images from Docker Hub,
pulling from Docker Hub fails. Docker daemon tries to use the same credentials for **all** the registries.
2019-09-04 21:01:54 +05:30
### Using Credential Helpers
> Support for using Credential Helpers was added in GitLab Runner 12.0
As an example, let's assume that you want to use the `aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latest`
2021-03-08 18:12:59 +05:30
image. This image is private and requires you to log in into a private container registry.
2019-09-04 21:01:54 +05:30
To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com` , follow these steps:
1. Make sure `docker-credential-ecr-login` is available in GitLab Runner's `$PATH` .
2020-06-23 00:09:42 +05:30
1. Have any of the following [AWS credentials setup ](https://github.com/awslabs/amazon-ecr-credential-helper#aws-credentials ).
Make sure that GitLab Runner can access the credentials.
2019-09-04 21:01:54 +05:30
1. Make GitLab Runner use it. There are two ways to accomplish this. Either:
2019-10-12 21:52:04 +05:30
2021-03-11 19:13:27 +05:30
- Create a [CI/CD variable ](../variables/README.md )
2019-09-04 21:01:54 +05:30
`DOCKER_AUTH_CONFIG` with the content of the
2019-10-12 21:52:04 +05:30
Docker configuration file as the value:
2019-09-04 21:01:54 +05:30
2019-10-12 21:52:04 +05:30
```json
{
"credHelpers": {
"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
}
}
```
2019-09-04 21:01:54 +05:30
2020-06-23 00:09:42 +05:30
This configures Docker to use the credential helper for a specific registry.
or
```json
{
"credsStore": "ecr-login"
}
```
2021-03-08 18:12:59 +05:30
This configures Docker to use the credential helper for all Amazon Elastic Container Registry (ECR) registries.
2020-06-23 00:09:42 +05:30
2020-11-24 15:15:51 +05:30
- Or, if you're running self-managed runners,
2019-09-04 21:01:54 +05:30
add the above JSON to `${GITLAB_RUNNER_HOME}/.docker/config.json` .
2020-10-24 23:57:45 +05:30
GitLab Runner reads this configuration file and uses the needed helper for this
2019-09-04 21:01:54 +05:30
specific repository.
1. You can now use any private image from `aws_account_id.dkr.ecr.region.amazonaws.com` defined in
`image` and/or `services` in your `.gitlab-ci.yml` file:
2019-10-12 21:52:04 +05:30
```yaml
image: aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latest
```
2019-09-04 21:01:54 +05:30
2020-10-24 23:57:45 +05:30
In the example above, GitLab Runner looks at `aws_account_id.dkr.ecr.region.amazonaws.com` for the
2019-10-12 21:52:04 +05:30
image `private/image:latest` .
2019-09-04 21:01:54 +05:30
You can add configuration for as many registries as you want, adding more
registries to the `"credHelpers"` hash as described above.
2015-12-23 02:04:40 +05:30
## Configuring services
2021-03-08 18:12:59 +05:30
Many services accept environment variables, which you can use to change
database names or set account names, depending on the environment.
2015-12-23 02:04:40 +05:30
2021-03-11 19:13:27 +05:30
GitLab Runner 0.5.0 and up passes all YAML-defined CI/CD variables to the created
2015-12-23 02:04:40 +05:30
service containers.
2021-03-08 18:12:59 +05:30
For all possible configuration variables, check the documentation of each image
2015-12-23 02:04:40 +05:30
provided in their corresponding Docker hub page.
2021-03-11 19:13:27 +05:30
All CI/CD variables are passed to all services containers. It's not
2019-09-04 21:01:54 +05:30
designed to distinguish which variable should go where.
2015-12-23 02:04:40 +05:30
### PostgreSQL service example
2021-03-08 18:12:59 +05:30
Read the specific documentation for
2015-12-23 02:04:40 +05:30
[using PostgreSQL as a service ](../services/postgres.md ).
### MySQL service example
2021-03-08 18:12:59 +05:30
Read the specific documentation for
2015-12-23 02:04:40 +05:30
[using MySQL as a service ](../services/mysql.md ).
## How Docker integration works
2017-09-10 17:25:29 +05:30
Below is a high level overview of the steps performed by Docker during job
2015-12-23 02:04:40 +05:30
time.
2015-09-25 12:07:36 +05:30
1. Create any service container: `mysql` , `postgresql` , `mongodb` , `redis` .
2021-03-08 18:12:59 +05:30
1. Create a cache container to store all volumes as defined in `config.toml` and
2020-03-13 15:44:24 +05:30
`Dockerfile` of build image (`ruby:2.6` as in above example).
2021-03-08 18:12:59 +05:30
1. Create a build container and link any service container to build container.
1. Start the build container, and send a job script to the container.
1. Run the job script.
2015-09-25 12:07:36 +05:30
1. Checkout code in: `/builds/group-name/project-name/` .
1. Run any step defined in `.gitlab-ci.yml` .
2021-03-08 18:12:59 +05:30
1. Check the exit status of build script.
1. Remove the build container and all created service containers.
2015-09-25 12:07:36 +05:30
2017-08-17 22:00:37 +05:30
## How to debug a job locally
2015-12-23 02:04:40 +05:30
2019-09-04 21:01:54 +05:30
The following commands are run without root privileges. You should be
able to run Docker with your regular user account.
2015-12-23 02:04:40 +05:30
2016-11-03 12:29:30 +05:30
First start with creating a file named `build_script` :
2015-12-23 02:04:40 +05:30
2020-03-13 15:44:24 +05:30
```shell
2015-12-23 02:04:40 +05:30
cat < < EOF > build_script
2018-03-17 18:26:18 +05:30
git clone https://gitlab.com/gitlab-org/gitlab-runner.git /builds/gitlab-org/gitlab-runner
cd /builds/gitlab-org/gitlab-runner
2015-12-23 02:04:40 +05:30
make
2015-09-25 12:07:36 +05:30
EOF
```
2015-12-23 02:04:40 +05:30
Here we use as an example the GitLab Runner repository which contains a
2020-10-24 23:57:45 +05:30
Makefile, so running `make` executes the commands defined in the Makefile.
2021-03-08 18:12:59 +05:30
Instead of `make` , you could run the command which is specific to your project.
2015-12-23 02:04:40 +05:30
Then create some service containers:
2020-03-13 15:44:24 +05:30
```shell
2016-06-02 11:05:42 +05:30
docker run -d --name service-mysql mysql:latest
docker run -d --name service-postgres postgres:latest
2015-09-25 12:07:36 +05:30
```
2020-10-24 23:57:45 +05:30
This creates two service containers, named `service-mysql` and
2015-12-23 02:04:40 +05:30
`service-postgres` which use the latest MySQL and PostgreSQL images
2020-10-24 23:57:45 +05:30
respectively. They both run in the background (`-d`).
2015-12-23 02:04:40 +05:30
Finally, create a build container by executing the `build_script` file we
created earlier:
2020-03-13 15:44:24 +05:30
```shell
docker run --name build -i --link=service-mysql:mysql --link=service-postgres:postgres ruby:2.6 /bin/bash < build_script
2015-09-25 12:07:36 +05:30
```
2020-10-24 23:57:45 +05:30
The above command creates a container named `build` that's spawned from
2020-03-13 15:44:24 +05:30
the `ruby:2.6` image and has two services linked to it. The `build_script` is
2021-03-08 18:12:59 +05:30
piped using `stdin` to the bash interpreter which in turn executes the
2015-12-23 02:04:40 +05:30
`build_script` in the `build` container.
When you finish testing and no longer need the containers, you can remove them
with:
2020-03-13 15:44:24 +05:30
```shell
2015-09-25 12:07:36 +05:30
docker rm -f -v build service-mysql service-postgres
```
2015-12-23 02:04:40 +05:30
2020-10-24 23:57:45 +05:30
This forcefully (`-f`) removes the `build` container, the two service
2021-03-08 18:12:59 +05:30
containers, and all volumes (`-v`) that were created with the container
2015-12-23 02:04:40 +05:30
creation.