Run your CI/CD jobs in Docker containers
DETAILS: Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
You can run your CI/CD jobs in Docker containers hosted on dedicated CI/CD build servers or your local machine.
To run CI/CD jobs in a Docker container, you need to:
- Register a runner and configure it to use the Docker executor.
- Specify the container image where you want to run the CI/CD jobs in the
.gitlab-ci.yml
file. - Optional. Run other services, like MySQL, in containers. Do this by specifying services
in your
.gitlab-ci.yml
file.
Register a runner that uses the Docker executor
To use GitLab Runner with Docker you need to register a runner that uses the Docker executor.
This example shows how to set up a temporary template to supply services:
cat > /tmp/test-config.template.toml << EOF
[[runners]]
[runners.docker]
[[runners.docker.services]]
name = "postgres:latest"
[[runners.docker.services]]
name = "mysql:latest"
EOF
Then use this template to register the runner:
sudo gitlab-runner register \
--url "https://gitlab.example.com/" \
--token "$RUNNER_TOKEN" \
--description "docker-ruby:2.6" \
--executor "docker" \
--template-config /tmp/test-config.template.toml \
--docker-image ruby:3.3
The registered runner uses the ruby:2.6
Docker image and runs two
services, postgres:latest
and mysql:latest
, both of which are
accessible during the build process.
What is an image
The image
keyword is the name of the Docker image the Docker executor
uses to run CI/CD jobs.
By default, the executor pulls images from Docker Hub.
However, you can configure the registry location in the gitlab-runner/config.toml
file.
For example, you can set the Docker pull policy
to use local images.
For more information about images and Docker Hub, see the Docker overview.
Image requirements
Any image used to run a CI/CD job must have the following applications installed:
-
sh
orbash
grep
image
in the .gitlab-ci.yml
file
Define You can define an image that's used for all jobs, and a list of services that you want to use during runtime:
default:
image: ruby:2.6
services:
- postgres:11.7
before_script:
- bundle install
test:
script:
- bundle exec rake spec
The image name must be in one of the following formats:
-
image: <image-name>
(Same as using<image-name>
with thelatest
tag) image: <image-name>:<tag>
image: <image-name>@<digest>
Extended Docker configuration options
- Introduced in GitLab and GitLab Runner 9.4.
You can use a string or a map for the image
or services
entries:
- Strings must include the full image name (including the registry, if you want to download the image from a registry other than Docker Hub).
- Maps must contain at least the
name
option, which is the same image name as used for the string setting.
For example, the following two definitions are equal:
-
A string for
image
andservices
:image: "registry.example.com/my/image:latest" services: - postgresql:14.3 - redis:latest
-
A map for
image
andservices
. Theimage:name
is required:image: name: "registry.example.com/my/image:latest" services: - name: postgresql:14.3 - name: redis:latest
Where scripts are executed
When a CI job runs in a Docker container, the before_script
, script
, and after_script
commands run in the /builds/<project-path>/
directory. Your image may have a different default WORKDIR
defined. To move to your WORKDIR
, save the WORKDIR
as an environment variable so you can reference it in the container during the job's runtime.
Override the entrypoint of an image
- Introduced in GitLab and GitLab Runner 9.4. Read more about the extended configuration options.
Before explaining the available entrypoint override methods, let's describe how the runner starts. It uses a Docker image for the containers used in the CI/CD jobs:
- The runner starts a Docker container using the defined entrypoint. The default
from
Dockerfile
that may be overridden in the.gitlab-ci.yml
file. - The runner attaches itself to a running container.
- The runner prepares a script (the combination of
before_script
,script
, andafter_script
). - The runner sends the script to the container's shell
stdin
and receives the output.
To override the entrypoint of a Docker image,
in the .gitlab-ci.yml
file:
- For Docker 17.06 and later, set
entrypoint
to an empty value. - For Docker 17.03 and earlier, set
entrypoint
to/bin/sh -c
,/bin/bash -c
, or an equivalent shell available in the image.
The syntax of image:entrypoint
is similar to Dockerfile ENTRYPOINT
.
Let's assume you have a super/sql:experimental
image with a SQL database
in it. You want to use it as a base image for your job because you
want to execute some tests with this database binary. Let's also assume that
this image is configured with /usr/bin/super-sql run
as an entrypoint. When
the container starts without additional options, it runs
the database's process. The runner expects that the image has no
entrypoint or that the entrypoint is prepared to start a shell command.
With the extended Docker configuration options, instead of:
- Creating your own image based on
super/sql:experimental
. - Setting the
ENTRYPOINT
to a shell. - Using the new image in your CI job.
You can now define an entrypoint
in the .gitlab-ci.yml
file.
For Docker 17.06 and later:
image:
name: super/sql:experimental
entrypoint: [""]
For Docker 17.03 and earlier:
image:
name: super/sql:experimental
entrypoint: ["/bin/sh", "-c"]
config.toml
Define image and services in In the config.toml
file, you can define:
- In the
[runners.docker]
section, the container image used to run CI/CD jobs - In the
[[runners.docker.services]]
section, the services container
[runners.docker]
image = "ruby:latest"
services = ["mysql:latest", "postgres:latest"]
The image and services defined this way are added to all jobs run by that runner.
Access an image from a private container registry
To access private container registries, the GitLab Runner process can use:
- Statically defined credentials. That is, a username and password for a specific registry.
- Credentials Store. For more information, see the relevant Docker documentation.
- Credential Helpers. For more information, see the relevant Docker documentation.
To define which option should be used, the runner process reads the configuration in this order:
- A
DOCKER_AUTH_CONFIG
CI/CD variable. - A
DOCKER_AUTH_CONFIG
environment variable set in the runner'sconfig.toml
file. - A
config.json
file in$HOME/.docker
directory of the user running the process. If the--user
flag is provided to run the child processes as unprivileged user, the home directory of the main runner process user is used.
Requirements and limitations
- Available for Kubernetes executor in GitLab Runner 13.1 and later.
-
Credentials Store and Credential Helpers
require binaries to be added to the GitLab Runner
$PATH
, and require access to do so. Therefore, these features are not available on instance runners, or any other runner where the user does not have access to the environment where the runner is installed.
Use statically-defined credentials
There are two approaches that you can take to access a
private registry. Both require setting the CI/CD variable
DOCKER_AUTH_CONFIG
with appropriate authentication information.
- Per-job: To configure one job to access a private registry, add
DOCKER_AUTH_CONFIG
as a CI/CD variable. - Per-runner: To configure a runner so all its jobs can access a
private registry, add
DOCKER_AUTH_CONFIG
as an environment variable in the runner's configuration.
See below for examples of each.
DOCKER_AUTH_CONFIG
data
Determine your As an example, let's assume you want to use the registry.example.com:5000/private/image:latest
image. This image is private and requires you to sign in to a private container
registry.
Let's also assume that these are the sign-in credentials:
Key | Value |
---|---|
registry | registry.example.com:5000 |
username | my_username |
password | my_password |
Use one of the following methods to determine the value for DOCKER_AUTH_CONFIG
:
-
Do a
docker login
on your local machine:docker login registry.example.com:5000 --username my_username --password my_password
Then copy the content of
~/.docker/config.json
.If you don't need access to the registry from your computer, you can do a
docker logout
:docker logout registry.example.com:5000
-
In some setups, it's possible the Docker client uses the available system key store to store the result of
docker login
. In that case, it's impossible to read~/.docker/config.json
, so you must prepare the required base64-encoded version of${username}:${password}
and create the Docker configuration JSON manually. Open a terminal and execute the following command:# The use of printf (as opposed to echo) prevents encoding a newline in the password. printf "my_username:my_password" | openssl base64 -A # Example output to copy bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=
NOTE:
If your username includes special characters like @
, you must escape them with a backslash (\
) to prevent authentication problems.
Create the Docker JSON configuration content as follows:
{
"auths": {
"registry.example.com:5000": {
"auth": "(Base64 content from above)"
}
}
}
Configure a job
To configure a single job with access for registry.example.com:5000
,
follow these steps:
-
Create a CI/CD variable
DOCKER_AUTH_CONFIG
with the content of the Docker configuration file as the value:{ "auths": { "registry.example.com:5000": { "auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=" } } }
-
You can now use any private image from
registry.example.com:5000
defined inimage
orservices
in your.gitlab-ci.yml
file:image: registry.example.com:5000/namespace/image:tag
In the example above, GitLab Runner looks at
registry.example.com:5000
for the imagenamespace/image:tag
.
You can add configuration for as many registries as you want, adding more
registries to the "auths"
hash as described above.
The full hostname:port
combination is required everywhere
for the runner to match the DOCKER_AUTH_CONFIG
. For example, if
registry.example.com:5000/namespace/image:tag
is specified in the .gitlab-ci.yml
file,
then the DOCKER_AUTH_CONFIG
must also specify registry.example.com:5000
.
Specifying only registry.example.com
does not work.
Configuring a runner
If you have many pipelines that access the same registry, you should set up registry access at the runner level. This allows pipeline authors to have access to a private registry just by running a job on the appropriate runner. It also helps simplify registry changes and credential rotations.
This means that any job on that runner can access the registry with the same privilege, even across projects. If you need to control access to the registry, you need to be sure to control access to the runner.
To add DOCKER_AUTH_CONFIG
to a runner:
-
Modify the runner's
config.toml
file as follows:[[runners]] environment = ["DOCKER_AUTH_CONFIG={\"auths\":{\"registry.example.com:5000\":{\"auth\":\"bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=\"}}}"]
- The double quotes included in the
DOCKER_AUTH_CONFIG
data must be escaped with backslashes. This prevents them from being interpreted as TOML. - The
environment
option is a list. Your runner may have existing entries and you should add this to the list, not replace it.
- The double quotes included in the
-
Restart the runner service.
Use a Credentials Store
To configure a Credentials Store:
-
To use a Credentials Store, you need an external helper program to interact with a specific keychain or external store. Make sure the helper program is available in the GitLab Runner
$PATH
. -
Make GitLab Runner use it. There are two ways to accomplish this. Either:
-
Create a CI/CD variable
DOCKER_AUTH_CONFIG
with the content of the Docker configuration file as the value:{ "credsStore": "osxkeychain" }
-
Or, if you're running self-managed runners, add the above JSON to
${GITLAB_RUNNER_HOME}/.docker/config.json
. GitLab Runner reads this configuration file and uses the needed helper for this specific repository.
-
credsStore
is used to access all the registries.
If you use both images from a private registry and public images from Docker Hub,
pulling from Docker Hub fails. Docker daemon tries to use the same credentials for all the registries.
Use Credential Helpers
- Introduced in GitLab Runner 12.0.
As an example, let's assume that you want to use the <aws_account_id>.dkr.ecr.<region>.amazonaws.com/private/image:latest
image. This image is private and requires you to sign in to a private container registry.
To configure access for <aws_account_id>.dkr.ecr.<region>.amazonaws.com
, follow these steps:
-
Make sure
docker-credential-ecr-login
is available in the GitLab Runner$PATH
. -
Have any of the following AWS credentials setup. Make sure that GitLab Runner can access the credentials.
-
Make GitLab Runner use it. There are two ways to accomplish this. Either:
-
Create a CI/CD variable
DOCKER_AUTH_CONFIG
with the content of the Docker configuration file as the value:{ "credHelpers": { "<aws_account_id>.dkr.ecr.<region>.amazonaws.com": "ecr-login" } }
This configures Docker to use the Credential Helper for a specific registry.
Instead, you can configure Docker to use the Credential Helper for all Amazon Elastic Container Registry (ECR) registries:
{ "credsStore": "ecr-login" }
NOTE: If you use
{"credsStore": "ecr-login"}
, set the region explicitly in the AWS shared configuration file (~/.aws/config
), because the region must be specified when the ECR Credential Helper retrieves the authorization token. -
Or, if you're running self-managed runners, add the previous JSON to
${GITLAB_RUNNER_HOME}/.docker/config.json
. GitLab Runner reads this configuration file and uses the needed helper for this specific repository.
-
-
You can now use any private image from
<aws_account_id>.dkr.ecr.<region>.amazonaws.com
defined inimage
and/orservices
in your.gitlab-ci.yml
file:image: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/private/image:latest
In the example, GitLab Runner looks at
<aws_account_id>.dkr.ecr.<region>.amazonaws.com
for the imageprivate/image:latest
.
You can add configuration for as many registries as you want, adding more
registries to the "credHelpers"
hash.
Use checksum to keep your image secure
We recommend using the image checksum in your job definition in your .gitlab-ci.yml
file to verify the integrity of the image. A failed image integrity verification prevents you from using a modified container.
To use the image checksum you have to append the checksum at the end:
image: ruby:2.6.8@sha256:d1dbaf9665fe8b2175198e49438092fdbcf4d8934200942b94425301b17853c7
To get the image checksum, on the image TAG
tab, view the DIGEST
column.
For example, view the Ruby image.
The checksum is a random string, like 6155f0235e95
.
You can also get the checksum of any image on your system with the command docker images --digests
:
❯ docker images --digests
REPOSITORY TAG DIGEST (...)
gitlab/gitlab-ee latest sha256:723aa6edd8f122d50cae490b1743a616d54d4a910db892314d68470cc39dfb24 (...)
gitlab/gitlab-runner latest sha256:4a18a80f5be5df44cb7575f6b89d1fdda343297c6fd666c015c0e778b276e726 (...)
Creating a Custom GitLab Runner Docker Image
You can create a custom GitLab Runner Docker image to package AWS CLI and Amazon ECR Credential Helper. This setup facilitates secure and streamlined interactions with AWS services, especially for containerized applications. For example, to reduce time and error-prone manual configurations, teams who deploy microservices on AWS can use this setup to manage, deploy, and update Docker images on Amazon ECR, without using manual credential management.
-
Create a
Dockerfile
with the following content:# Control package versions ARG GITLAB_RUNNER_VERSION=v17.3.0 ARG AWS_CLI_VERSION=2.17.36 # AWS CLI and Amazon ECR Credential Helper FROM amazonlinux as aws-tools RUN set -e \ && yum update -y \ && yum install -y --allowerasing git make gcc curl unzip \ && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" --output "awscliv2.zip" \ && unzip awscliv2.zip && ./aws/install -i /usr/local/bin \ && yum clean all # Download and install ECR Credential Helper RUN curl --location --output /usr/local/bin/docker-credential-ecr-login "https://github.com/awslabs/amazon-ecr-credential-helper/releases/latest/download/docker-credential-ecr-login-linux-amd64" RUN chmod +x /usr/local/bin/docker-credential-ecr-login # Configure the ECR Credential Helper RUN mkdir -p /root/.docker RUN echo '{ "credsStore": "ecr-login" }' > /root/.docker/config.json # Final image based on GitLab Runner FROM gitlab/gitlab-runner:${GITLAB_RUNNER_VERSION} # Install necessary packages RUN apt-get update \ && apt-get install -y --no-install-recommends jq procps curl unzip groff libgcrypt20 tar gzip less openssh-client \ && apt-get clean && rm -rf /var/lib/apt/lists/* # Copy AWS CLI and Amazon ECR Credential Helper binaries COPY --from=aws-tools /usr/local/bin/ /usr/local/bin/ # Copy ECR Credential Helper Configuration COPY --from=aws-tools /root/.docker/config.json /root/.docker/config.json
-
To build the custom GitLab Runner Docker image within a
.gitlab-ci.yml
, include the following example below:variables: DOCKER_DRIVER: overlay2 IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME GITLAB_RUNNER_VERSION: v17.3.0 AWS_CLI_VERSION: 2.17.36 stages: - build build-image: stage: build script: - echo "Logging into GitLab container registry..." - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY - echo "Building Docker image..." - docker build --build-arg GITLAB_RUNNER_VERSION=${GITLAB_RUNNER_VERSION} --build-arg AWS_CLI_VERSION=${AWS_CLI_VERSION} -t ${IMAGE_NAME} . - echo "Pushing Docker image to GitLab container registry..." - docker push ${IMAGE_NAME} rules: - changes: - Dockerfile