LeoniePhiline/.gitlab-ci.yml

## .gitlab-ci.yml
image: an-image-with-docker-and-docker-compose

variables:
  DOCKER_TLS_VERIFY: "1"
  DOCKER_CERT_PATH: ".docker"

before_script:
- mkdir -p $DOCKER_CERT_PATH
- echo "$DOCKER_CA" > $DOCKER_CERT_PATH/ca.pem
- echo "$DOCKER_CERT" > $DOCKER_CERT_PATH/cert.pem
- echo "$DOCKER_KEY" > $DOCKER_CERT_PATH/key.pem
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY

after_script:
- docker logout $CI_REGISTRY
- rm -rf $DOCKER_CERT_PATH

.dedicated-runner: &dedicated-runner
  tags:
  - docker
  - linux

build:
  <<: *dedicated-runner
  stage: build
  variables:
    DOCKER_HOST: "tcp://docker-host-for-build:2376"
    # Define which docker-compose files should be used for build
    #COMPOSE_FILE: "docker-compose.yml:docker-compose.build.yml"
  script:
  - docker build --pull -t "$CI_REGISTRY_IMAGE" .
  - docker push "$CI_REGISTRY_IMAGE"
  # Or use docker-compose if you have to build and push multiple images:
  #- docker-compose build --pull
  #- docker-compose push

deploy:dh01:
  <<: *dedicated-runner
  stage: deploy
  variables:
    DOCKER_HOST: "tcp://docker-host-to-run:2376"
  script:
  - docker-compose pull
  - docker-compose up -d

## Readme.md

      
    Raw
  

              Readme.md
            
          
    Build and deploy docker containers with GitLab CI

Prepare your runner

Possible solutions:

Shell executer
https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-shell-executor

Pro:

Easy setup
Runner can be added on system, group and on project level


Con:

Maintain additional runner for docker builds
Tags for all runner and jobs to avoid running jobs on wrong runner if not already


dind

https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-executor

Pro:

Easy setup


Con:

No access control who can build


Docker Socket binding

https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-socket-binding

Pro:

Easy setup


Con:

No access control who can build
Everyone can control the docker daemon of the host!!!


Docker TLS

https://docs.docker.com/engine/security/https/

https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts

Pro:

Just projects / developer with access to the keys can control the docker daemon


Con:

Setup is more complex as you need a CA and a workflow to distribute the keys


kaniko since GitLab 11.2

https://about.gitlab.com/2018/08/22/gitlab-11-2-released/#securely-build-docker-images-with-kaniko

https://docs.gitlab.com/ee/ci/docker/using_kaniko.html
Not tested by myself yet!

Con:

No docker-compose support ATM


Prepare your docker host


https://docs.docker.com/engine/security/https/ (https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts)

Prepare your .gitlab-ci.yml

The environment variables contain all necessary stuff to login to your GitLab Docker registry and to set the right image name for the project... https://docs.gitlab.com/ce/ci/variables/.

To structure multiple services just add a level to the image name, e.g. ${CI_REGISTRY_IMAGE}/web.

You just have to add

DOCKER_CA
DOCKER_CERT
DOCKER_KEY

as (protected) (group) vars to authenticate at your docker host.
Protected vars are only available for builds of protected branches. So just users with the permission to merge to a protected branch can trigger a build/deployment.

  
## docker-compose.build.yml
version: '3.5'
services:
  web:
    build:
      context: .
      dockerfile: Dockerfile.Web

  typo3:
    build:
      context: .
      dockerfile: Dockerfile.TYPO3

## docker-compose.yml
version: '3.5'
services:
  web:
    image: ${CI_REGISTRY_IMAGE}/web

  typo3:
    image: ${CI_REGISTRY_IMAGE}/typo3

## etc_docker_daemon.json
{
  "hosts": [
    "fd://",
    "tcp://0.0.0.0:2376"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
}

## etc_systemd_system_docker.service.d_docker.conf
# https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
	image: an-image-with-docker-and-docker-compose

	variables:
	DOCKER_TLS_VERIFY: "1"
	DOCKER_CERT_PATH: ".docker"

	before_script:
	- mkdir -p $DOCKER_CERT_PATH
	- echo "$DOCKER_CA" > $DOCKER_CERT_PATH/ca.pem
	- echo "$DOCKER_CERT" > $DOCKER_CERT_PATH/cert.pem
	- echo "$DOCKER_KEY" > $DOCKER_CERT_PATH/key.pem
	- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY

	after_script:
	- docker logout $CI_REGISTRY
	- rm -rf $DOCKER_CERT_PATH

	.dedicated-runner: &dedicated-runner
	tags:
	- docker
	- linux

	build:
	<<: *dedicated-runner
	stage: build
	variables:
	DOCKER_HOST: "tcp://docker-host-for-build:2376"
	# Define which docker-compose files should be used for build
	#COMPOSE_FILE: "docker-compose.yml:docker-compose.build.yml"
	script:
	- docker build --pull -t "$CI_REGISTRY_IMAGE" .
	- docker push "$CI_REGISTRY_IMAGE"
	# Or use docker-compose if you have to build and push multiple images:
	#- docker-compose build --pull
	#- docker-compose push

	deploy:dh01:
	<<: *dedicated-runner
	stage: deploy
	variables:
	DOCKER_HOST: "tcp://docker-host-to-run:2376"
	script:
	- docker-compose pull
	- docker-compose up -d
	version: '3.5'
	services:
	web:
	build:
	context: .
	dockerfile: Dockerfile.Web

	typo3:
	build:
	context: .
	dockerfile: Dockerfile.TYPO3
	{
	"hosts": [
	"fd://",
	"tcp://0.0.0.0:2376"
	],
	"tls": true,
	"tlscacert": "/etc/docker/ca.pem",
	"tlscert": "/etc/docker/server-cert.pem",
	"tlskey": "/etc/docker/server-key.pem",
	"tlsverify": true
	}
	# https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts
	[Service]
	ExecStart=
	ExecStart=/usr/bin/dockerd