Build and deploy docker containers with GitLab CI

image: an-image-with-docker-and-docker-compose

variables:
  DOCKER_TLS_VERIFY: "1"
  DOCKER_CERT_PATH: ".docker"

before_script:
  - mkdir -p $DOCKER_CERT_PATH
  - echo "$DOCKER_CA" > $DOCKER_CERT_PATH/ca.pem
  - echo "$DOCKER_CERT" > $DOCKER_CERT_PATH/cert.pem
  - echo "$DOCKER_KEY" > $DOCKER_CERT_PATH/key.pem
  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY

after_script:
  - docker logout $CI_REGISTRY
  - rm -rf $DOCKER_CERT_PATH

.dedicated-runner: &dedicated-runner
  tags:
    - docker
    - linux

build:
  <<: *dedicated-runner
  stage: build
  variables:
    DOCKER_HOST: "tcp://docker-host-for-build:2376"
    # Define which docker-compose files should be used for build
    #COMPOSE_FILE: "docker-compose.yml:docker-compose.build.yml"
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE" .
    - docker push "$CI_REGISTRY_IMAGE"
    # Or use docker-compose if you have to build and push multiple images:
    #- docker-compose build --pull
    #- docker-compose push

deploy:dh01:
  <<: *dedicated-runner
  stage: deploy
  variables:
    DOCKER_HOST: "tcp://docker-host-to-run:2376"
  script:
    - docker-compose pull
    - docker-compose up -d

Build and deploy docker containers with GitLab CI

Prepare your runner

Possible solutions:

  1. Shell executor https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-shell-executor
    • Pro:
      • Easy setup
      • Runner can be added on system, group and on project level
    • Con:
      • You have to maintain an additional runner for docker builds
      • All runners and jobs need tags (if they do not have them already) to avoid running jobs on the wrong runner
  2. dind
    https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-executor
    • Pro:
      • Easy setup
    • Con:
      • No access control over who can build
  3. Docker Socket binding
    https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-socket-binding
    • Pro:
      • Easy setup
    • Con:
      • No access control over who can build
      • Everyone can control the docker daemon of the host!!!
  4. Docker TLS
    https://docs.docker.com/engine/security/https/
    https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts
    • Pro:
      • Only projects / developers with access to the keys can control the docker daemon
    • Con:
      • Setup is more complex as you need a CA and a workflow to distribute the keys
  5. kaniko since GitLab 11.2
    https://about.gitlab.com/2018/08/22/gitlab-11-2-released/#securely-build-docker-images-with-kaniko
    https://docs.gitlab.com/ee/ci/docker/using_kaniko.html
    Not tested by myself yet!
    • Con:
      • No docker-compose support ATM

Prepare your docker host

  1. Enable TLS on the docker daemon: https://docs.docker.com/engine/security/https/ (for conflicts between daemon.json and startup scripts see https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts)

Prepare your .gitlab-ci.yml

The GitLab CI environment variables contain everything needed to log in to your GitLab Docker registry and to set the right image name for the project; see https://docs.gitlab.com/ce/ci/variables/.
To structure multiple services just add a level to the image name, e.g. ${CI_REGISTRY_IMAGE}/web.
You just have to add

  • DOCKER_CA
  • DOCKER_CERT
  • DOCKER_KEY

as (protected) (group) variables to authenticate at your docker host. Protected variables are only available for builds of protected branches, so only users with the permission to merge to a protected branch can trigger a build/deployment.

version: '3.5'
services:
  web:
    build:
      context: .
      dockerfile: Dockerfile.Web
  typo3:
    build:
      context: .
      dockerfile: Dockerfile.TYPO3

version: '3.5'
services:
  web:
    image: ${CI_REGISTRY_IMAGE}/web
  typo3:
    image: ${CI_REGISTRY_IMAGE}/typo3

{
  "hosts": [
    "fd://",
    "tcp://0.0.0.0:2376"
  ],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
}

# https://docs.docker.com/config/daemon/#troubleshoot-conflicts-between-the-daemonjson-and-startup-scripts
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
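
An added example, not part of the original gist: a small Python check for a daemon.json like the one above that flags a TCP listener which is not protected by client-certificate verification. The function name `audit_daemon_config` and both sample documents are assumptions constructed for illustration.

```python
import json

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")

def audit_daemon_config(text):
    """Return a list of findings for a dockerd daemon.json document."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only local sockets, nothing listens on the network
    if not cfg.get("tlsverify", False):
        if cfg.get("tls", False):
            # "tls" alone encrypts, but the daemon does not ask for a client cert
            findings.append("tls without tlsverify: any client may connect")
        else:
            findings.append("tcp listener without TLS: unauthenticated daemon access")
    for key in TLS_FILE_KEYS:
        if not cfg.get(key):
            findings.append(f"{key} is not set explicitly")
    for host in tcp_hosts:
        if host.rsplit(":", 1)[-1] == "2375":
            findings.append(f"{host}: 2375 is the conventional plaintext port")
    return findings

# Constructed sample: same settings as the daemon.json shown on this page.
PAGE_CONFIG = """{
  "hosts": ["fd://", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "tlsverify": true
}"""

# Constructed sample: the weak variant, a TCP listener with no TLS settings.
WEAK_CONFIG = '{"hosts": ["fd://", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    for name, doc in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        problems = audit_daemon_config(doc)
        print(name, "OK" if not problems else problems)
```
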