The Docker executor, when used with GitLab CI, connects to the Docker Engine and runs each build in a separate, isolated container. The image for the job is:
- either the predefined image set up in the runner configuration (config.toml)
- or the image set up in .gitlab-ci.yml
Using docker inside CI/CD jobs in GitLab means using Docker-in-Docker (dind), i.e.:
- using docker executor and
- using docker official image for the job
NOTE: please look at the pros/cons of using dind in a CI environment.
There are two possibilities to use docker commands within a CI job:
- use the daemon of the host (where runner is installed)
- use the daemon of the docker:dind GitLab CI service
Using the host's docker daemon within a container running a CI/CD job is achieved via Docker socket binding. The runner's configuration (config.toml) must declare a docker volume that shares the host's docker.sock:
[[runners]]
  [runners.docker]
    image = "docker:19.03.12"
    privileged = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
The second option is running a docker daemon within docker (the docker:dind service). This option needs docker privileged mode.
When you do this, you are effectively disabling all of the security mechanisms of containers and exposing your host to privilege escalation. Doing this can lead to container breakout.
[[runners]]
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:19.03.12"
    privileged = true
    disable_cache = false
    volumes = ["/certs/client", "/cache"]
More on Docker privileged mode on the Docker blog.
In this case we use the docker:dind service in a job:
image: docker:20.03
variables:
  # Instruct Docker to talk to the daemon started within the service. Starting from docker:19.03, this is done automatically if
  # the variable is not set:
  # https://github.com/docker-library/docker/blob/d45051476babc297257df490d22cbd806f1b11e4/19.03/docker-entrypoint.sh#L23-L29
  DOCKER_HOST: tcp://localhost:2376
services:
  - docker:20.03-dind
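Both runner setups above (socket binding and privileged dind) hand CI jobs control of the host's Docker daemon, so they are worth catching in a config review. The following audit script is an added example, not GitLab's code: it parses a config.toml with Python's tomllib (3.11+, or the tomli package on older interpreters) and reports each runner that mounts docker.sock, sets privileged = true, or disables TLS verification towards a TCP daemon; the sample config is constructed from the two snippets on this page.

```python
# Added example (not GitLab's code): flag docker-executor settings in a GitLab
# Runner config.toml that hand CI jobs control of the host's Docker daemon.
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

DOCKER_SOCK = "/var/run/docker.sock"

def audit_runner_config(toml_text: str) -> list[str]:
    """Return one finding per risky setting, in config order (empty = clean)."""
    cfg = tomllib.loads(toml_text)
    findings = []
    for idx, runner in enumerate(cfg.get("runners", [])):
        docker = runner.get("docker")
        if docker is None:  # shell, ssh, ... executors have no [runners.docker]
            continue
        name = runner.get("name", f"runner[{idx}]")
        if docker.get("privileged", False):  # required for docker:dind
            findings.append(f"{name}: privileged = true disables container "
                            "isolation; a job can escape to the host")
        for vol in docker.get("volumes", []):
            if vol.split(":")[0] == DOCKER_SOCK:  # socket binding
                findings.append(f"{name}: host socket mounted via {vol!r}; "
                                "a job can drive the host's Docker daemon")
        if docker.get("tls_verify") is False and str(docker.get("host", "")).startswith("tcp://"):
            findings.append(f"{name}: tls_verify = false for daemon {docker['host']}; "
                            "the runner's connection to it is unauthenticated")
    return findings

# Constructed sample: the two config.toml snippets from this page, given names.
SAMPLE_CONFIG = """\
[[runners]]
  name = "socket-binding"
  [runners.docker]
    image = "docker:19.03.12"
    privileged = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
[[runners]]
  name = "dind"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:19.03.12"
    privileged = true
    volumes = ["/certs/client", "/cache"]
"""

if __name__ == "__main__":
    print("\n".join(audit_runner_config(SAMPLE_CONFIG)) or "no risky docker settings")
```

Run it against the real file with `audit_runner_config(open("/etc/gitlab-runner/config.toml").read())`; an empty list means none of the three settings is present.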