Docker inside the CI runner? #9
Comments
Yes, it's possible! I created this feature for my work. I think I'll create a PR, please wait ;)
@rubenv This can easily be achieved using the However, I would not recommend this as you can easily get access to the host filesystem like so:
docker run -it --rm -v /:/hostfs ubuntu:14.04 bash
So any individual who has access to the ci-runner will be able to do very very bad things to the host. Since gitlab-ci basically allows you to craft bash scripts for your tests, you can do all of this in a fancy web ui 😃
@rubenv Instead you should build a runner specifically designed for the software you want to test and assign it a specific repo.
I disagree! I use Docker in my runners with the wrapdocker sh from https://github.com/jpetazzo/dind. I created a common runner image with Docker and Fig installed.
@cedvan My point is using I have not used dind and I am not aware of the security implications it might have. Maybe it's safe, maybe it's not. Whatever the case, whether you decide to use it or not is a decision you have to make.
I have been using the dind sh for three months. My projects work in dev, preprod and prod with docker and fig. For now I am satisfied with this system.
dind isn't really much safer than exposing the host docker (you have There are some very serious downsides to dind, most notably the fact that The security side of this is something you should be aware of. In our case Thanks for the hint about mounting the socket. Simple but perfect.
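A defender-side check for the settings discussed in the comments above (a bind mount of the host's /, the host Docker socket, and a privileged dind runner), added here as an example that is not code from the thread or from the project. It audits records shaped like docker inspect output; the sample records and container names are constructed, and it assumes the dind runner is started with --privileged.

```python
import posixpath

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def bind_sources(container):
    """Yield (host_path, writable) for each bind mount in one inspect record."""
    seen = set()
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind":
            seen.add(m["Source"])
            yield m["Source"], m.get("RW", True)
    # Fall back to HostConfig.Binds ("src:dst[:mode]") when Mounts lacks the entry.
    for spec in (container.get("HostConfig") or {}).get("Binds") or []:
        parts = spec.split(":")
        if len(parts) >= 2 and parts[0].startswith("/") and parts[0] not in seen:
            mode = parts[2] if len(parts) > 2 else "rw"
            yield parts[0], "ro" not in mode.split(",")

def audit(containers):
    """Map container name -> sorted findings that give a job control of the host."""
    report = {}
    for c in containers:
        findings = set()
        if (c.get("HostConfig") or {}).get("Privileged"):
            findings.add("privileged")
        for src, writable in bind_sources(c):
            path = posixpath.normpath(src)
            if path in DOCKER_SOCKETS:
                findings.add("docker-socket")
            elif path == "/":
                findings.add("host-root-rw" if writable else "host-root-ro")
        if findings:
            report[c["Name"].lstrip("/")] = sorted(findings)
    return report

# Constructed records shaped like `docker inspect` output; names are hypothetical.
SAMPLE = [
    {"Name": "/ci-hostfs", "HostConfig": {"Privileged": False, "Binds": ["/:/hostfs"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs", "RW": True}]},
    {"Name": "/ci-socket", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/ci-dind", "HostConfig": {"Privileged": True}, "Mounts": []},
    {"Name": "/ci-plain", "HostConfig": {"Privileged": False, "Binds": ["cache:/cache"]},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a runner host the input would be the parsed JSON from docker inspect over the running containers.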
@rubenv Oh yes, I know the storage problem. I have a cron job that cleans stopped containers and images with a tag every day in my dind runners. To force it when desired, remove the runner container and run it again to clear the ROM. The size of /var/lib/docker is a big problem of docker's garbage collector, independent of dind, see moby/moby#6802. Security is indeed a problem with a big team.
So should I do a pull request with wrapdocker to run docker in the runner?
See #10
Probably shouldn't be the default.
Ok. I'm closing the PR. Gitlab CI Runner with docker support in the runner (works for release v5.0.0-2):
Public docker registry link: https://registry.hub.docker.com/u/cedvan/gitlab-ci-runner-dind/
You can also use the runner with fig:
@cedvan You should rather create a new image based on the
This will allow you to very easily update the image when new versions of the runner are released.
Yes, it's true. But this is impossible because the wrapdocker sh must be called in the init script, in the function appStart, before "exec /usr/bin/supervisord". Otherwise supervisor keeps control... Do you see another solution?
@cedvan can't wrapdocker be executed using supervisor?
Hum, I'll test ;)
I'm currently investigating switching over to gitlab for our CI builds.
Our build heavily uses Docker containers: during the build (to start test environments) and as an end-result: a deployable docker container.
For this to work we'd need access to Docker. Is there a way to expose the host docker inside the CI runner, so that we can control it? I'm cool with elevated privileges etc, it's all in a trusted/controlled environment anyway.