We have CI running in the Docker executor with docker-dind on GitLab. Here it is:
```yaml
docker-build-job:
  stage: build
  image: docker:20.10.6
  # GitLab CI expects the key "script"; "scripts" is rejected as an unknown key
  script:
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.our.ru
```
config.toml:
```toml
[runners.docker]
  image = "docker:20.10.6"
  tls_verify = false
  privileged = true
  disable_entrypoint_overwrite = false
  oom_kill_disable = false
  disable_cache = false
  volumes = ["/cache", "/certs/client", "/usr/share/ca-certificates:/certs"]
  shm_size = 0
  [[runners.docker.services]]
    alias = "docker"
    name = "docker:20.10.12-dind"
    volumes = ["/cache", "/certs/client", "/etc/gitlab-runner/certs:/certs/ca:ro"]
    command = ['/bin/sh', '-c', 'ls -alh /certs/client && dockerd-entrypoint.sh || exit']
```
I have the following questions, please help:
- There is docker:20.10.12-dind in the runners.docker.services section of config.toml. As far as I understand, the scripts of all CI jobs will be executed inside the docker-dind container, and it doesn’t depend on the absence of the ‘services: docker:19.03.12-dind’ instruction in the CI job. Am I right?
So, will this filled-in [[runners.docker.services]] section automatically execute job scripts inside the dind container?
- As far as I understood, this command is executed in the dind container:
```yaml
- docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.our.ru
```
The following error appears: Error response from daemon: Get "https://registry.our.ru/v2/": x509: certificate signed by unknown authority
I also executed this command:
```
openssl s_client -showcerts -connect registry.our.ru:443
```
and got a response with ‘Verification: OK’. I understand that all my certificates are right. I can log in to registry.our.ru from my gitlab-runner computer with no problem.
Please tell me what I am doing wrong.
- There is the following text in the Docker registry config file (config.yml):
```yaml
auth:
  token:
    realm: https://gitlab.our.ru/jwt/auth
    service: container_registry
    issuer: omnibus-gitlab-issuer
    rootcertbundle: /etc/docker/registry/ssl/gitlab-registry.crt
```
Do I understand correctly that $CI_BUILD_TOKEN is involved in the creation of the certificate? Where should this certificate be located in the dind container? Is this certificate verified by the root certificate located at /etc/docker/registry/ssl/gitlab-registry.crt?
Thank you in advance!