We have CI on GitLab using the docker executor with docker-dind. Here it is:
```yaml
# CI job
docker-build-job:
  stage: build
  image: docker:20.10.6
  script:
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.our.ru
```

```toml
# config.toml (GitLab Runner)
[runners.docker]
  image = "docker:20.10.6"
  tls_verify = false
  privileged = true
  disable_entrypoint_overwrite = false
  oom_kill_disable = false
  disable_cache = false
  volumes = ["/cache", "/certs/client", "/usr/share/ca-certificates:/certs"]
  shm_size = 0
  [[runners.docker.services]]
    alias = "docker"
    name = "docker:20.10.12-dind"
    volumes = ["/cache", "/certs/client", "/etc/gitlab-runner/certs:/certs/ca:ro"]
    command = ['/bin/sh', '-c', 'ls -alh /certs/client && dockerd-entrypoint.sh || exit']
```

I have the following questions, please help:
- There is docker:20.10.12-dind in the runners.docker.services section of config.toml. As far as I understand, the scripts of all CI jobs will be executed inside the docker-dind container, and this doesn’t depend on the absence of a ‘services: docker:19.03.12-dind’ instruction in the CI job. Am I right?
So, will this filled-in [[runners.docker.services]] section automatically execute job scripts inside the dind container?
- As far as I understand, this command is executed in the dind container:

```
docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.our.ru
```

The following error appears:

```
Error response from daemon: Get "https://registry.our.ru/v2/": x509: certificate signed by unknown authority
```

I also execute this command:

```
openssl s_client -showcerts -connect registry.our.ru:443
```

and get a response with ‘Verification: OK’. I understand that all my certificates are right. I can log in to registry.our.ru from my gitlab-runner computer with no problem.
Please tell me what I am doing wrong.
- There is the following text in the docker registry config file (config.yml):

```yaml
auth:
  token:
    realm: https://gitlab.our.ru/jwt/auth
    service: container_registry
    issuer: omnibus-gitlab-issuer
    rootcertbundle: /etc/docker/registry/ssl/gitlab-registry.crt
```
Do I understand correctly that $CI_BUILD_TOKEN is involved in the creation of the certificate? Where should this certificate be located in the dind container? Is this certificate verified by the root certificate located at /etc/docker/registry/ssl/gitlab-registry.crt?
Thank you in advance!
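
The symptom in this post (openssl on the runner host reports ‘Verification: OK’ while the Docker daemon reports "certificate signed by unknown authority") is consistent with two verifiers consulting different trust stores. The script below is an added example, not part of the original post: it builds a throwaway CA and registry certificate with openssl and verifies the same certificate against a bundle that contains the signing CA and one that does not. All names, keys and file names in it are constructed, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: every key, certificate and hostname below is constructed.

# Build a throwaway PKI in a temp dir and print its path:
#   ca.crt    - private CA that signs the registry certificate
#   other.crt - unrelated CA, standing in for a trust store without ca.crt
#   leaf.crt  - registry certificate issued by ca.crt
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Private CA" -keyout ca.key -out ca.crt &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Unrelated CA" -keyout other.key -out other.crt &&
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=registry.example.test" -keyout leaf.key -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 1 -out leaf.crt
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

# Exit status 0 only if certificate $2 chains to a CA found in bundle $1.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same certificate, two trust stores, two different verdicts.
demo_dir=$(make_demo_pki) || { echo "openssl is required" >&2; exit 1; }
for bundle in ca.crt other.crt; do
    if chain_trusted "$demo_dir/$bundle" "$demo_dir/leaf.crt"; then
        echo "trust store $bundle: verification OK"
    else
        echo "trust store $bundle: certificate signed by unknown authority"
    fi
done
rm -rf "$demo_dir"
```

The Docker daemon reads per-registry CA certificates from `/etc/docker/certs.d/<registry-host>/ca.crt`, so the same comparison can be made with whatever CA file is actually visible inside the dind service container.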