sameersbn / docker-gitlab-ci-runner

Dockerfile to build a base GitLab CI Runner container image.
MIT License
98 stars, 37 forks

Docker inside the CI runner? #9

Closed rubenv closed 9 years ago

rubenv commented 9 years ago

I'm currently investigating switching over to gitlab for our CI builds.

Our build heavily uses Docker containers: during the build (to start test environments) and as an end-result: a deployable docker container.

For this to work we'd need access to Docker. Is there a way to expose the host docker inside the CI runner, so that we can control it? I'm cool with elevated privileges etc, it's all in a trusted/controlled environment anyway.

cedvan commented 9 years ago

Yes, it's possible! I created this feature for my work. I think I'll create a PR, please wait ;)

sameersbn commented 9 years ago

@rubenv This can easily be achieved using the -v /var/run/docker.sock:/run/docker.sock -v $(which docker):/bin/docker options while starting the ci-runner. With these options you will be able to control the host docker from inside the container.

However, I would not recommend this as you can easily get access to the host filesystem like so:

docker run -it --rm -v /:/hostfs ubuntu:14.04 bash

So any individual who has access to the ci-runner will be able to do very, very bad things to the host. Since gitlab-ci basically allows you to craft bash scripts for your tests, you can do all of this in a fancy web UI :smiley:
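An added audit script, not from this thread or the project, that scans `docker inspect` JSON for exactly what the comment above warns about: a bind-mounted Docker socket, a bind-mounted host root, and, for completeness, `--privileged`. The sample records are constructed, and the script assumes the `Mounts` layout that newer Docker versions print in `docker inspect`.

```python
"""Flag containers whose mounts hand them control of the host.
Constructed sample data; assumes the modern `docker inspect` Mounts layout."""
import json

# Host paths that, when bind-mounted into a container, give it control of the host daemon.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def _normalize(path):
    # Treat "/var/run/docker.sock/" and "/var/run/docker.sock" alike; keep "/" as "/".
    return path.rstrip("/") or "/"


def audit_container(info):
    """Return a list of (container_name, finding) tuples for one inspect record."""
    name = info.get("Name", "").lstrip("/")
    findings = []
    if info.get("HostConfig", {}).get("Privileged"):
        findings.append((name, "privileged"))
    # Mounts lists both -v bind mounts and named volumes; only binds matter here.
    for mount in info.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue
        src = _normalize(mount.get("Source", ""))
        if src in DOCKER_SOCKET_PATHS:
            findings.append((name, "docker socket mounted at %s" % mount.get("Destination")))
        elif src == "/":
            findings.append((name, "host root mounted at %s" % mount.get("Destination")))
    return findings


def audit_all(inspect_output):
    """inspect_output: the JSON list that `docker inspect <id...>` prints."""
    return [f for c in json.loads(inspect_output) for f in audit_container(c)]


# Constructed sample: a runner started with the socket mount from this thread,
# a throwaway container with the host root mounted, and one clean container.
SAMPLE = json.dumps([
    {"Name": "/ci-runner", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/run/docker.sock"},
                {"Type": "bind", "Source": "/usr/bin/docker", "Destination": "/bin/docker"}]},
    {"Name": "/hostfs-shell", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs"}]},
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "Destination": "/data"}]},
])

if __name__ == "__main__":
    for container, finding in audit_all(SAMPLE):
        print("%s: %s" % (container, finding))
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_all` to list the containers that could reach the host this way.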

sameersbn commented 9 years ago

@rubenv Instead you should build a runner specifically designed for the software you want to test and assign it to a specific repo.

cedvan commented 9 years ago

I disagree!

I use Docker in my runners with the wrapdocker script from https://github.com/jpetazzo/dind. All my projects use Docker and Fig, so a specific runner is useless.

I created a common runner image with Docker and Fig installed. Next I created a runner container per project using this Docker image.

sameersbn commented 9 years ago

@cedvan My point is that using the -v /var/run/docker.sock:/run/docker.sock -v $(which docker):/bin/docker options for getting access to the host docker is not safe, as you can very easily gain access to the host filesystem.

I have not used dind and I am not aware of the security implications it might have. Maybe it's safe, maybe it's not. Whatever the case, whether you decide to use it or not is a decision you have to make.

cedvan commented 9 years ago

I have been using the dind script for three months. I still have found no error.

My projects work in dev, preprod and prod with Docker and Fig. My GitLab CI is built from your images (thank you again) and runs multiple dind runners to run my tests.

For now I am satisfied with this system.

rubenv commented 9 years ago

dind isn't really much safer than exposing the host docker (you have elevated privileges in both cases so it's possible to escape the container).

There are some very serious downsides to dind, most notably the fact that it will fall back to devicemapper and keeps growing in disk size.

The security side of this is something you should be aware of. In our case it's all trusted code with a known audit trail through git. If someone does bad things, we'll know.

Thanks for the hint about mounting the socket. Simple but perfect.

cedvan commented 9 years ago

@rubenv Oh yes, I know the storage problem. I have a cron job that cleans stopped containers and tagged images every day in my dind runners. To force a cleanup, I remove and run the runner container again to clear the ROM.

The size of /var/lib/docker is a big problem with Docker's garbage collection, independent of dind; see https://github.com/docker/docker/issues/6802.

Security is indeed a problem with a big team.

cedvan commented 9 years ago

So, should I do a pull request with wrapdocker to run Docker in the runner?

cedvan commented 9 years ago

See https://github.com/sameersbn/docker-gitlab-ci-runner/pull/10

rubenv commented 9 years ago

Probably shouldn't be the default.

cedvan commented 9 years ago

Ok. I'll close the PR.

GitLab CI Runner with Docker support inside the runner (works for release v5.0.0-2): https://github.com/cedvan/docker-gitlab-ci-runner-dind

cedvan commented 9 years ago

Public Docker registry link: https://registry.hub.docker.com/u/cedvan/gitlab-ci-runner-dind/

cedvan commented 9 years ago

You can also use the runner with Fig: https://github.com/cedvan/docker-gitlab-ci-runner-dind-fig https://registry.hub.docker.com/u/cedvan/gitlab-ci-runner-dind-fig

sameersbn commented 9 years ago

@cedvan You should rather create a new image based on the sameersbn/gitlab-ci-runner image, i.e.

FROM sameersbn/gitlab-ci-runner:5.0.0-1

This will allow you to very easily update the image when new versions of the runner are released.

cedvan commented 9 years ago

Yes, it's true.

But this is impossible, because the wrapdocker script must be called in the init script, in the appStart function, before "exec /usr/bin/supervisord". Otherwise supervisor keeps control...

Do you see another solution?

sameersbn commented 9 years ago

@cedvan can't wrapdocker be executed using supervisor?

cedvan commented 9 years ago

Hmm, I'll test ;)