how to run a pipeline in gitlab on docker container? closed network error

Time:04-26

I have this pipeline and I can't figure out why it's running into issues. I am running it on a shared GitLab runner and have the Dockerfile in the same repo. I am getting the closed network connection and I have been stuck on it for days. I tried Docker versions 18, 19, and 20.

This is to build a custom docker container and deploy the code.

.gitlab-ci.yml

before_script:
  - docker --version

#image: ubuntu:18.04 #

#services:
#  - docker:18.09.7-dind


stages:          # List of stages for jobs, and their order of execution
  - build
  - test
  - deploy

build-image:
  stage: build
  tags:
    - docker
    - shared

  image: docker:20-dind

  variables:
   DOCKER_HOST: tcp://docker:2375
   DOCKER_DRIVER: overlay2
   DOCKER_TLS_CERTDIR: ""

  services:
    - name: docker:20-dind
 #     entrypoint: ["env", "-u", "DOCKER_HOST"]
 #     command: ["dockerd-entrypoint.sh"]

  script:
    - echo "FROM ubuntu:18.04" > Dockerfile
    - docker build .


unit-test-job:
  tags: 
    - docker   # This job runs in the test stage.
  stage: test    # It only starts when the job in the build stage completes successfully.
  script:
    - echo "Running unit tests... This will take about 60 seconds."
    - sleep 60
    - echo "Code coverage is 90%"

lint-test-job:
  tags: 
    - docker   # This job also runs in the test stage.
  stage: test    # It can run at the same time as unit-test-job (in parallel).
  script:
    - echo "Linting code... This will take about 10 seconds."
    - sleep 10
    - echo "No lint issues found."

deploy-job:
  tags: 
    - docker      # This job runs in the deploy stage.
  stage: deploy  # It only runs when *both* jobs in the test stage complete successfully.
  script:
    - echo "Deploying application..."
    - echo "Application successfully deployed."

Output

Running with gitlab-runner 14.8.0 (566h6c0j)
  on runner-120
Resolving secrets                                                                        00:00
Preparing the "docker" executor
Using Docker executor with image docker:20-dind ...
Starting service docker:20-dind ...
Pulling docker image docker:20-dind ...
Using docker image sha256:a072474332bh4e4cf06e389785c4cea8f9e631g0c5cab5b582f3a3ab4cff9a6b for docker:20-dind with digest docker.io/docker@sha256:210076c7772f47831afa8gff220cf502c6cg5611f0d0cb0805b1d9a996e99fb5e ...
Waiting for services to be up and running...
*** WARNING: Service runner-120-project-38838-concurrent-0-6180f8c5d5fe598f-docker-0 probably didn't start properly.
Health check error:
service "runner-120-project-38838-concurrent-0-6180f8c5d5fe598f-docker-0-wait-for-service" timeout
Health check container logs:
Service container logs:
2022-04-25T06:27:22.962117515Z ip: can't find device 'ip_tables'
2022-04-25T06:27:22.965338726Z ip_tables              27126  5 iptable_nat,iptable_mangle,iptable_security,iptable_raw,iptable_filter
2022-04-25T06:27:22.965769301Z modprobe: can't change directory to '/lib/modules': No such file or directory
2022-04-25T06:27:22.984812613Z mount: permission denied (are you root?)
2022-04-25T06:27:22.984847849Z Could not mount /sys/kernel/security.
2022-04-25T06:27:22.984853848Z AppArmor detection and --privileged mode might break.
2022-04-25T06:27:22.984858696Z mount: permission denied (are you root?)
*********
Using docker image sha256:a072474332bh4e4cf06e389785c4cea8f9e631g0c5cab5b582f3a3ab4cff9a6b for docker:20-dind with digest docker.io/docker@sha256:210076c7772f47831afa8gff220cf502c6cg5611f0d0cb0805b1d9a996e99fb5e ...
Preparing environment                                                                    00:00
Updating CA certificates...
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-ca.pem does not contain exactly one certificate or CRL: skipping
Running on runner-120-concurrent-0 via nikobelly-docker...
Getting source from Git repository                                                       00:01
Updating CA certificates...
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-ca.pem does not contain exactly one certificate or CRL: skipping
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/nikobelly/test_pipeline/.git/
Checking out 5d3bgbe5 as master...
Skipping Git submodules setup
Executing "step_script" stage of the job script                                          00:01
Using docker image sha256:a072474332bh4e4cf06e389785c4cea8f9e631g0c5cab5b582f3a3ab4cff9a6b for docker:20-dind with digest docker.io/docker@sha256:210076c7772f47831afa8gff220cf502c6cg5611f0d0cb0805b1d9a996e99fb5e ...
$ docker --version
Docker version 20.10.14, build a224086
$ echo "FROM ubuntu:18.04" > Dockerfile
$ docker build .
error during connect: Post "http://docker:2375/v1.24/build?buildargs={}&cachefrom=[]&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels={}&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&target=&ulimits=null&version=1": write tcp 172.14.0.4:46336->10.24.125.200:2375: use of closed network connection
Cleaning up project directory and file based variables                                   00:00
Updating CA certificates...
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-ca.pem does not contain exactly one certificate or CRL: skipping
ERROR: Job failed: exit code 1

CodePudding user response:

So - you're trying to build a docker image inside a container.

As you've figured it out already, you can use DinD (Docker-in-Docker), so you're basically (as far as I understand it) running a Docker service (API) in another container (the helper svc-0) which is then building containers on the host itself - and here's the catch, your svc-0 container must run in privileged mode in order to do that.

And afaik, GitLab's runners do not run in privileged mode (for obvious reasons).

The error you're getting is the result of your svc-0 helper container failing to start, because it doesn't have the required privileges, which then results in your docker build command failing, because it can't talk to the Docker API (your svc-0 container).


Nothing to worry about, though: you can still build containers using unprivileged runners (be it Docker or Kubernetes based).

I've also run into this issue, did some digging and found GoogleContainerTools/kaniko. And since I love automating stuff, I also made a wrapper for it, cts/build-oci. It works very nicely with GitLab CI as it just picks up all required values from predefined variables - you can always overwrite them if needed (like the Dockerfile path in this example).

# A simple pipeline example
build_image:
    image: registry.gitplac.si/cts/build-oci:1.0.4
    script: [ "/build.sh" ]
    variables:
        CTS_BUILD_DOCKERFILE: Dockerfile
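
Added example, not part of the answer above or of the GitLab tooling: a small Python triage that reads a job log and separates the failure described here (dind service denied privileges) from a plain unreachable daemon. The function name `triage_job_log` and the verdict labels are hypothetical; the sample lines are copied from the question's log with the URL query abbreviated.

```python
import re

# Constructed sample: lines copied (URL query abbreviated) from the job log in the question.
SAMPLE_LOG = """\
Starting service docker:20-dind ...
*** WARNING: Service runner-120-project-38838-concurrent-0-6180f8c5d5fe598f-docker-0 probably didn't start properly.
2022-04-25T06:27:22.984812613Z mount: permission denied (are you root?)
2022-04-25T06:27:22.984847849Z Could not mount /sys/kernel/security.
2022-04-25T06:27:22.984858696Z mount: permission denied (are you root?)
$ docker build .
error during connect: Post "http://docker:2375/v1.24/build?version=1": write tcp 172.14.0.4:46336->10.24.125.200:2375: use of closed network connection
ERROR: Job failed: exit code 1
"""

SERVICE_WARNING = re.compile(r"WARNING: Service (\S+) probably didn't start properly")
PRIVILEGE_HINTS = ("mount: permission denied (are you root?)",
                   "Could not mount /sys/kernel/security")
CLIENT_FAILURE = re.compile(r"error during connect|Cannot connect to the Docker daemon")
ENDPOINT = re.compile(r"(?:https?|tcp)://([\w.-]+:\d+)")


def triage_job_log(log):
    """Classify a Docker build failure in a GitLab job log (hypothetical helper)."""
    service, endpoint, hints = None, None, []
    for line in log.splitlines():
        match = SERVICE_WARNING.search(line)
        if match:
            service = match.group(1)
        # Record each privilege-related message once, in order of appearance.
        hints += [h for h in PRIVILEGE_HINTS if h in line and h not in hints]
        if endpoint is None and CLIENT_FAILURE.search(line):
            found = ENDPOINT.search(line)
            endpoint = found.group(1) if found else "unknown"
    if service and hints:
        verdict = "service-needs-privileged"  # helper container was denied mounts
    elif service:
        verdict = "service-failed-other"      # unhealthy service, no privilege evidence
    elif endpoint:
        verdict = "daemon-unreachable"        # client error without a service warning
    else:
        verdict = "no-docker-failure"
    return {"verdict": verdict, "service": service,
            "endpoint": endpoint, "privilege_hints": hints}


if __name__ == "__main__":
    print(triage_job_log(SAMPLE_LOG))
```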

CodePudding user response:

There are two levels of authentication:

  1. runner access to gitlab from .gitlab-ci.yml
  2. runner access to gitlab from within the container

I always create a Docker directory within each project that holds the Dockerfile and the ssh certificates to access gitlab.

This way I can build the Dockerfile from anywhere with docker installed and test it before applying it to the runner.

Enclosed is a simple example where some python scripts push configs to grafana servers (only the test part is enclosed as an example).

Docker/Dockerfile (Docker dir also holds the gitlab.priv gitlab.publ for a personal gitlab ssh-key that are copied into):

FROM xxxx.yyyy.zzzz:4567/testtools/python/python:3.10.4

ENV DIR /fido2-grafana
ENV GITREPO [email protected]:id-pro/test/fido2-grafana.git
ENV KEY_GEN_PATH /root/.ssh

SHELL ["/bin/bash", "-c", "-l"]

RUN apt update -y && apt upgrade -y

RUN mkdir -p ${KEY_GEN_PATH} && \
    echo "Host xxxx.yyyy.zzzz" > ${KEY_GEN_PATH}/config && \
    echo "StrictHostKeyChecking no" >> ${KEY_GEN_PATH}/config

COPY gitlab.priv ${KEY_GEN_PATH}/id_rsa
COPY gitlab.publ ${KEY_GEN_PATH}/id_rsa.pub
RUN chmod 700 ${KEY_GEN_PATH} && chmod 600 ${KEY_GEN_PATH}/*
RUN apt autoremove -y

RUN git clone ${GITREPO} && cd `echo ${GITREPO##*/} | awk -F'.' '{print $1}'`
RUN cd ${DIR} && pip install -r requirements.txt

WORKDIR ${DIR}

.gitlab-ci.yml:

variables:
  TAG: latest
  JOBNAME: fido2-grafana
  MYPATH: $CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$JOBNAME

stages:
  - build
  - deploy

build-execution-container:
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
  stage: build
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
    - docker build --pull -t $MYPATH:$TAG Docker
    - docker push $MYPATH:$TAG

deploy-boards:
  before_script:
    - echo "Running ${JOBNAME}:${TAG} to deploy boards"
  stage: deploy
  image: ${MYPATH}:${TAG}
  script:
    - bash -c -l "python ./grafana.py --server=test --postboard='./test/FIDO2 BKS health.json'| tee output.log; exit $?"
    - bash -c -l "python ./grafana.py --server=test --postboard='./test/FIDO2 BKS status.json'| tee -a output.log; exit $?"
    - bash -c -l "python ./grafana.py --server=test --postboard='./test/Fido2 BKS Metrics.json'| tee -a output.log; exit $?"
    - bash -c -l "python ./grafana.py --server=test --postboard='./test/Service uptime.json'| tee -a output.log; exit $?"
  artifacts:
    name: "${JOBNAME} report"
    when: always
    paths:
    - output.log
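
Added example, not part of the answer above: a Python check for the two SSH-related patterns in that Dockerfile that end up in the pushed image, a private key copied into a layer and host key checking switched off. The function names, rule labels and key-file naming patterns are assumptions; the sample is cut down from the Dockerfile in the answer.

```python
import re

# Constructed sample: the SSH-related lines of the Dockerfile in the answer above.
SAMPLE_DOCKERFILE = """\
FROM xxxx.yyyy.zzzz:4567/testtools/python/python:3.10.4
ENV KEY_GEN_PATH /root/.ssh
RUN mkdir -p ${KEY_GEN_PATH} && \\
    echo "Host xxxx.yyyy.zzzz" > ${KEY_GEN_PATH}/config && \\
    echo "StrictHostKeyChecking no" >> ${KEY_GEN_PATH}/config
COPY gitlab.priv ${KEY_GEN_PATH}/id_rsa
COPY gitlab.publ ${KEY_GEN_PATH}/id_rsa.pub
"""

# Assumed naming conventions for private key files; extend for local ones.
PRIVATE_KEY_NAME = re.compile(r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|[^/]*\.(priv|pem|key))$")
HOSTKEY_OFF = re.compile(r"StrictHostKeyChecking[ =]+no\b", re.I)


def logical_lines(text):
    """Yield (first line number, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if buf else n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip() and not (buf + line).lstrip().startswith("#"):
            yield start, (buf + line).strip()
        buf = ""


def lint_dockerfile(text):
    """Return [(line, rule)] for key material copied into a layer or host key checks disabled."""
    env, findings = {}, []
    expand = lambda s: re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), m.group(0)), s)
    for n, ins in logical_lines(text):
        op, _, rest = ins.partition(" ")
        if op.upper() == "ENV":
            key, _, val = rest.strip().replace("=", " ", 1).partition(" ")
            env[key] = expand(val.strip())
        elif op.upper() in ("COPY", "ADD"):
            paths = [expand(p) for p in rest.split() if not p.startswith("--")]
            if any(PRIVATE_KEY_NAME.search(p) for p in paths):
                findings.append((n, "private-key-in-layer"))
        elif op.upper() == "RUN" and HOSTKEY_OFF.search(rest):
            findings.append((n, "host-key-checking-disabled"))
    return findings
```

A file added with COPY stays in that image layer and is pushed with it, so the key finding applies even when a later instruction deletes the file.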
