GitLab runner throws an error when I try to build a Docker image

gitlab-ci.yml

```yaml
container_scanning:
  stage: test
  image:
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
  variables:
    GIT_STRATEGY: none
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker build -t testdocker .
```

Dockerfile

```dockerfile
FROM Test.dev/devops/aquasec/trivy:0.16.0
RUN trivy filesystem --skip-update --exit-code 1 --no-progress /
```
error

```
/bin/sh: eval: line 138: docker: not found
$ docker build -t testdocker .
```

I have checked the docker image history; the entry point is ENTRYPOINT ["trivy"]:

```
~$ docker image history --no-trunc aquasec/trivy:latest
IMAGE                                                                     CREATED       CREATED BY                                                   SIZE     COMMENT
sha256:9a0e347a8cda3c2bdf3f4d7aa24ccfb3e5dce8763bf6064526fdecd06aafd711   4 days ago    ENTRYPOINT ["trivy"]                                         0B       buildkit.dockerfile.v0
<missing>                                                                 4 days ago    COPY contrib/*.tpl contrib/ # buildkit                       14.7kB   buildkit.dockerfile.v0
<missing>                                                                 4 days ago    COPY trivy /usr/local/bin/trivy # buildkit                   39.3MB   buildkit.dockerfile.v0
<missing>                                                                 4 days ago    RUN /bin/sh -c apk --no-cache add ca-certificates git # buildkit   13.5MB   buildkit.dockerfile.v0
<missing>                                                                 7 weeks ago   /bin/sh -c #(nop)  CMD ["/bin/sh"]                           0B
<missing>                                                                 7 weeks ago   /bin/sh -c #(nop) ADD file:aad4290d27580cc1a094ffaf98c3ca2fc5d699fe695dfb8e6e9fac20f1129450 in /   5.6MB
```
CodePudding user response:
The problem is that you're telling GitLab to run the pipeline within a container using the trivy image, which I suppose is a custom Dockerfile using aquasec/trivy as base image. If you haven't installed the Docker CLI in your custom image, there is no reason for it to be there.

```
❯ docker pull aquasec/trivy
Using default tag: latest
latest: Pulling from aquasec/trivy
a0d0a0d46f8b: Already exists
330bb1eb9af6: Pull complete
de4b3e2cc536: Pull complete
65a5529ac0a6: Pull complete
Digest: sha256:c5e2a98e1c1a34f2f6d80f02b4f78fb25ddafbadb8f2b3962059b14c8da1d6f8
Status: Downloaded newer image for aquasec/trivy:latest
docker.io/aquasec/trivy:latest

❯ docker run --rm -it --entrypoint sh aquasec/trivy
/ # docker --version
sh: docker: not found
```
If I scan that image with docker scan I can see it uses alpine:3.14.2 as base image and apk as package manager; so, in order to use Docker within that container, your custom image (the one under $CI_REGISTRY/devops/trivy/trivy:0.20.1) should have the Docker CLI installed.

Dockerfile

```dockerfile
FROM aquasec/trivy
RUN apk add docker-cli
```

And of course you have to have defined in the Docker runner's configuration under configuration.toml that the used images perform a bind-mount of /var/run/docker.sock.

Another option is to use Docker-in-Docker (directly install the whole Docker within the container and start the daemon on it). To use Docker in Docker you'd have to modify your job a little bit:
```yaml
container_scanning:
  stage: test
  image:
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
  services:
    - docker:19.03.12-dind
  variables:
    GIT_STRATEGY: none
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker build -t testdocker .
```

Keep in mind that in case you decide to use Docker in Docker instead of actually mounting the socket, you'll have the following limitations: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#limitations-of-docker-in-docker
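The answer refers to the runner-side configuration that makes the first option (Docker CLI in the image, host socket mounted into the job) work but does not show it. The `[runners.docker]` stanza below is an added example written for this page, not the answerer's or GitLab's own file; the runner name, URL and token are placeholders, and the keys used (`volumes`, `privileged`, `image`) are the standard GitLab Runner docker executor settings. The comments also mark where the second option (Docker-in-Docker) differs.

```toml
# Added example (not from the answer): GitLab Runner config.toml, docker executor.
[[runners]]
  name = "docker-runner-example"         # placeholder
  url = "https://gitlab.example.com/"    # placeholder
  token = "REPLACE_WITH_RUNNER_TOKEN"    # placeholder
  executor = "docker"
  [runners.docker]
    image = "alpine:3.14"                # default job image; the job's own `image:` overrides it
    # Option 1 (the answer's first suggestion): bind-mount the host daemon's socket into
    # every job container. The job's `docker` CLI (installed via `apk add docker-cli`)
    # then talks to the host daemon directly, so the job needs neither a dind service
    # nor the DOCKER_HOST / DOCKER_TLS_CERTDIR variables.
    # Risk to weigh: any command that runs in a job on this runner can drive the host
    # daemon, which is equivalent to root on the runner host. Register such a runner
    # only for projects whose pipelines you trust and tag it so other jobs cannot pick it.
    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]
    privileged = false
    # Option 2 (Docker-in-Docker, the answer's second job definition): do NOT mount the
    # socket; instead the docker:dind service starts its own daemon inside the job's
    # network, which requires the job container to be privileged:
    #   volumes = ["/cache"]
    #   privileged = true
    # With DOCKER_TLS_CERTDIR="" the dind daemon listens in plaintext on port 2375, and
    # DOCKER_HOST must name the service; under the docker executor the service is
    # reached by its alias (`docker`), while `localhost` works only where the service
    # shares the job's network namespace (for example the Kubernetes executor).
```

Whichever option is chosen, a quick way to confirm the fix before the build step is to add `docker version` as the first line of the job's `script:`: with the socket mount it prints both the client and the host daemon's server section; if only the client section appears (or the command is still not found) the image or the runner configuration is the part still missing.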