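Context
I run my own GitLab instance with an additional CI server. In case it matters: the gitlab-runner host has CentOS 8, gitlab-runner is version 14.4.0, and the GitLab instance runs 14.4.1. I am currently using the shell executor on the CI server but would like to switch to the docker executor.
GitLab runner config
My /etc/gitlab-runner/config.toml looks like this: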
concurrent = 1
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "the old shell executor"
  url = "https://XXXXXXXXXXXXXXXXXXXXXX/"
  token = "XXXXXXXXXXXXXXXXXXXX"
  executor = "shell"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]

[[runners]]
  name = "the new docker executor"
  url = "https://XXXXXXXXXXXXXXXXXXXXXX/"
  token = "XXXXXXXXXXXXXXXXXXXX"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "docker.io/centos:7"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    network_mode = "host"
    shm_size = 0
The shell executor is tagged shell, and the docker executor is tagged docker, so that I can decide from the gitlab-ci.yml file where to run a build.
gitlab-ci.yml
.template:
  before_script:
    - cat /proc/sys/user/max_user_namespaces
  script:
    - $ENGINE login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - $ENGINE build -f container/php-71.dockerfile -t "$CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$TAG:$CI_PIPELINE_ID" .
    - $ENGINE push "$CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$TAG:$CI_PIPELINE_ID"

build-with-docker-in-shell-executor:
  extends: .template
  variables:
    ENGINE: docker
    TAG: build-with-docker
  tags: [shell]

build-with-docker-in-docker-executor:
  extends: .template
  image: docker:dind
  variables:
    ENGINE: docker
    TAG: build-with-docker-in-docker
  tags: [docker]

build-with-podman-in-docker-executor:
  extends: .template
  image: quay.io/podman/stable
  variables:
    ENGINE: podman
    TAG: build-with-podman-in-docker
  tags: [docker]
My container/php-71.dockerfile is simple: it uses centos:7 and runs a series of yum install commands:
FROM docker.io/centos:7
RUN yum install -y epel-release centos-release-scl
RUN yum install -y rh-php71
The first job fails because my gitlab-runner user cannot access the docker socket:
Got permission denied while trying to connect to the Docker
daemon socket at unix:///var/run/docker.sock: Post
"http://%2Fvar%2Frun%2Fdocker.sock/v1.24/auth": dial unix
/var/run/docker.sock: connect: permission denied
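I think this is OK (or should non-root users be granted access to docker nowadays?). So this job is only here for reference.
The docker-in-docker job fails because yum has no network access: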
Step 1/3 : FROM docker.io/centos:7
---> eeb6ee3f44bd
Step 2/3 : RUN yum install -y epel-release centos-release-scl
---> Running in 8e41cd05bcc1
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container error was
12: Timeout on http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container: (28, 'Resolving timed out after 30548 milliseconds')
One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo= ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable
or
subscription-manager repos --disable=
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=.skip_if_unavailable=true
Cannot find a valid baseurl for repo: base/7/x86_64
The command '/bin/sh -c yum install -y epel-release centos-release-scl' returned a non-zero code: 1
And podman in docker produces the strangest error of them all; it already fails at the podman login command:
time="2021-11-01T13:34:31Z" level=warning msg="\"/\" is not a shared mount, this could cause issues or missing mounts with rootless containers"
cannot clone: Operation not permitted
Error: cannot re-exec process
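Question
I would like to use podman in docker or docker in docker to build my images. What steps can I take to debug and fix this?
Posted on 2023-03-22 08:41:23
At some point I found kaniko and am now using it to build the containers. My GitLab CI template looks like this: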
.build-container-with-kaniko:
  stage: build-containers
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - mkdir -p /kaniko/.docker
    # this is needed to push the final image back to the container registry on gitlab
    - AUTH="$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')"
    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"${AUTH}\"}}}" > /kaniko/.docker/config.json
    - >-
      /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/${DOCKERFILE}"
      --destination "${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${CI_PIPELINE_ID}"
      --destination "${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${CI_COMMIT_TAG:-latest}"
      ${EXTRA_ARGS}
  variables:
    DOCKERFILE: Dockerfile
    IMAGE_NAME: generic-image
    EXTRA_ARGS: ""
  tags:
    - docker
tags: [docker] means that I run these jobs on the docker executor of the GitLab runner.
https://serverfault.com/questions/1082279