GitLab CI/CD Docker Integration and Image Orchestration

Published by TechMarmot Editorail Staff on | Category GitLab CI

The convergence of GitLab CI/CD and Docker represents a paradigm shift in how modern software is built, tested, and deployed. By leveraging containerization within a continuous integration and continuous delivery framework, developers can eliminate the "it works on my machine" phenomenon, ensuring that the environment used for the initial build is identical to the one used in production. This synergy allows for the automation of the entire lifecycle of a Docker image, from the initial trigger of a code push to the final storage of a versioned artifact in a container registry. This process is supported across various GitLab tiers, including Free, Premium, and Ultimate, and is available regardless of whether the instance is GitLab.com, GitLab Self-Managed, or GitLab Dedicated.

Core Architectures for Docker Command Execution

To execute Docker commands within a GitLab CI/CD pipeline, the underlying infrastructure—specifically the GitLab Runner—must be configured to support the Docker daemon. There are two primary paths to achieving this: using a shell executor or a Docker executor with privileged mode.

The shell executor approach involves installing the GitLab Runner directly on a host machine. In this scenario, the gitlab-runner user executes commands directly on the host's shell. For this to function, the Docker Engine must be installed on the same server. The registration process for such a runner typically follows this command structure:

sudo gitlab-runner register -n \ --url "https://gitlab.com/" \ --registration-token REGISTRATION_TOKEN \ --executor shell \ --description "My Runner"

This method provides direct access to the host's Docker daemon, but it requires the gitlab-runner user to have the necessary permissions to interact with the Docker socket.

Alternatively, the Docker executor can be used, which is common when runners are managed in a containerized environment. However, running Docker commands inside a Docker container (Docker-in-Docker or DinD) requires privileged mode. This is a security-sensitive configuration that grants the container root-level access to the host kernel. A runner registered with these capabilities is created using:

sudo gitlab-runner register -n \ --url "https://gitlab.com/" \ --registration-token REGISTRATION_TOKEN \ --executor docker \ --description "My Docker Runner" \ --tag-list "no-tls-docker-runner" \ --docker-image "docker:24.0.5-cli" \ --docker-privileged

The resulting config.toml file for such a runner includes specific directives to ensure the environment is capable of building images:

toml [[runners]] url = "https://gitlab.com/" token = TOKEN executor = "docker" [runners.docker] tls_verify = false image = "docker:24.0.5-cli" privileged = true disable_cache = false volumes = ["/cache"] [runners.cache] [runners.cache.s3] [runners.cache.gcs]

Implementing Docker-in-Docker (DinD) Workflows

When utilizing the Docker executor and privileged mode, the most common pattern is the use of the Docker-in-Docker (DinD) service. This architecture separates the Docker CLI (used to send commands) from the Docker Daemon (which performs the actual building and pulling of images).

To implement this in a .gitlab-ci.yml file, the docker:24.0.5-cli image is used as the base, while the docker:24.0.5-dind service provides the background daemon. Because the daemon is running in a separate service container, the CLI must be told to communicate via a network connection rather than the standard Unix socket.

The following configuration demonstrates a complete build stage:

```yaml
default:
image: docker:24.0.5-cli
services:
- docker:24.0.5-dind
beforescript:
- docker info
variables:
DOCKERHOST: tcp://docker:2375
DOCKERTLSCERTDIR: ""

build:
stage: build
tags:
- no-tls-docker-runner
script:
- docker build -t my-docker-image .
```

In this setup, DOCKER_HOST: tcp://docker:2375 redirects the CLI to the service container. The DOCKER_TLS_CERTDIR: "" variable is critical as it instructs Docker not to use TLS for the connection, which is necessary when the no-tls-docker-runner tag is used.

Managing Container Image Requirements and Definitions

Every image utilized to run a CI/CD job must adhere to specific runtime requirements to ensure the GitLab Runner can execute scripts. Specifically, the image must have the following binaries installed:

  • sh or bash
  • grep

Without these, the runner cannot execute the before_script or script sections of the pipeline, resulting in job failure.

Images can be defined globally or per job in the .gitlab-ci.yml file. The definition supports three distinct formats to allow for precise versioning and security:

  • Name only: image: <image-name> (defaults to the latest tag).
  • Tagged version: image: <image-name>:<tag> (e.g., ruby:2.6).
  • Digest: image: <image-name>@<digest> (used for immutable builds).

Beyond simple strings, GitLab allows for map-based definitions for images and services, which provide more granular control. For example, a string definition like image: "registry.example.com/my/image:latest" is functionally equivalent to a map that contains a name option with the same value.

Authentication and Registry Access Strategies

Accessing private images requires a robust authentication mechanism to ensure that the GitLab Runner can pull protected images from a registry.

The GitLab Job Token

When using the GitLab Container Registry on the same instance as the project, GitLab simplifies authentication via the CI_JOB_TOKEN. This token is automatically provided to the job. However, two conditions must be met for this to work:

  • The user who triggers the job must possess the Developer, Maintainer, or Owner role for the project where the image is hosted.
  • The project hosting the private image must explicitly allow the other project to authenticate using the job token, as this access is disabled by default.

Credential Helpers and Stores

For external registries, such as Amazon ECR, credential helpers are used. This requires the helper binary (e.g., docker-credential-ecr-login) to be present in the GitLab Runner's $PATH. The runner manager acquires the AWS credentials and passes them to the runner.

To configure these helpers, the runner process looks for authentication data in a specific order of precedence:

  1. A config.json file located in the /root/.docker directory.
  2. A DOCKER_AUTH_CONFIG CI/CD variable.
  3. A DOCKER_AUTH_CONFIG environment variable defined in the runner's config.toml.
  4. A config.json file in the $HOME/.docker directory of the user running the process (or the home directory of the main runner process if the --user flag is used).

For self-managed runners, the JSON configuration can be placed directly in ${GITLAB_RUNNER_HOME}/.docker/config.json. A typical configuration for a credential store looks like this:

json { "credsStore": "osxkeychain" }

A critical limitation exists when mixing registries: if both private registry images and public Docker Hub images are used, pulling from Docker Hub may fail because the Docker daemon attempts to use the same credentials for all registries.

Practical Pipeline Implementation Example

Creating a functional pipeline involves three primary components: the project setup, the Dockerfile, and the .gitlab-ci.yml configuration.

Project Initialization

The process begins by creating a new blank project in GitLab, such as "DockerCIPipeline," and setting the appropriate visibility levels.

The Dockerfile

A Dockerfile defines the environment and dependencies. For a Python-based application, a standard Dockerfile would look like this:

```dockerfile

Use an official Python runtime as a parent image

FROM python:3.8-slim

Set the working directory

WORKDIR /app

Copy what's in app.py

COPY . .
```

Pipeline Configuration and Execution

The .gitlab-ci.yml file orchestrates the build and push process. To push to the GitLab registry, the pipeline utilizes predefined variables:

  • CI_REGISTRY_USER: The username of the user triggering the pipeline.
  • CI_REGISTRY_PASSWORD: The access token generated from the GitLab profile settings.

The complete workflow involves:

  1. Adding the Dockerfile and .gitlab-ci.yml to the repository.
  2. Executing git add, git commit -m "Add Dockerfile and CI/CD pipeline configuration", and git push origin main.
  3. Monitoring the progress under CI/CD > Pipelines.
  4. Verifying the resulting image under Packages & Registries > Container Registry.

Comparative Analysis of Docker Commands in CI/CD

The following table outlines the essential Docker commands utilized within GitLab CI/CD pipelines and their specific roles in the automation process.

Command Purpose Impact on Pipeline
docker build Creates an image from a Dockerfile Converts source code into a portable artifact
docker images Lists local images Used for debugging and verifying image existence
docker ps Lists running containers Validates that services are active during test stages
docker info Displays system-wide Docker info Used in before_script to verify daemon connectivity

Analysis of Containerization Benefits in GitLab CI/CD

The integration of Docker into GitLab CI/CD provides several systemic advantages that improve software quality and deployment speed.

Consistency is the primary benefit. By defining the environment in a Dockerfile, the exact same version of the operating system, language runtime, and system libraries are used across development, testing, and production. This eliminates the variance that typically occurs when different developers use different OS versions.

Scalability is achieved through the lightweight nature of containers. Because Docker images are isolated and portable, GitLab can spin up multiple runners in parallel, each running the same image, allowing for horizontal scaling of test suites.

Isolation improves security and stability. Each container runs in its own isolated space, meaning a failure in one job's environment does not affect other jobs or the host machine. This is particularly important when testing applications that require specific system configurations that might conflict with other projects.

Conclusion

The implementation of Docker within GitLab CI/CD is a comprehensive process that requires precise alignment between the runner configuration, the authentication layer, and the pipeline definition. Whether using the shell executor for direct host access or the Docker executor with privileged mode for DinD, the goal is to create a repeatable, immutable path from code to container. The use of CI_JOB_TOKEN for internal registries and credential helpers for external ones like AWS ECR ensures that security is maintained without sacrificing automation. As pipelines evolve, the shift toward multi-stage builds and the integration of complex testing frameworks will further leverage these foundations to create highly resilient software delivery engines.

Sources

  1. Using Docker to build Docker images
  2. Using Docker images
  3. Introduction to Docker Integration in GitLab CI/CD Pipelines

Related Posts