Optimizing Docker Image Orchestration within GitLab CI/CD Pipelines

Published by TechMarmot Editorail Staff on | Category GitLab CI

The integration of Docker into GitLab CI/CD represents a fundamental shift in how modern software is delivered, moving from simple script-based deployments to a fully containerized lifecycle. Implementing a robust Docker build process within GitLab requires a nuanced understanding of the interaction between the GitLab Runner, the Docker Engine, and the container registry. The evolution of this process has moved from fragmented workarounds—utilizing the GitLab CI cache to move binaries between jobs—to the adoption of sophisticated multi-stage Dockerfiles and the Docker-in-Docker (DinD) architecture. By leveraging these tools, organizations can ensure that their production images are lean, secure, and reproducible, while simultaneously minimizing the overhead associated with build artifacts and network latency.

The Architectural Evolution of Docker Builds in GitLab CI

In the early stages of GitLab CI adoption, creating a clean production image was a fragmented process. Before the introduction of multi-stage builds in Docker 17.05, developers faced a significant challenge: the "build environment" required a full set of compilers and dependencies, but the "production environment" needed to be as small as possible to reduce the attack surface and improve startup times.

The initial approach to solving this involved using the GitLab CI cache feature. In this paradigm, a build job would compile the application and store the resulting binaries in the CI cache. A subsequent containerize job would then pull those files from the cache and execute a docker build command, referencing those files in the Dockerfile. However, this method was fraught with issues, primarily regarding state management and reliability, as caches can be volatile and are not guaranteed to be present across different runners.

The transition to the artifacts-based approach marked a significant improvement. By using the artifacts directive, developers could instruct the GitLab Runner to archive specific directories, such as dist or server.js, and upload them to the GitLab server. This ensured that the output of a build stage was guaranteed to be available to the subsequent containerization stage.

Example of the artifacts-based pipeline configuration:

```yaml
stages:
build
containerize

build:
stage: build
image: node:8
script:
- npm install
- npm run build
artifacts:
paths:
- dist
- server.js
expire_in: 1 hour

containerize:
stage: containerize
image: docker:17
script:
- # A few lines to set DOCKER_HOST and certificates and log in.
- docker build -t user/my-typescript-image:latest
- docker push user/my-typescript-image:latest
```

The impact of moving to artifacts was the elimination of collision issues and the introduction of the expire_in option, which allowed for the automatic cleanup of old build files. However, this method introduced a performance bottleneck. Because the runner must archive and upload files at the end of the build job and then download and extract them at the start of the containerize job, large builds suffered from significant latency. Furthermore, artifacts are unique per pipeline, meaning they do not assist with dependency caching across different pipeline runs.

Mastering Multi-Stage Docker Builds

The introduction of Docker 17.05 revolutionized the pipeline by introducing multi-stage builds. This feature allows the entire build process to occur within a single docker build command, effectively merging the "build" and "containerize" stages of a GitLab pipeline into one.

In a multi-stage Dockerfile, one or more stages are designated as "builder" stages. These stages use a full-featured image to compile the code. The final stage then starts from a minimal base image (such as Alpine Linux) and selectively copies only the necessary compiled binaries from the builder stage.

Example of a multi-stage Dockerfile for a Node.js application:

```dockerfile
FROM node:8 as builder
WORKDIR /usr/src/app
COPY package.json
RUN npm install
COPY ./src /usr/src/app/
RUN npm run build

FROM node:8-alpine
WORKDIR /usr/src/app
COPY package.json
RUN npm install --production
COPY --from=builder /usr/src/app/dist /usr/src/app/
COPY --from=builder /usr/src/app/server.js /usr/src/app/
CMD ["node" "server.js"]
```

The contextual layer of this approach is that it removes the need for GitLab CI to manage the transfer of files between jobs. The COPY --from=builder instruction allows the Docker engine to handle the movement of files internally. This reduces the complexity of the .gitlab-ci.yml file, as the build stage and the containerize stage are collapsed into a single operation. The real-world consequence is a faster pipeline, reduced storage usage on the GitLab server, and a significantly smaller final image size.

Implementing Docker-in-Docker (DinD) and the Container Registry

To build Docker images within a GitLab pipeline, the runner needs access to a Docker daemon. The most common implementation is using Docker-in-Docker (DinD). This involves running a Docker daemon inside a container, which in turn can run other containers.

When configuring a pipeline for the GitLab Container Registry, the .gitlab-ci.yml must specify the correct images and services to ensure the client can communicate with the daemon.

Detailed Pipeline Configuration for Build, Test, and Release:

```yaml
default:
image: docker:24.0.5-cli
services:
- docker:24.0.5-dind
beforescript:
- echo "$CIREGISTRYPASSWORD" | docker login $CIREGISTRY -u $CIREGISTRYUSER --password-stdin

stages:
- build
- test
- release
- deploy

variables:
DOCKERHOST: tcp://docker:2376
DOCKERTLSCERTDIR: "/certs"
CONTAINERTESTIMAGE: $CIREGISTRYIMAGE:$CICOMMITREFSLUG
CONTAINERRELEASEIMAGE: $CIREGISTRYIMAGE:latest

build:
stage: build
script:
- docker build --pull -t $CONTAINERTESTIMAGE .
- docker push $CONTAINERTESTIMAGE

test1:
stage: test
script:
- docker pull $CONTAINERTESTIMAGE
- docker run $CONTAINERTESTIMAGE /script/to/run/tests

test2:
stage: test
script:
- docker pull $CONTAINERTESTIMAGE
- docker run $CONTAINERTESTIMAGE /script/to/run/another/test

release-image:
stage: release
script:
- docker pull $CONTAINERTESTIMAGE
- docker tag $CONTAINERTESTIMAGE $CONTAINERRELEASEIMAGE
- docker push $CONTAINERRELEASEIMAGE
rules:
- if: $CICOMMITBRANCH == "main"

deploy:
stage: deploy
script:
- ./deploy.sh
rules:
- if: $CICOMMITBRANCH == "main"
environment: production
```

The technical specifications of this configuration reveal several critical operational strategies:

  1. Use of --pull in docker build: This is essential when using multiple runners that cache images locally. It ensures that the latest base image is pulled from the registry, preventing the use of stale images.
  2. Tagging Strategy: The pipeline avoids building directly to the latest tag. Instead, it uses the $CI_COMMIT_REF_SLUG for the test image. This prevents race conditions where multiple simultaneous jobs might overwrite the latest tag, leading to the deployment of an incorrect version.
  3. Tagging Logic: The latest tag is only applied during the release-image stage, and only when the commit is on the main branch.

Advanced Registry Management and Dependency Proxying

For organizations utilizing their own registry or needing to optimize external pulls, GitLab provides options to customize the image and services directives.

When using a private GitLab container registry, the configuration should point to the specific registry path:

yaml build: image: $CI_REGISTRY/group/project/docker:24.0.5-cli services: - name: $CI_REGISTRY/group/project/docker:24.0.5-dind alias: docker stage: build script: - docker build -t my-docker-image . - docker run my-docker-image /script/to/run/tests

In this setup, the alias: docker is crucial as it allows the CLI to address the service as docker regardless of the full registry URL.

Additionally, the Dependency Proxy can be utilized to cache images from external registries like Docker Hub. This is particularly impactful for two reasons:
- Rate Limiting: It helps avoid the strict rate limits imposed by Docker Hub.
- Build Speed: By caching the image within the GitLab infrastructure, the pull time is significantly reduced.

Summary of Docker Build Methods in GitLab CI

The following table compares the different methodologies discussed for managing Docker builds within the CI/CD lifecycle.

Method Mechanism Primary Advantage Major Drawback Best Use Case
Cache-Based GitLab CI Cache Simple setup Volatile, unreliable Legacy systems
Artifact-Based GitLab Job Artifacts Reliable file transfer Upload/Download latency Complex build-to-run paths
Multi-Stage Dockerfile COPY --from Integrated, lean images Requires Docker 17.05+ Standard production apps
DinD + Registry Docker-in-Docker Full registry integration Complex network config Enterprise-scale CI/CD

Detailed Technical Analysis of Pipeline Performance

The shift from artifacts to multi-stage builds represents a move toward "Infrastructure as Code" (IaC) where the build logic is encapsulated within the Dockerfile rather than the CI configuration. When utilizing artifacts, the GitLab Runner is burdened with the overhead of zipping and unzipping files. In a large-scale TypeScript or Java project, the dist folder can be hundreds of megabytes. Moving these files over the network from the runner to the GitLab coordinator and back to a different runner adds minutes to the total pipeline time.

By using multi-stage builds, the "transfer" occurs within the Docker engine's local storage. This not only accelerates the build but also ensures that the production image does not contain the build tools (like the full Node.js SDK or Maven), which is a critical security requirement. The use of a specialized base image like node:8-alpine in the final stage further minimizes the image size, reducing the time required for docker push and docker pull operations during the test and deploy stages.

Furthermore, the use of the Git SHA or the commit reference slug for tagging prevents the "stale image" problem. If a developer rebuilds a specific commit after a dependency change has occurred in the base image, using a unique tag ensures that the new image is pushed and pulled, rather than relying on a cached version of a tag that might not have changed.

Conclusion

The transition of Docker image building within GitLab CI from a series of manual workarounds to a first-class experience highlights the importance of tight integration between the container runtime and the orchestration layer. The evolution from using the CI cache to utilizing artifacts, and finally to embracing multi-stage Dockerfiles, demonstrates a clear trajectory toward reducing pipeline complexity and increasing deployment velocity.

By implementing Docker-in-Docker (DinD) and leveraging the GitLab Container Registry, teams can create a seamless flow from code commit to production deployment. The strategic use of the --pull flag, the avoidance of immediate latest tagging, and the adoption of the Dependency Proxy are not merely optimizations but necessities for maintaining a stable and scalable CI/CD environment. The ultimate goal of these configurations is to ensure that the production image is an immutable artifact, meticulously tested in a mirrored environment, and deployed with absolute confidence.

Sources

  1. Building Docker images with Gitlab CI - Snorre.io
  2. Build and push images - GitLab Documentation

Related Posts