GitLab Containerized CI/CD Orchestration and Registry Management

Published by TechMarmot Editorail Staff on | Category GitLab CI

The integration of Docker into the GitLab Continuous Integration and Continuous Delivery (CI/CD) pipeline transforms a standard code repository into a robust, isolated execution environment. By leveraging containerization, developers can ensure that the environment where code is tested and built is identical to the environment where it is deployed, effectively eliminating the "it works on my machine" phenomenon. This architectural approach is supported across all GitLab tiers—Free, Premium, and Ultimate—and is available regardless of whether the instance is hosted on GitLab.com, a self-managed server, or a dedicated GitLab deployment. The core of this functionality relies on the ability to run jobs within specific Docker images, providing a consistent, reproducible, and scalable foundation for the entire software development lifecycle.

Docker Executor Configuration and Job Execution

To implement CI/CD jobs within Docker containers, a specific infrastructure setup is required. The primary requirement is the registration of a GitLab Runner configured to use the Docker executor. The Docker executor is the component responsible for spinning up a new container for every job defined in the pipeline, ensuring a clean state for every execution.

Once the runner is configured, the user must specify the desired container image within the .gitlab-ci.yml file. This file serves as the blueprint for the pipeline, instructing GitLab which image to pull from a registry to serve as the runtime environment.

Beyond the primary job image, GitLab allows for the execution of optional sidecar services. For example, if a job requires a database for integration testing, a MySQL container can be run alongside the primary job container. This creates a multi-container environment where the application code and its dependencies can interact in a networked space, simulating a production-like environment.

GitLab Container Registry Integration

GitLab provides a built-in Container Registry that allows organizations to store and manage their own Docker images privately. This is a critical feature for optimizing CI/CD runtime environments. Instead of downloading a suite of tools and dependencies every time a job runs—which increases pipeline duration and consumes bandwidth—developers can build custom Docker images containing all necessary pre-installed tools.

For instance, a project might utilize the Itch.io Butler for distributing indie games. Rather than installing the Butler tool in every single pipeline run, a developer can create a custom image with the Butler pre-installed, push it to the GitLab Container Registry, and then reference that image in the .gitlab-ci.yml file.

The workflow for this optimization follows a specific sequence:

  • Build the custom image containing the required tools.
  • Tag the image according to the registry's naming convention.
  • Push the image to the project's private container registry.
  • Use the resulting image as the image: definition for subsequent CI/CD jobs.

To access the Container Registry within the GitLab interface, users should navigate to the project or group level and select the Packages & Registries > Container Registry menu option.

Registry Authentication and Credential Management

Authentication is a pivotal aspect of utilizing private registries, whether using the internal GitLab registry or an external provider like Amazon Elastic Container Registry (ECR).

When utilizing the internal GitLab Container Registry on the same instance where the pipeline is running, GitLab simplifies the process by providing default credentials. The CI_JOB_TOKEN is utilized for authentication. However, this is subject to specific permission constraints:

  • The user initiating the job must possess a role of Developer, Maintainer, or Owner for the project hosting the private image.
  • The project hosting the image must explicitly allow the requesting project to authenticate via the job token, as this access is disabled by default.

For external registries, such as AWS ECR, GitLab Runner requires specific configurations to handle private images. If an image is located at <aws_account_id>.dkr.ecr.<region>.amazonaws.com/private/image:latest, the runner must be configured with a credential helper.

The process for enabling AWS ECR access involves:

  • Ensuring the docker-credential-ecr-login binary is available in the GitLab Runner $PATH.
  • Configuring the necessary AWS credentials so the GitLab Runner Manager can acquire and pass them to the active runners.

In scenarios where a mix of private registry images and public Docker Hub images are used, a conflict may arise. The Docker daemon may attempt to use the same credentials for all registries, leading to failures when pulling from Docker Hub. To resolve this, credential helpers or specific configuration files must be employed.

The GitLab Runner determines which authentication method to use by reading configurations in a strict hierarchical order:

  • The config.json file located in the /root/.docker directory.
  • The DOCKER_AUTH_CONFIG CI/CD variable.
  • The DOCKER_AUTH_CONFIG environment variable defined in the runner's config.toml file.
  • The config.json file in the $HOME/.docker directory of the user running the process. (If the --user flag is used for unprivileged processes, the home directory of the main runner process user is utilized).

Advanced Registry Configuration and Troubleshooting

Enabling the Docker registry in self-managed GitLab Community Edition (CE) or Enterprise Edition (EE) environments sometimes requires manual configuration via the gitlab.rb file. Users may encounter issues where the "Packages & Registries" tab does not show registry options, indicating the registry is not enabled at the system level.

For a self-managed instance located at mygitlab.local with a registry at myregistry.local:5000, the following configurations are applied in /etc/gitlab/gitlab.rb:

Setting Value Purpose
registry_external_url 'https://mygitlab.local:5000' Defines the external URL for registry access
gitlab_rails['registry_enabled'] true Enables the registry feature within Rails
gitlab_rails['registry_host'] "registry.mygitlab.local" Specifies the hostname of the registry
gitlab_rails['registry_port'] "5005" Defines the port for the registry
gitlab_rails['registry_path'] "/var/opt/gitlab/gitlab-rails/shared/registry" Sets the filesystem path for registry data
registry['enable'] true Activates the registry application component
registry['dir'] "/var/opt/gitlab/registry" Defines the registry application directory
registry['registry_http_addr'] "mygitlab.local:5000" Sets the internal HTTP address for the registry
registry['log_directory'] "/var/log/gitlab/registry" Specifies where registry logs are stored
registry['log_level'] "info" Sets the verbosity of the registry logs
registry['rootcertbundle'] "/var/opt/gitlab/registry/certificate.crt" Path to the SSL certificate bundle
registry['storage_delete_enabled'] true Allows the deletion of image storage

After modifying these settings, the command gitlab-ctl reconfigure must be executed to apply the changes. Failure to use sane values or incorrect paths can result in the GitLab service failing to start.

Deployment of GitLab CE via Docker

For those looking to deploy the entire GitLab platform using Docker, the GitLab Community Edition (CE) image based on the Omnibus package is the standard choice. This image provides a comprehensive installation of GitLab in a single container.

The current state of the gitlab/gitlab-ce:nightly image is characterized by:

  • Size: Approximately 1.2 GB.
  • Update Frequency: Frequently updated (e.g., updated within hours of current use).
  • Distribution: Available on Docker Hub.

To pull the nightly build of the community edition, the following command is used:

bash docker pull gitlab/gitlab-ce:nightly

Infrastructure Requirements and Limitations

The use of credential stores and helpers imposes specific requirements on the host machine where the GitLab Runner is installed. Since these helpers are external binaries, they must be explicitly added to the Runner's $PATH. Without this, the runner will be unable to execute the authentication handshake required to pull private images from cloud providers.

For those utilizing macOS-based runners or specific credential stores, the DOCKER_AUTH_CONFIG variable may be set as follows to utilize the OS keychain:

json { "credsStore": "osxkeychain" }

This JSON configuration can be placed in a CI/CD variable or directly in the ${GITLAB_RUNNER_HOME}/.docker/config.json file on self-managed runners.

Conclusion

The orchestration of Docker within GitLab CI/CD creates a powerful synergy that enables rapid, reliable, and scalable software delivery. By shifting from generic images to optimized, custom-built images stored in the GitLab Container Registry, teams can significantly reduce pipeline latency. The complexity of this system lies in the authentication layers—balancing the use of CI_JOB_TOKEN for internal registries against credential helpers for external cloud registries. Proper configuration of the gitlab.rb file is essential for self-managed instances to ensure the registry is visible and functional. Ultimately, the ability to define the exact runtime environment via Docker ensures that the path from a developer's commit to the production environment is seamless and predictable.

Sources

  1. GitLab Documentation - Using Docker Images
  2. GitLab Forum - Enable Docker Registry CI/CD
  3. Verifa Blog - Automatically Package Tools GitLab Container Registry
  4. Docker Hub - GitLab CE Image

Related Posts