Containerization Orchestration in GitLab CI/CD via Docker and Podman

Published by TechMarmot Editorail Staff on | Category GitLab CI

The integration of containerization workflows within GitLab CI/CD represents a cornerstone of modern DevOps engineering. As organizations transition from monolithic architectures to microservices, the ability to automate the construction, validation, and distribution of container images becomes a non-negotiable requirement. However, the intersection of GitLab CI and Docker introduces a structural paradox: GitLab CI jobs are fundamentally designed to execute within isolated Docker containers, yet the task of building a Docker image requires the presence of a Docker daemon to process the build instructions. This architectural collision necessitates specific strategies to provide the containerized job with the requisite permissions and tools to interact with a container engine.

Achieving seamless image builds involves navigating various execution environments, ranging from high-privilege Docker-in-Docker (DinD) setups to daemonless alternatives like Podman. The choice of method impacts security postures, runner configuration complexity, and the overall speed of the CI/CD pipeline. By mastering these methodologies—including the use of multistage Dockerfiles to optimize image layers—engineers can create robust, reproducible, and secure deployment pipelines that serve as the backbone of continuous delivery.

The Architectural Paradox of Containerized Builds

At the heart of the difficulty in building Docker images within GitLab CI lies the relationship between the Command Line Interface (CLI) and the Docker daemon (dockerd).

The Docker CLI is essentially a client that sends instructions to a background service known as the Docker daemon. The daemon is the entity responsible for the heavy lifting: managing images, containers, networks, and volumes. In a standard local development environment, the CLI and the daemon coexist on the same host.

In a GitLab CI/CD environment, the runner typically spawns a container to execute the job. This container holds the environment where your script runs. Because the job is already encapsulated within a container, attempting to run docker build results in a failure unless that container has a way to communicate with a functional Docker daemon. Without a daemon to receive the instructions, the CLI has no engine to perform the actual image construction.

To resolve this, engineers must implement one of several architectural patterns:

  • Docker-in-Docker (DinD): Running a secondary Docker daemon inside the container executing the job.
  • Shell Executor: Bypassing containerization for the job itself and running commands directly on the host machine.
  • Daemonless Alternatives: Using tools like Podman that do not require a persistent background daemon.
  • Specialized Builders: Utilizing tools like Kaniko, which are designed specifically for building images within unprivileged container environments.

Implementation Strategies for Docker-in-Docker (DinD)

The Docker-in-Docker (DinD) approach is a classic solution to the containerization paradox. It involves running a sidecar service that provides the necessary Docker daemon to the job container.

Configuring the DinD Service

To utilize DinD, the .gitlab-ci.yml configuration must be instructed to pull and run a specific Docker image that contains the daemon. This is achieved through the services keyword.

Component Function
services Defines additional containers that run alongside the main job container.
docker:dind The specific image containing the Docker daemon required for builds.
alias Provides a network hostname so the CLI can locate the daemon service.

A typical configuration utilizes an alias to facilitate network communication between the job container and the service container. For example:

yaml dind-build: services: - name: docker:dind alias: dockerdaemon

Environment Variable Configuration

Once the service is running, the job container needs to know where the daemon is located on the network. This is managed via the DOCKER_HOST environment variable. Without this instruction, the Docker CLI will attempt to look for a local Unix socket, which does not exist within the job container.

To ensure successful communication and performance, several variables must be defined:

  • DOCKER_HOST: Set to tcp://dockerdaemon:2375/ (where dockerdaemon is the alias defined in the service).
  • Additional variables: Used to facilitate connectivity and speed up the build process.

The complete job configuration might look like this:

yaml dind-build: variables: DOCKER_HOST: tcp://dockerdaemon:2375/ services: - name: docker:dind alias: dockerdaemon script: - docker build -t my-image .

Note that using DinD often requires the GitLab Runner to be configured in privileged mode. This is a significant security consideration, as privileged mode grants the container nearly all the capabilities of the host machine, increasing the attack surface of the infrastructure.

The Podman Alternative: A Daemonless Approach

Podman offers a fundamentally different architecture compared to Docker. While Docker relies on a centralized daemon, Podman is daemonless. The Podman CLI handles the container operations directly, performing the work itself rather than delegating it to a background service.

This architectural difference simplifies the GitLab CI configuration significantly because it removes the need for a separate service or privileged mode to run a daemon.

Direct Podman Implementation

Using Podman in GitLab CI allows for a much cleaner .gitlab-ci.yml file. Since the CLI performs all the work, no services block or DOCKER_HOST configuration is required.

Feature Docker (DinD) Podman
Architecture Daemon-based Daemonless
Complexity High (requires services/privileged mode) Low (direct CLI execution)
Security Lower (requires privileged mode) Higher (daemonless/unprivileged)

A standard Podman build job is defined as follows:

```yaml
stages:
- build

podman-build:
stage: build
image:
name: quay.io/podman/stable
script:
- podman login -u "$CIREGISTRYUSER" -p "$CIREGISTRYPASSWORD" "$CIREGISTRY"
- podman build -t "$CIREGISTRYIMAGE:podman" .
- podman push "$CIREGISTRY_IMAGE:podman"
```

Emulating Docker with Podman

Because Podman is designed to be a drop-in replacement for Docker, it supports nearly identical command-line options. This allows teams to transition from Docker to Podman with minimal changes to their existing scripts. One can even create a symbolic link within the container to allow existing docker commands to function using the Podman engine.

yaml podman-build: stage: build image: name: quay.io/podman/stable script: - ln -s /usr/bin/podman /usr/bin/docker - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" - docker build -t "$CI_REGISTRY_IMAGE:podman" . - docker push "$CI_REGISTRY_IMAGE:podman"

In this configuration, the ln -s command creates a link so that when the script calls docker, the system actually executes podman.

Using the Shell Executor

If the security constraints of privileged mode prevent the use of DinD, or if the overhead of running a sidecar container is too high, the Shell Executor provides an alternative.

The Shell Executor runs the GitLab CI jobs directly on the host machine where the GitLab Runner is installed. In this scenario, the job is not isolated in a container; instead, the gitlab-runner user executes commands directly on the host's shell.

Configuration and Requirements

To use this method, the runner must be registered specifically with the shell executor.

  1. Install GitLab Runner on the target server.
  2. Register the runner using the registration token provided by GitLab.

The registration command would look like this:

bash sudo gitlab-runner register \ --url "https://gitlab.com/" \ --registration-token REGISTRATION_TOKEN \ --executor shell \ --description "My Runner"

Once registered, the server must have the Docker Engine installed locally. The gitlab-runner user must also be granted the necessary permissions to execute Docker commands, typically by being added to the docker group.

Container Registry Authentication and Image Management

Once an image is built, it must be pushed to a container registry to be usable for deployment. GitLab provides a built-in Container Registry for its users.

Authentication Workflow

Before any build or push operation can occur, the CI job must authenticate with the registry. GitLab provides built-in environment variables to facilitate this without manual credential management.

  • $CI_REGISTRY_USER: The username for the registry.
  • $CI_REGISTRY_PASSWORD: The password or token for the registry.
  • $CI_REGISTRY: The address of the GitLab Container Registry.

The authentication and push process follows these steps:

  1. Authenticate via docker login or podman login.
  2. Build the image with a specific tag.
  3. Push the image to the registry.

Optimization and Best Practices

To ensure efficient pipelines, several best practices should be followed when managing container images:

  • Use --pull: When running docker build --pull, the builder fetches the latest version of the base images, ensuring that security patches in the parent image are included.
  • Explicit docker pull: When using multiple runners, the local cache may become stale. Performing an explicit docker pull before a docker run ensures the most recent version of a previously built image is used.
  • Unique Tagging: Using the Git SHA (e.g., $CI_COMMIT_SHA) as the image tag ensures that every single job produces a unique, traceable image, preventing the accidental use of stale or overwritten images.
Command Purpose
docker build -t <name> . Builds an image from a Dockerfile in the current directory.
docker push <name> Uploads the built image to the remote registry.
docker build --pull Forces the builder to pull updated base images.

Streamlining Pipelines with Multistage Dockerfiles

A highly effective way to reduce the complexity of a GitLab CI pipeline is to move the build logic out of the CI configuration and into the Dockerfile itself using multistage builds.

In a traditional pipeline, one might have a "build" stage that compiles code and a "package" stage that creates the image. This requires passing artifacts between stages, which can be cumbersome. Multistage builds consolidate these steps into a single docker build command.

The Multistage Mechanism

A multistage Dockerfile uses multiple FROM instructions. Each FROM instruction begins a new stage of the build. You can copy files from one stage to another using the COPY --from command.

Consider a Node.js application build process:

```dockerfile

Stage 1: The Builder

FROM node:8 as builder
WORKDIR /usr/src/app
COPY package.json .
RUN npm install
COPY ./src /usr/src/app/
RUN npm run build

Stage 2: The Production Image

FROM node:8-alpine
WORKDIR /usr/src/app
COPY package.json .
RUN npm install --production
COPY --from=builder /usr/src/app/dist /usr/src/app/dist
COPY --from=builder /usr/src/app/server.js /usr/src/app/server.js
CMD ["node", "server.js"]
```

Impact of Multistage Builds

The benefits of this approach are profound for DevOps workflows:

  • Reduced CI Complexity: The .gitlab-ci.yml no longer needs to manage complex build dependencies or multi-step scripts; it simply executes docker build.
  • Smaller Image Size: The final production image only contains the compiled artifacts and the runtime dependencies, not the heavy build tools (like compilers or npm caches) used in the builder stage.
  • Enhanced Security: The attack surface is minimized because the production container does not contain the source code or build-time tools.
  • Layer Optimization: Docker creates image layers for the builder stage, but only the final stage's layers constitute the resulting image sent to the registry.

Analytical Conclusion

The evolution of GitLab CI containerization strategies reflects the broader industry shift toward security and simplicity. While Docker-in-Docker remains a widely used method, its reliance on privileged mode introduces significant security vulnerabilities that modern infrastructure-as-code practices seek to avoid. The emergence of Podman provides a compelling, daemonless alternative that aligns more closely with the principle of least privilege, allowing for simpler configurations and more secure execution environments.

The transition toward multistage Dockerfiles further demonstrates the maturation of these workflows. By delegating the build logic to the Dockerfile, engineers decouple the application's construction requirements from the CI/CD orchestration logic. This results in pipelines that are not only easier to maintain but also produce more efficient, smaller, and more secure container images. Ultimately, the choice between DinD, Podman, or the Shell Executor depends on the specific security requirements and runner availability of the organization, but the direction of the industry is clearly moving toward daemonless, unprivileged, and highly optimized container workflows.

Sources

  1. PythonSpeed: Building Docker images on GitLab CI
  2. GitLab Documentation: Use Docker to build Docker images
  3. Snorre.io: Building Docker images with GitLab CI
  4. GitLab Documentation: Build and push container images

Related Posts