4

I am trying to set up a job with gitlab CI to build a docker image from a dockerfile, but I am behind a proxy.

My .gitlab-ci.yml is as follows:

```yaml
image: docker:stable

variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2
  HTTP_PROXY: $http_proxy
  HTTPS_PROXY: $http_proxy
  http_proxy: $http_proxy
  https_proxy: $http_proxy

services:
  - docker:dind

before_script:
  - wget -O - www.google.com # just to test
  - docker search node # just to test
  - docker info # just to test

build:
  stage: build
  script:
    - docker build -t my-docker-image .
```

wget works, meaning that the proxy setup is correct, in theory.

But the commands docker search, docker info and docker build do not work, apparently because of a proxy issue.

An excerpt from the job output:

```
$ docker search node
Warning: failed to get default registry endpoint from daemon (Error response from  daemon:
    [and here comes a huge raw HTML output including the following message: "504 - server did not respond to proxy"]
```

It appears docker does not read from the environment variables to set up the proxy.

Note: I am indeed using a runner in --privileged mode, as the documentation instructs to do.

How do I fix this?

Pedro A

3 Answers

6

If you want to be able to use docker-in-docker (dind) in gitlab CI behind a proxy, you will also need to set up the no_proxy variable in your gitlab-ci.yml file: NO_PROXY for host "docker".

This is the gitlab-ci.yml that works with my dind:

```yaml
image: docker:19.03.12

variables:
  DOCKER_TLS_CERTDIR: "/certs"
  HTTPS_PROXY: "http://my_proxy:3128"
  HTTP_PROXY: "http://my_proxy:3128"
  NO_PROXY: "docker"

services:
  - docker:19.03.12-dind

before_script:
  - docker info

build:
  stage: build
  script:
    - docker run hello-world
```

Good luck!

Robert
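
The `NO_PROXY: "docker"` entry in the answer above matters because the docker CLI talks to the dind service over HTTP at `tcp://docker:2375`, so with `HTTP_PROXY` set and no exclusion that request goes to the proxy, consistent with the 504 in the question. The preflight check below is an added example, not part of the original answers; the function names are hypothetical and the NO_PROXY matching is a simplification (exact host, domain suffix and `*` only; CIDR and IPv6 entries are not evaluated).

```shell
#!/bin/sh
# Added example: preflight check for a dind job behind a proxy.
# NO_PROXY matching is simplified: exact host, domain suffix and "*" only.

# Host part of a DOCKER_HOST value such as tcp://docker:2375.
docker_host_name() {
  h=${1#*://}   # drop the scheme
  h=${h%%/*}    # drop any path
  h=${h%%:*}    # drop the port
  printf '%s\n' "$h"
}

# Return 0 if host $1 is excluded from proxying by the comma-separated list $2.
no_proxy_covers() {
  host=$1
  covered=1
  old_ifs=$IFS
  IFS=,
  set -f        # keep a literal "*" entry from being glob-expanded
  for entry in $2; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    entry=${entry%%:*}   # ignore an optional :port
    entry=${entry#.}     # ".example.com" and "example.com" both match subdomains here
    if [ -z "$entry" ]; then continue; fi
    if [ "$entry" = "*" ]; then covered=0; break; fi
    case "$host" in
      "$entry" | *".$entry") covered=0; break ;;
    esac
  done
  IFS=$old_ifs
  set +f
  return "$covered"
}

# Return 1 when a proxy is configured and the tcp:// daemon host is not excluded from it.
check_dind_proxy() {
  docker_host=$1 proxy=$2 no_proxy_list=$3
  case "$docker_host" in tcp://*) ;; *) return 0 ;; esac   # unix socket is never proxied
  if [ -z "$proxy" ]; then return 0; fi
  name=$(docker_host_name "$docker_host")
  if no_proxy_covers "$name" "$no_proxy_list"; then return 0; fi
  # The proxy URL is not printed: it may carry credentials.
  echo "DOCKER_HOST host '$name' is not in NO_PROXY; daemon API calls would be proxied" >&2
  return 1
}

# Constructed values: the question's variables (no NO_PROXY), then the answer's.
check_dind_proxy tcp://docker:2375 http://my_proxy:3128 "" || echo "without NO_PROXY: proxied"
check_dind_proxy tcp://docker:2375 http://my_proxy:3128 docker && echo "NO_PROXY=docker: direct"
```

In a job, calling `check_dind_proxy "$DOCKER_HOST" "$HTTP_PROXY" "$NO_PROXY"` in `before_script` ahead of the first `docker` command turns the opaque 504 page into a one-line failure.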
2

Oddly, the solution was to use a special dind (docker-in-docker) image provided by gitlab instead, and it works without setting up services and anything. The .gitlab-ci.yml that worked was as follows:

```yaml
image: gitlab/dind:latest

before_script:
  - wget -O - www.google.com
  - docker search node
  - docker info

build:
  stage: build
  script:
    - docker build -t my-docker-image .
```

Don't forget that the gitlab-runner must be registered with the --privileged flag.

Pedro A
  • 1
    Be aware that `gitlab/dind` is now deprecated - Gitlab recommend you use the standard "docker/dind" images instead. – RB. Aug 11 '20 at 23:06
  • @RB. Thanks for the info. I no longer need this though... But I wonder if nowadays `docker/dind` would work. Hopefully yes otherwise it would be a step backwards – Pedro A Aug 12 '20 at 00:26
  • It's....not working well based on my testing - I'm behind a simple proxy (no auth). The main solution (on top of setting the env vars) is to pass the env vars to the build command: `docker build --build-arg http_proxy=$http_proxy --build-arg HTTP_PROXY=$HTTP_PROXY etc.etc.` but that's not working for me - docker build still can't pull the `FROM` image. – RB. Aug 12 '20 at 08:09
  • I ended up using [kaniko](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html) and it worked flawlessly with just normal proxy configuration, without having to run docker in privileged mode. Docker-in-docker just feels like a hacky world-of-pain now :) – RB. Aug 12 '20 at 09:48
  • 1
    Ah, cool!! Nice. If you want to add an answer with this info, I would upvote :) – Pedro A Aug 12 '20 at 11:16
  • I've added an answer :) – RB. Aug 12 '20 at 11:55
1

I was unable to get docker-in-docker (dind) working behind our corporate proxy.

In particular, even when following the instructions here, a `docker build` command would still fail when executing `FROM <some_image>` as it was not able to download the image.

I had far more success using kaniko, which appears to be Gitlab's current recommendation for doing Docker builds.

A simple build script for a .NET Core project then looks like:

```yaml
build:
  stage: build
  image: $BUILD_IMAGE
  script:
    - dotnet build
    - dotnet publish Console --output publish
  artifacts:
    # Upload all build artifacts to make them available for the deploy stage.
    when: always
    paths:
      - "publish/*"
    expire_in: 1 week

kaniko:
  stage: dockerise
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # Construct a docker-file
    - echo "FROM $RUNTIME_IMAGE" > Dockerfile
    - echo "WORKDIR /app" >> Dockerfile
    - echo "COPY /publish ." >> Dockerfile
    - echo "CMD [\"dotnet\", \"Console.dll\"]" >> Dockerfile

    # Authenticate against the Gitlab Docker repository.
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json

    # Run kaniko
    - /kaniko/executor --context . --dockerfile Dockerfile --destination $CI_REGISTRY_IMAGE:$VersionSuffix
```
RB.