{"id":1601,"date":"2022-03-22T08:47:01","date_gmt":"2022-03-22T08:47:01","guid":{"rendered":"https:\/\/www.ipcpu.com\/?p=1601"},"modified":"2022-07-22T09:00:00","modified_gmt":"2022-07-22T09:00:00","slug":"gitlab-ci-dind-dood","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2022\/03\/gitlab-ci-dind-dood\/","title":{"rendered":"Building Docker images in GitLab CI: DinD and DooD"},"content":{"rendered":"

1. Overview<\/h2>\n

When using GitLab CI\/CD there is one step you cannot avoid: running docker build during the pipeline to produce a new Docker image.<\/p>\n

The official GitLab documentation lists three approaches:<\/p>\n

\n
    \n
  1. The shell executor<\/li>\n
  2. The Docker executor with the Docker image (Docker-in-Docker)<\/li>\n
  3. Docker socket binding<\/li>\n<\/ol>\n<\/blockquote>\n

The first approach needs little explanation: a gitlab-runner with the shell executor is installed on the operating system, runs commands directly on that OS, and shares all of its resources.
\nThe second and third approaches both run docker build inside a Docker container. The difference is that the second is Docker-in-Docker, which is one layer deeper and more isolated. We focus on these two below.<\/p>\n

2. DinD (Docker in Docker)<\/h2>\n

DinD (Docker in Docker) means that the Docker engine itself runs inside a container started in privileged mode; the job talks to that docker daemon over a --link'ed connection (in GitLab CI, the docker:dind service) and builds new Docker images inside it (nested Docker), as shown in the figure below.
\n
\nTo use dind, register the runner as follows:<\/p>\n

    \n
    gitlab-runner register -n \\\n  --url https:\/\/gitlab.com\/ \\\n  --registration-token REGISTRATION_TOKEN \\\n  --executor docker \\\n  --description \"My Docker Runner\" \\\n  --docker-image \"docker:19.03.12\" \\\n  --docker-privileged \\\n  --docker-volumes \"\/certs\/client\"<\/code><\/pre>\n<\/div>\n

Configure the .gitlab-ci.yml file in GitLab like this:<\/p>\n

    \n
dockerbuild:\n  stage: build\n  image: docker:stable\n  services:\n    - name: docker:dind\n      # a lower MTU avoids packet loss on overlay networks; the mirror only speeds up pulls\n      command: [\"--mtu=1450\", \"--registry-mirror\", \"https:\/\/mirror.baidubce.com\"]\n  variables:\n    # enable TLS between the docker CLI in the job and the dind daemon\n    DOCKER_TLS_CERTDIR: \"\/certs\"\n    DOCKER_DRIVER: overlay2\n  before_script:\n    - docker info\n  script:\n    # REGISTRY_PASSWORD is assumed to be a masked CI variable; an interactive login prompt would hang the job\n    - echo \"$REGISTRY_PASSWORD\" | docker login -u xxx --password-stdin reg.ipcpu.com\n    - docker build -t my-docker-image .\n    - docker push my-docker-image<\/code><\/pre>\n<\/div>\n

3. DooD (Docker-outside-of-Docker)<\/h2>\n

DooD (Docker-outside-of-Docker) bind-mounts the host's Docker socket into the container with -v \/var\/run\/docker.sock:\/var\/run\/docker.sock (a -p flag would publish a port, not mount a file). The docker CLI inside the container then talks to the host's daemon through that mounted docker.sock, so the containers it creates are siblings of the job container on the host, not children of it.
\n
\nTo use dood, register the runner as follows:<\/p>\n

    \n
    gitlab-runner register -n \\\n  --url https:\/\/gitlab.com\/ \\\n  --registration-token REGISTRATION_TOKEN \\\n  --executor docker \\\n  --description \"My Docker Runner\" \\\n  --docker-image \"docker:19.03.12\" \\\n  --docker-volumes \/var\/run\/docker.sock:\/var\/run\/docker.sock<\/code><\/pre>\n<\/div>\n

Configure the .gitlab-ci.yml file in GitLab as follows:<\/p>\n

    \n
# the docker CLI in this image reaches the host daemon through the mounted \/var\/run\/docker.sock\nimage: docker:19.03.12\n\nbefore_script:\n  - docker info\n\nbuild:\n  stage: build\n  script:\n    - docker build -t my-docker-image .\n    - docker push my-docker-image<\/code><\/pre>\n<\/div>\n
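As an added example, not code from the original post: a job script that can be called from the script: step of either the DinD or the DooD job above. With DooD every container and image the job creates lands on the host's daemon and survives the job, so names must be unique per job and the job has to clean up after itself. The CI_* variables are GitLab's predefined ones; the registry, image and job values in the usage note are made up.

```sh
#!/bin/sh
# Added example (not from the original post): build-and-push script for a
# docker-based GitLab CI job. Invoke as `sh ci-build.sh run` from `script:`.
# The CI_* variables are GitLab's predefined variables.
set -eu

# Immutable, per-commit image reference. A fixed name such as my-docker-image
# is overwritten by every job and cannot be traced back to a commit.
image_ref() {
    printf '%s:%s\n' "$CI_REGISTRY_IMAGE" "$CI_COMMIT_SHORT_SHA"
}

# Container name that cannot collide with a parallel job sharing the host
# daemon (the naming conflict the post describes for DooD).
container_name() {
    printf 'ci-%s-%s\n' "$CI_PROJECT_PATH_SLUG" "$CI_JOB_ID"
}

# Feed the password on stdin: a `-p` argument is visible to every process on
# the shared host via `ps`, and an interactive prompt would hang the job.
registry_login() {
    printf '%s' "$CI_REGISTRY_PASSWORD" |
        docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
}

# Remove only this job's container: other jobs' containers are siblings on the
# same daemon and are just as visible to `docker ps` here.
cleanup() {
    docker rm -f "$(container_name)" >/dev/null 2>&1 || true
}

build_and_push() {
    ref="$(image_ref)"
    trap cleanup EXIT
    registry_login
    docker build --pull -t "$ref" .
    # Smoke-test the fresh image under the job-unique container name before
    # publishing it; the trap removes the container whatever happens next.
    docker run --name "$(container_name)" "$ref" true
    docker push "$ref"
}

# The docker steps run only when asked to; the helpers above are pure string
# functions and can be exercised without a daemon.
case "${1:-}" in
    run) build_and_push ;;
esac
```

With CI_REGISTRY_IMAGE=registry.example.com/group/app, CI_COMMIT_SHORT_SHA=1a2b3c4d, CI_PROJECT_PATH_SLUG=group-app and CI_JOB_ID=4711 (made-up values), image_ref prints registry.example.com/group/app:1a2b3c4d and container_name prints ci-group-app-4711.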

4. Pros and cons of the three approaches<\/h2>\n
      \n
1. The shell executor needs a dedicated server (it can be shared, but that carries risk). It is the most flexible: like a shell, it can run any program on the machine. But CI\/CD jobs will conflict with each other, for example when project A depends on a library whose version cannot be upgraded while project B needs the newest version of that same library; such builds break, and the root cause is insufficient environment isolation.<\/li>\n
2. DinD fully isolates each build environment, but the runner's containers run with the privileged flag, which is a real security problem: a privileged container has every capability and unrestricted device access, so anything that can run commands in the build can take over the host. In practice the containers DinD produces also start completely empty and cannot mount host resources (they are one layer removed), so anything that needs a cache (for example the Node.js cache directory) performs very poorly and builds take far longer.<\/li>\n
3. DooD uses the host's socket to create containers. Each build still runs in its own container, and because host directories can be bind-mounted into it, caches and images can be shared with the host, which speeds things up to some degree. But handing out the socket file hands out full control of the Docker daemon, which is equivalent to root on the host, so security is a big problem here as well. In addition, two jobs creating containers with the same name will conflict, because they all share the host's daemon.<\/li>\n<\/ol>\n
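The two risky settings this comparison weighs against each other, privileged = true for DinD and a bind mount of \/var\/run\/docker.sock for DooD, both end up in the runner's config.toml, so they can be audited there. The following script is an added example, not from the original post: it reports, per registered runner, which of the two settings is present. The sample config.toml it audits is constructed for the demonstration; the runner names and URLs in it are made up.

```sh
#!/bin/sh
# Added example (not from the original post): audit a gitlab-runner config.toml
# for privileged = true (DinD) and a bind mount of /var/run/docker.sock (DooD).
# Either setting gives every job on that runner the equivalent of root on the
# host, so such runners should be dedicated and known at a glance.
set -eu

# Print one line per [[runners]] block: "<name> privileged=<0|1> socket=<0|1>".
audit_runner_config() {
    awk '
        function flush() {
            if (name != "") printf "%s privileged=%d socket=%d\n", name, priv, sock
            name = ""; priv = 0; sock = 0
        }
        /^[[:space:]]*\[\[runners\]\]/ { flush() }
        # the first "name" after [[runners]] is the runner name
        /^[[:space:]]*name[[:space:]]*=/ {
            if (name == "") { gsub(/^[^"]*"|".*$/, ""); name = $0 }
        }
        /^[[:space:]]*privileged[[:space:]]*=[[:space:]]*true/ { priv = 1 }
        /^[[:space:]]*volumes[[:space:]]*=.*\/var\/run\/docker\.sock/ { sock = 1 }
        END { flush() }
    ' "$1"
}

# Exit status 0 when at least one runner carries either risky setting.
has_risky_runner() {
    audit_runner_config "$1" | grep -q -E 'privileged=1|socket=1'
}

# Constructed sample: one DinD runner, one DooD runner, one plain runner.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
concurrent = 2

[[runners]]
  name = "dind-runner"
  url = "https://gitlab.example.com/"
  executor = "docker"
  [runners.docker]
    image = "docker:19.03.12"
    privileged = true
    volumes = ["/certs/client", "/cache"]

[[runners]]
  name = "dood-runner"
  url = "https://gitlab.example.com/"
  executor = "docker"
  [runners.docker]
    image = "docker:19.03.12"
    privileged = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]

[[runners]]
  name = "plain-runner"
  url = "https://gitlab.example.com/"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.15"
    privileged = false
    volumes = ["/cache"]
EOF
trap 'rm -f "$SAMPLE_CONFIG"' EXIT

audit_runner_config "$SAMPLE_CONFIG"
```

Run against the sample it prints one line per runner: dind-runner privileged=1 socket=0, dood-runner privileged=0 socket=1, plain-runner privileged=0 socket=0. Point audit_runner_config at a real \/etc\/gitlab-runner\/config.toml to see which of your runners hand host root to every job they execute.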

After using DinD for a while we switched to DooD. The reason is simple: our Node.js builds need a shared cache directory to compile faster.<\/p>\n

5. Reducing the security risk of DinD's privileged mode<\/h2>\n

There is a project on GitHub called sysbox, https:\/\/github.com\/nestybox\/sysbox<\/a>, that addresses this problem; its description reads:
\nSecuring CI\/CD pipelines by enabling Docker-in-Docker (DinD) or Kubernetes-in-Docker (KinD) without insecure privileged containers or host Docker socket mounts.<\/p>\n

Google has also open-sourced kaniko, https:\/\/github.com\/GoogleContainerTools\/kaniko<\/a>.
\nkaniko addresses two problems with the Docker-in-Docker build method:<\/p>\n

      \n

Docker-in-Docker requires privileged mode to function, which is a significant security concern.
\n Docker-in-Docker generally incurs a performance penalty and can be quite slow.<\/p>\n<\/blockquote>\n
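As an added example, not code from the original post or from the kaniko project: a job script for building with kaniko in GitLab CI, which needs neither a privileged container nor the host's Docker socket. It is meant to run inside the gcr.io\/kaniko-project\/executor:debug image (with entrypoint: [\"\"] set on the job), where \/kaniko\/executor and \/kaniko\/.docker\/config.json are the paths kaniko uses. The CI_* variables are GitLab's predefined ones; the registry and image values in the usage note are made up.

```sh
#!/bin/sh
# Added example (not from the original post or kaniko): build and push an image
# with kaniko from a GitLab CI job. Invoke as `sh kaniko-build.sh run`.
# The CI_* variables are GitLab's predefined variables.
set -eu

# Registry credentials in the Docker config.json layout that kaniko reads:
# "auth" is base64(user:password).
kaniko_auth_json() {
    auth="$(printf '%s:%s' "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')"
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$CI_REGISTRY" "$auth"
}

# Immutable, per-commit destination tag.
destination() {
    printf '%s:%s\n' "$CI_REGISTRY_IMAGE" "$CI_COMMIT_SHORT_SHA"
}

kaniko_build() {
    mkdir -p /kaniko/.docker
    # Credentials go into a file inside this job container only, never onto a
    # command line that the host could observe.
    kaniko_auth_json > /kaniko/.docker/config.json
    # kaniko executes the Dockerfile in user space and pushes the result; no
    # daemon is involved, so there is no socket or privileged flag to abuse.
    /kaniko/executor \
        --context "$CI_PROJECT_DIR" \
        --dockerfile "$CI_PROJECT_DIR/Dockerfile" \
        --destination "$(destination)"
}

# Only run the build when asked to; the helpers above are pure string
# functions and can be checked without kaniko installed.
case "${1:-}" in
    run) kaniko_build ;;
esac
```

With CI_REGISTRY=registry.example.com, CI_REGISTRY_USER=ci and CI_REGISTRY_PASSWORD=pw (made-up values) kaniko_auth_json prints {"auths":{"registry.example.com":{"auth":"Y2k6cHc="}}}, which is exactly the file a docker login would have written, minus the daemon.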

References<\/h2>\n

      https:\/\/docs.gitlab.com\/ee\/ci\/docker\/using_docker_build.html<\/a>
      \nhttps:\/\/jpetazzo.github.io\/2015\/09\/03\/do-not-use-docker-in-docker-for-ci\/<\/p>\n


Please credit when reposting: IPCPU-\u7f51\u7edc\u4e4b\u8def<\/a> » Building Docker images in GitLab CI: DinD and DooD<\/a><\/p>","protected":false},"excerpt":{"rendered":"

[…]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,13],"tags":[234,233,68,232],"_links":{"self":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1601"}],"collection":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/comments?post=1601"}],"version-history":[{"count":1,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1601\/revisions"}],"predecessor-version":[{"id":1602,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/1601\/revisions\/1602"}],"wp:attachment":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/media?parent=1601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/categories?post=1601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/tags?post=1601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}