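On July 22, 2019, Docker released version 19.03.
One change in this release affects services based on docker:dind in GitLab CI/CD: docker:dind now generates TLS certificates automatically and requires them for access to the Docker service.
The official note: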
Starting in 18.09+, the dind variants of this image will automatically generate TLS certificates in the directory specified by the DOCKER_TLS_CERTDIR environment variable. Warning: in 18.09, this behavior is disabled by default (for compatibility). If you use --network=host, shared network namespaces (as in Kubernetes pods), or otherwise have network access to the container (including containers started within the dind instance via their gateway interface), this is a potential security issue (which can lead to access to the host system, for example). It is recommended to enable TLS by setting the variable to an appropriate value (-e DOCKER_TLS_CERTDIR=/certs or similar). In 19.03+, this behavior is enabled by default.
When you use the docker:dind service after it has been updated to the latest Docker version, you may run into the following error:
docker: Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?.
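There are two ways to fix it:
1. Configure GitLab Runner to use TLS
2. Disable TLS
1. Configure TLS in GitLab Runner
* Add volumes=["/certs/client","/cache"] to the runner's configuration file. The docker:dind service creates the certificates, so we only need to mount them into the container.
For example: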
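[[runners]]
name="My Docker Runner"
url="http://gitlab.com"
token=""
executor="docker"
[runners.custom_build_dir]
[runners.docker]
# privileged mode is required by the docker:dind service
privileged=true
# "/certs/client" shares the client certificates generated by docker:dind with the job container
volumes=["/certs/client","/cache"]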
* In .gitlab-ci.yml, add the new variable DOCKER_TLS_CERTDIR: "/certs"
2. Disable TLS
* In .gitlab-ci.yml, add the new variable DOCKER_TLS_CERTDIR: ""
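A complete .gitlab-ci.yml for option 1, as an added example that is not part of the original post. The image tags, the job name and the image name are assumptions, and the three client-side variables are written out explicitly so the TLS connection settings are visible.

```yaml
# Added example: job name and image name are placeholders.
image: docker:19.03

services:
  - docker:19.03-dind

variables:
  # dind generates its CA, server and client certificates under this directory;
  # the runner's "/certs/client" volume shares the client part with the job container.
  DOCKER_TLS_CERTDIR: "/certs"
  # TLS-protected daemon port (2376), not the plaintext port 2375 from the error message.
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_VERIFY: "1"
  DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"

build:
  stage: build
  script:
    # Confirms the client certificate was mounted before talking to the daemon.
    - test -f "$DOCKER_CERT_PATH/cert.pem"
    - docker info
    - docker build -t example-image .
```

With option 2 the daemon is reached without TLS on port 2375, which the official note above describes as a potential security issue whenever other containers have network access to the dind container.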
Reference:
https://about.gitlab.com/2019/07/31/docker-in-docker-with-docker-19-dot-03/