
Building and pushing docker image from Gitlab-CI to Amazon AWS ECR

I have a private Gitlab hosted on my own machine. I store my code in Gitlab and would like to build a Docker image from the Dockerfile and push it after that to my Amazon ECR registry. Unfortunately, this does not work because it throws an error:

Flag --email has been deprecated, will be removed in 1.13.
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
/dev/mapper/control: open failed: Operation not permitted
Failure to communicate with kernel device-mapper driver.
Check that device-mapper is available in the kernel.
Command failed
mount: permission denied
Could not mount /sys/kernel/security.
AppArmor detection and --privileged mode might break.
mkdir: cannot create directory '/sys/fs/cgroup/name=systemd': Read-only file system
mount: mount point /sys/fs/cgroup/name=systemd is not a directory
ln: failed to create symbolic link '/sys/fs/cgroup/systemd/name=systemd': Read-only file system

Timed out trying to connect to internal docker host.

The gitlab-ci code looks like this:

stages:
  - build

build_airflow:
  stage: build
  only: [master, develop]
  image: gitlab/dind:latest
  services:
    - docker:dind
  script:
    - APP=airflow
    - sh ./scripts/login-ecs.sh my_fancy_project

The login-ecs.sh script simply executes eval $(/usr/local/bin/aws ecr get-login --region eu-central-1), which should log the image in to the ECR docker registry (source: https://blog.madisonhub.org/gitlab-ci-build-how-to-login-to-ecr/).

I cannot find the problem, so I hope that you can help me.

Thank you in advance.

PS: If I execute the command from aws ecr get-login locally, it works fine. So it must have something to do with GitLab. Do I have to change some configuration so that private registry logins are allowed?

CapCa asked Mar 21 '17 15:03


1 Answer

Background:
You are basically trying to run a docker server within a docker container, which is not available in gitlab-ci by default. You can check the status of the docker client and server by running:

docker version

in your gitlab-ci script. This is generally a good idea just to ensure that client and server are running correctly.

You will notice after you run this that the docker server is not running, which is why you got this error: Cannot connect to the Docker daemon. Is the docker daemon running on this host?

Solution:
There are a few ways to fix this issue, as described in detail in the GitLab docs here:
https://docs.gitlab.com/ce/ci/docker/using_docker_build.html

The way we solved it is using the docker-in-docker executor, which involves updating your GitLab Runner configuration and running your build using the special docker-in-docker (dind) Docker image.

You will need to update the runner so it runs in privileged mode. Here is a sample config.toml:

[[runners]]
  url = "https://gitlab.com/ci"
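  token = "TOKEN"  # the runner's registration token, as a quoted TOML string
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true  # needed so the docker:dind service can start its daemon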
    disable_cache = false
    volumes = ["/cache"]
  [runners.cache]
    Insecure = false

And then use the docker:latest image and docker:dind service. Here is a sample gitlab-ci.yaml snippet:

image: docker:latest

# When using dind, it's wise to use the overlayfs driver for
# improved performance.
variables:
  DOCKER_DRIVER: overlay

services:
- docker:dind

before_script:
- docker info

build:
  stage: build
  script:
  - docker version
  - docker build -t my-docker-image .
  - docker run my-docker-image /script/to/run/tests

Another method is to set up a separate docker server and set the environment variables DOCKER_TLS_VERIFY and DOCKER_HOST so your docker client can securely connect to the server.

To enable TLS you will need to follow these instructions:
https://docs.docker.com/engine/security/https/

nauman hafiz answered Nov 02 '22 01:11
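
The login, build and push steps the question is after, as an added example that is not code from the question or the answer. It assumes an AWS CLI that provides `aws ecr get-login-password` (used here in place of the question's `eval $(aws ecr get-login)`), a job running on the docker:dind setup from the answer, and a hypothetical script that takes account id, region, repository and tag as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Account id, repository name and
# tag are supplied by the caller; nothing here is specific to one project.

# Registry host for an account and region: <id>.dkr.ecr.<region>.amazonaws.com
ecr_registry() {   # $1 = AWS account id, $2 = region
    case "$1" in
        ""|*[!0-9]*) echo "account id must be numeric: '$1'" >&2; return 2 ;;
    esac
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# `docker version` exits non-zero when the client cannot reach a daemon,
# which is the failure the question ran into.
docker_ready() {
    docker version >/dev/null 2>&1 && return 0
    echo "docker daemon unreachable (DOCKER_HOST=${DOCKER_HOST:-unset});" \
         "check the docker:dind service and the runner's privileged setting" >&2
    return 1
}

# Log in without eval and without the password on a command line.
ecr_login() {      # $1 = registry host, $2 = region
    pw=$(aws ecr get-login-password --region "$2") || return 1
    [ -n "$pw" ] || return 1
    printf '%s' "$pw" | docker login --username AWS --password-stdin "$1" >/dev/null
}

# Prints the pushed image reference on stdout; docker output goes to stderr.
build_and_push() { # $1 = account id, $2 = region, $3 = repository, $4 = tag
    registry=$(ecr_registry "$1" "$2") || return 2
    image="$registry/$3:$4"
    docker_ready || return 1
    ecr_login "$registry" "$2" || { echo "ECR login failed" >&2; return 1; }
    docker build -t "$image" . >&2 || return 1
    docker push "$image" >&2 || return 1
    echo "$image"
}

# Run only when arguments are given, e.g. from the job's script: section.
[ "$#" -eq 0 ] || build_and_push "$@"
```

Because the daemon check runs first, a job on a runner without a reachable daemon stops with that message instead of failing later inside the login step.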