
I have a problem running Docker in the Kubernetes runner. I've installed the Kubernetes runner with Helm and set privileged mode to true:

runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "ubuntu:20.04"
        privileged = true
        allow_privilege_escalation = true 

I've created a simple .gitlab-ci.yaml for a test:

stages:
  - docker_test

services:
  - docker:dind

docker_test:
  stage: docker_test
  image: docker:latest
  variables:
      DOCKER_HOST: "tcp://docker:2375"
  script:
  - docker version

But when I fire this pipeline I'm getting an error:

Running with gitlab-runner 14.6.0 (5316d4ac)
  on gitlab-runner-gitlab-runner-5cc654bdf7-gjfvm augRojS5
Preparing the "kubernetes" executor
00:00
Using Kubernetes namespace: gitlab-runner
Using Kubernetes executor with image docker:latest ...
Using attach strategy to execute scripts...
Preparing environment
00:06
Waiting for pod gitlab-runner/runner-augrojs5-project-30333904-concurrent-0k66kk to be running, status is Pending
Waiting for pod gitlab-runner/runner-augrojs5-project-30333904-concurrent-0k66kk to be running, status is Pending
    ContainersNotReady: "containers with unready status: [build helper svc-0]"
    ContainersNotReady: "containers with unready status: [build helper svc-0]"
Running on runner-augrojs5-project-30333904-concurrent-0k66kk via gitlab-runner-gitlab-runner-5cc654bdf7-gjfvm...
Getting source from Git repository
00:03
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/gurita/gurita-core/.git/
Created fresh repository.
Checking out fe720f2f as main...
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:00
$ docker version
Client:
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:40:57 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true
Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: command terminated with exit code 1

I tried it without the variable, but in that case there is no /var/run/docker.sock.


2 Answers


Thank you for your hint about mounting docker.sock.

This worked for me:

runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        image = "ubuntu:20.04"
        privileged = true
      [[runners.kubernetes.volumes.empty_dir]]
        name = "docker-emptydir"
        mount_path = "/var/run"
        medium = "Memory"

Thanks again


1 Comment

How can this be solved without privilege escalation?

You need to mount the host's docker socket:

[runners.kubernetes]
  image = "ubuntu:18.04"
  privileged=true
  [[runners.kubernetes.volumes.host_path]]
    name = "docker-socket"
    mount_path = "/var/run/docker.sock"
    read_only = false
    host_path = "/var/run/docker.sock"

(NOTE: This is from one of my old gitlab installations, I haven't tested this against the latest release)

Here's my full Runner block. You can swap my config in for yours (make a backup of your old config first) and see if it works. Obviously change things as needed -- for example I use a specific node pool, hence the node_selector and node_tolerations sections.

## Installation & configuration of gitlab/gitlab-runner
## See requirements.yaml for current version
gitlab-runner:
  install: true
  rbac:
    create: true
  runners:
    locked: false
    privileged: true
    cache:
      secretName: google-application-credentials
    config: |
      [[runners]]
        [runners.feature_flags]
          FF_GITLAB_REGISTRY_HELPER_IMAGE = true
          FF_SKIP_DOCKER_MACHINE_PROVISION_ON_CREATION_FAILURE = true
        [runners.kubernetes]
          image = "ubuntu:18.04"
          privileged=true
          [[runners.kubernetes.volumes.host_path]]
            name = "docker-socket"
            mount_path = "/var/run/docker.sock"
            read_only = false
            host_path = "/var/run/docker.sock"
          [runners.kubernetes.node_selector]
            "cloud.google.com/gke-nodepool" = "gitlab-runners"
          [runners.kubernetes.node_tolerations]
            "appName=gitlab" = "NoExecute"
        {{- if .Values.global.minio.enabled }}
        [runners.cache]
          Type = "gcs"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.gcs]
            BucketName = "runner-cache"
        {{ end }}
  podAnnotations:
    gitlab.com/prometheus_scrape: "true"
    gitlab.com/prometheus_port: 9252

4 Comments

Yes, I have tried this also, but the dind container is getting an error: time="2022-01-18T22:14:03.338172340Z" level=info msg="Starting up" time="2022-01-18T22:14:03.341282369Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not failed to load listeners: can't create unix socket /var/run/docker.sock: is a directory
I've added my own runner config block. You can try that as a starting point. Also, is there a reason why you're mounting /var/run as a memory-based file system?
I cannot use host_path because on the host I don't use Docker; I have containerd as the CRI. I need to share the socket from the dind service, that is why I used empty_dir. With empty_dir I cannot mount just one file, so I'm mounting the whole /var/run and sharing it between the containers in the pod.
Thanks, that makes sense now.
