Docker registry dind

I’m trying to use the GitLab Docker registry, but I seem to fail whatever I try; most of it has to do with CA certificates and privileged mode. My .gitlab-ci.yml file is below.

Now, here’s the problem: when I’m not running in privileged mode, I can make docker login work by mounting a volume with my CA certificates into the docker container and running update-ca-certificates. However, since I’m not running in privileged mode, I can’t use docker, because I get this error:

$ docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
$ docker build --pull -t $TEST_IMAGE .
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

So, I updated my gitlab-runner config to run in privileged mode. When I do so, for some reason, the CA certificates seem to be a problem again:

$ docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://op-gitlab.howest.be:4567/v2/: x509: certificate signed by unknown authority

Can I find a full but minimal working example somewhere with self-signed certificates and the docker registry?

image: docker:stable
services:
- docker:dind

stages:
- build
- test
- release

variables:
  TEST_IMAGE: <domain>/<group>/<container>:$CI_COMMIT_REF_NAME
  RELEASE_IMAGE: <domain>/<group>/<container>:latest

before_script:
  - echo $CI_REGISTRY
  - apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
  - mkdir -p /etc/ssl/certs/ && update-ca-certificates --fresh
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  
build:
  stage: build
  script:
    - docker build --pull -t $TEST_IMAGE .
    - docker push $TEST_IMAGE

test:
  stage: test
  script:
    - docker pull $TEST_IMAGE
    - docker run $TEST_IMAGE npm test

release:
  stage: release
  script:
    - docker pull $TEST_IMAGE
    - docker tag $TEST_IMAGE $RELEASE_IMAGE
    - docker push $RELEASE_IMAGE
  only:
    - master

Or, in short:

In config.toml, depending on the setting of privileged in the runner config, I get a different problem:

= true -> Error response from daemon: Get https://<registry-domain>:4567/v2/: x509: certificate signed by unknown authority

= false -> Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

I know it should be set to true, but if I do so, I have no clue how to make the certificates work (they do work when privileged is false!).

Not really a clean solution, but when I make the socket a volume (volumes = ["/cache", ..., "/var/run/docker.sock:/var/run/docker.sock"]) and keep privileged = false, I’m able to get to the next stage, where it fails on something else:

$ docker run $TEST_IMAGE npm test
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"npm\": executable file not found in $PATH": unknown.

Still confused why all this just doesn’t work…?

*** WARNING: Service runner-THx2q9K--project-609-concurrent-0-docker-0 probably didn't start properly.

Health check error:
ContainerStart: Error response from daemon: Cannot link to a non running container: /runner-THx2q9K--project-609-concurrent-0-docker-0 AS /runner-THx2q9K--project-609-concurrent-0-docker-0-wait-for-service/service (executor_docker.go:1321:0s)

Service container logs:
2019-01-19T20:51:18.357634640Z mount: permission denied (are you root?)
2019-01-19T20:51:18.357687609Z Could not mount /sys/kernel/security.
2019-01-19T20:51:18.357691127Z AppArmor detection and --privileged mode might break.
2019-01-19T20:51:18.359871820Z mount: permission denied (are you root?)

*********
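One way to give the dind daemon the CA it needs, as an added example that is not from the original post or from GitLab: with privileged = true the x509 error is raised by the docker daemon inside the docker:dind service container, which does its own TLS verification and never sees the certificates the before_script installs in the job container, so the CA has to be mounted where the daemon runs rather than bind-mounting the host socket (which hands every job root-equivalent control of the runner host). The runner path /srv/gitlab-runner/certs/registry-ca.crt, the runner name and the placeholder hostnames are assumptions, as is the claim that the docker executor mounts configured volumes into service containers as well as the job container; check that against the runner version in use.

```toml
# config.toml for the GitLab runner (docker executor). Added example, not the
# poster's file. Assumptions: the runner host keeps the registry's CA at
# /srv/gitlab-runner/certs/registry-ca.crt (placeholder path) and the registry
# is reached as <registry-domain>:4567, as in the original job log.
[[runners]]
  name = "dind-runner"
  url = "https://<gitlab-domain>/"
  token = "<runner-token>"
  executor = "docker"
  [runners.docker]
    image = "docker:stable"
    # Required for the docker:dind service to start its own daemon; the
    # "mount: permission denied (are you root?)" lines in the service log are
    # what it prints without this.
    privileged = true
    volumes = [
      "/cache",
      # The daemon looks in /etc/docker/certs.d/<host>:<port>/ca.crt for a
      # per-registry CA; the directory name must match the registry URL
      # exactly, port included. Assumed: runner volumes are mounted into the
      # dind service container too, so the daemon that performs the TLS
      # handshake for login, pull and push receives the file, and the job
      # container gets a copy as well. Mounted read-only.
      "/srv/gitlab-runner/certs/registry-ca.crt:/etc/docker/certs.d/<registry-domain>:4567/ca.crt:ro",
    ]
```

On the job side the apk/update-ca-certificates steps are no longer needed for the daemon, and `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` removes the CLI-password warning shown in the log. The later "npm: executable file not found" error is unrelated to TLS: it means the image built from the repository does not contain npm.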