Building docker containers in k8s runner

Howdy,

I have an out-of-the-box GKE cluster running a Helm-installed gitlab-ci runner. Here’s the relevant yaml:

Name:         runner-gitlab-runner-57f5b757dc-2vjnt
Namespace:    gitlab-managed-apps
Priority:     0
Node:         gke-gitlab-runners-default-pool-967eeb7f-tpsn/10.128.15.200
Start Time:   Mon, 03 May 2021 19:32:23 -0400
Labels:       app=runner-gitlab-runner
              chart=gitlab-runner-0.28.0
              heritage=Helm
              pod-template-hash=57f5b757dc
              release=runner

The issue I’m running into is running any docker build scripts within this runner. I attempted to do the steps described here in order to expose the host’s docker socket to my build containers.
The related .gitlab-ci.yml to do so is

stages:
  - build

build:
  stage: build
  image: google/cloud-sdk:latest
  script:
    # Authenticate to GCloud
    - ./google-auth.sh
    # Bootstrap the docker image
    - docker build 
      --build-arg from=us.gcr.io/mining-suite/python:3.8.6-slim
      --build-arg ENVIRONMENT=production 
      -t us.gcr.io/mining-suite/api:$CI_COMMIT_SHA .

and the related configmap is

apiVersion: v1
data:
  check-live: |
    #!/bin/bash
    if /usr/bin/pgrep -f .*register-the-runner; then
      exit 0
    elif /usr/bin/pgrep gitlab.*runner; then
      exit 0
    else
      exit 1
    fi
  config.template.toml: |
    [[runners]]
      [runners.kubernetes]
        image = "ubuntu:20.04"
  config.toml: |
    concurrent = 4
    check_interval = 3
    log_level = "info"
    listen_address = ':9252'
    [[runners]]
      [runners.kubernetes]
        [[runners.kubernetes.volumes.host_path]]
          name = "docker"
          mount_path = "/var/run/docker.sock"
          # host_path must be absolute; the original was missing the leading slash
          host_path = "/var/run/docker.sock"
  configure: |
    set -e
    cp /init-secrets/* /secrets
  entrypoint: |
    #!/bin/bash
    set -e
    mkdir -p /home/gitlab-runner/.gitlab-runner/
    cp /configmaps/config.toml /home/gitlab-runner/.gitlab-runner/
    # Set up environment variables for cache
    if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then
      export CACHE_S3_ACCESS_KEY=$(cat /secrets/accesskey)
      export CACHE_S3_SECRET_KEY=$(cat /secrets/secretkey)
    fi
    if [[ -f /secrets/gcs-applicaton-credentials-file ]]; then
      export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-applicaton-credentials-file"
    elif [[ -f /secrets/gcs-application-credentials-file ]]; then
      export GOOGLE_APPLICATION_CREDENTIALS="/secrets/gcs-application-credentials-file"
    else
      if [[ -f /secrets/gcs-access-id && -f /secrets/gcs-private-key ]]; then
        export CACHE_GCS_ACCESS_ID=$(cat /secrets/gcs-access-id)
        # echo -e used to make private key multiline (in google json auth key private key is oneline with \n)
        export CACHE_GCS_PRIVATE_KEY=$(echo -e $(cat /secrets/gcs-private-key))
      fi
    fi
    if [[ -f /secrets/azure-account-name && -f /secrets/azure-account-key ]]; then
      export CACHE_AZURE_ACCOUNT_NAME=$(cat /secrets/azure-account-name)
      export CACHE_AZURE_ACCOUNT_KEY=$(cat /secrets/azure-account-key)
    fi
    if [[ -f /secrets/runner-registration-token ]]; then
      export REGISTRATION_TOKEN=$(cat /secrets/runner-registration-token)
    fi
    if [[ -f /secrets/runner-token ]]; then
      export CI_SERVER_TOKEN=$(cat /secrets/runner-token)
    fi
    # Register the runner
    if ! sh /configmaps/register-the-runner; then
      exit 1
    fi
    # Run pre-entrypoint-script
    if ! bash /configmaps/pre-entrypoint-script; then
      exit 1
    fi
    # Start the runner
    exec /entrypoint run --user=gitlab-runner \
      --working-directory=/home/gitlab-runner
  pre-entrypoint-script: ""
  register-the-runner: |
    #!/bin/bash
    MAX_REGISTER_ATTEMPTS=30
    for i in $(seq 1 "${MAX_REGISTER_ATTEMPTS}"); do
      echo "Registration attempt ${i} of ${MAX_REGISTER_ATTEMPTS}"
      /entrypoint register \
        --template-config /configmaps/config.template.toml \
        --non-interactive
      retval=$?
      if [ ${retval} = 0 ]; then
        break
      elif [ ${i} = ${MAX_REGISTER_ATTEMPTS} ]; then
        exit 1
      fi
      sleep 5
    done
    exit 0
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: runner
    meta.helm.sh/release-namespace: gitlab-managed-apps
  creationTimestamp: "2021-05-03T14:40:29Z"
  labels:
    app: runner-gitlab-runner
    app.kubernetes.io/managed-by: Helm
    chart: gitlab-runner-0.28.0
    heritage: Helm
    release: runner
  name: runner-gitlab-runner
  namespace: gitlab-managed-apps
  resourceVersion: "187603"
  selfLink: /api/v1/namespaces/gitlab-managed-apps/configmaps/runner-gitlab-runner
  uid: 846a7fb6-5649-4f1d-a94e-aac9804eeabe

I’ve made sure to bounce the pod after updating the configmap, and it even appears in ~/.gitlab-runner/config.toml on the runner’s container, but it still doesn’t seem to pick it up.

Any help is appreciated. Thanks.

Hi @based64god,
New GKE clusters are not running on Docker anymore. See here. Look for a big red warning.

If you need it, make sure your nodes are running one of the deprecated Docker-based images.

Otherwise I suggest building using Kaniko. Here are some docs by GitLab and Kaniko.

You also need to know that Docker as a runtime for Kubernetes has been deprecated since 1.20 and is planned to be removed in 1.22.
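As an added example (not from the original post or the reply), this is the same build job rewritten for Kaniko: it produces the same us.gcr.io/mining-suite/api image with the same build args, runs entirely inside the job pod, and needs no host_path volume for the Docker socket in the runner's config.toml. It assumes a Dockerfile at the repository root that declares ARG from and ARG ENVIRONMENT, and a GitLab CI variable named GCR_JSON_KEY (type "File") holding a GCP service-account key with push rights on us.gcr.io/mining-suite.

```yaml
# Added example, not the original poster's pipeline: Kaniko build for the Kubernetes executor.
# Assumed: ./Dockerfile with ARG from / ARG ENVIRONMENT, CI file variable GCR_JSON_KEY.
stages:
  - build

build:
  stage: build
  image:
    # The :debug tag ships a busybox shell, which GitLab needs to run the script lines.
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # GCR accepts a service-account JSON key as basic-auth: user "_json_key", password = key contents.
    - mkdir -p /kaniko/.docker
    - AUTH=$(printf '_json_key:%s' "$(cat "$GCR_JSON_KEY")" | base64 | tr -d '\n')
    - printf '{"auths":{"us.gcr.io":{"auth":"%s"}}}' "$AUTH" > /kaniko/.docker/config.json
    # Same build args and tag as the docker build in the original job; Kaniko pushes on success.
    - /kaniko/executor
      --context "$CI_PROJECT_DIR"
      --dockerfile "$CI_PROJECT_DIR/Dockerfile"
      --build-arg from=us.gcr.io/mining-suite/python:3.8.6-slim
      --build-arg ENVIRONMENT=production
      --destination "us.gcr.io/mining-suite/api:$CI_COMMIT_SHA"
```

To confirm which runtime the nodes actually have, `kubectl get nodes -o wide` prints a CONTAINER-RUNTIME column; on the newer GKE images it reads containerd://..., which is why /var/run/docker.sock does not exist on the node for the host_path mount to reach.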