I use Omnibus gitlab-ce 16.8.1-ce.0 and gitlab-runner 16.8.0 under Ubuntu 22.04, with Docker 24.0.5.
The config.toml for GitLab runner is:
concurrent = 2
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "ubuntu-worker-docker"
  url = "https://git.example.com/"
  token = "XXXXXXXXX"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.docker]
    tls_verify = false
    image = "docker:20.10.14"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/certs/client", "/cache"]
    shm_size = 0
    memory = "3GB"
    memory_swap = "3GB"
    memory_reservation = "2GB"
    cpus = "1"
I have limited the memory and CPUs here, per the documentation. Yet, when I run a job, these do not respect the limits, here per docker stats:
As you can see, a single job causes two Docker instances to run, with one respecting those limits (i.e., 3 GiB of maximum memory), but the other one not (maxing out the server's RAM). Here is an example .gitlab-ci.yml file:
image: docker:20.10.14
variables:
  DOCKER_HOST: tcp://docker:2376
  REGISTRY_IMAGE_PREFIX: $CI_REGISTRY/$CI_PROJECT_PATH
  DOCKER_TLS_CERTDIR: "/certs"
services:
  - docker:20.10.14-dind
before_script:
  - docker info
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
stages:
  - build
  - deploy
# build the tag images and push the versioned and latest build
build_tag:
  stage: build
  tags:
    - image-build
  only:
    - tags
  script:
    - docker build --pull --cache-from $REGISTRY_IMAGE_PREFIX/example:latest -t $REGISTRY_IMAGE_PREFIX/example:$CI_COMMIT_TAG -t $REGISTRY_IMAGE_PREFIX/example:latest example
    - docker push $REGISTRY_IMAGE_PREFIX/example:$CI_COMMIT_TAG
    - docker push $REGISTRY_IMAGE_PREFIX/example:latest
I assume that the inner Docker-in-Docker call simply does not inherit the constraints its parent has. How can I enforce them? Or can I not set them?
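Added example (editor's note, not part of the original post): the second container in the `docker stats` output is the `docker:20.10.14-dind` service, and in the Docker executor the `memory`, `memory_swap`, `memory_reservation` and `cpus` keys apply only to the build container. Service containers have their own set of keys, `service_memory`, `service_memory_swap`, `service_memory_reservation` and `service_cpus`, in the same `[runners.docker]` section. The values below are assumptions chosen to mirror the build-container limits already in the poster's config; the rest of the section is reproduced unchanged.

```toml
[[runners]]
  name = "ubuntu-worker-docker"
  url = "https://git.example.com/"
  token = "XXXXXXXXX"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:20.10.14"
    privileged = true            # required for docker:dind
    volumes = ["/certs/client", "/cache"]
    shm_size = 0
    # Limits for the build container (the one that already showed 3 GiB in docker stats)
    memory = "3GB"
    memory_swap = "3GB"
    memory_reservation = "2GB"
    cpus = "1"
    # Limits for service containers such as docker:dind (assumed values, mirroring the above).
    # Without these, the dind container runs with no cgroup limit at all.
    service_memory = "3GB"
    service_memory_swap = "3GB"
    service_memory_reservation = "2GB"
    service_cpus = "1"
```

To confirm the limits landed, run `docker inspect --format '{{.Name}} {{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' $(docker ps -q)` on the runner host while a job is executing; both the build container and the `-dind` service container should report non-zero values (3 GiB is 3221225472 bytes, one CPU is 1000000000 NanoCpus). Images built by the inner daemon run inside the dind container's cgroup, so capping the service also caps everything `docker build` spawns. Two caveats: `privileged = true` gives the job root-equivalent access to the host, so these limits are resource hygiene rather than a security boundary, and `memory_swap` equal to `memory` means no swap is allowed, which is usually what you want for a build host.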