Gitlab-runner / docker / systemd

Hi,
I'm trying to get this minimal .gitlab-ci.yml pipeline running:

deploy:centos7:
  image: centos/systemd
  script:
    - systemctl status

My gitlab-runner configuration looks as follows:
cat /etc/gitlab-runner/config.toml
concurrent = 4
check_interval = 0

[[runners]]
  name = "docker"
  url = "https://host.example.com"
  token = "ba3s974a9a41d8e1ca3da852a82ba2"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/sys/fs/cgroup:/sys/fs/cgroup:ro", "/cache"]
    shm_size = 0
  [runners.cache]

The job always results in:
$ systemctl status
Failed to get D-Bus connection: Operation not permitted
ERROR: Job failed: exit code 1

What am I doing wrong?

Cheers Jonas

You cannot use systemctl inside Docker. systemctl is part of systemd, but Docker images generally do not have systemd running.

$ docker run --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d centos/systemd
bd0435084d4b664cc752771c27b9d44a6ca4fdda6d48d1515d4dc8dff520dc49

$ docker exec -it bd0435084d4b bash
[root@bd0435084d4b /]# systemctl status
● bd0435084d4b
    State: running
     Jobs: 0 queued
   Failed: 0 units
    Since: Mon 2017-08-14 11:09:14 UTC; 17s ago
   CGroup: /docker/bd0435084d4b664cc752771c27b9d44a6ca4fdda6d48d1515d4dc8dff520dc49
           ├─ 1 /usr/sbin/init
           ├─26 bash
           ├─39 systemctl status
           ├─40 systemctl status
           └─system.slice
             └─systemd-journald.service
               └─18 /usr/lib/systemd/systemd-journald

Sure it works; there are specialised container images which support running systemd inside the container.

Hey @MrRagga, did you ever figure this out?

Hey Steve,
No, sadly no progress on this issue. But I still would love to get it running.

Can't believe that there are no other people who have the same issue and need to test services with native systemd support.
My current workaround is:

  • write systemd unit file
  • take the command from the unit file, run it manually and don’t start the service via systemd itself.

Cheers Jonas
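The manual workaround above (take the command out of the unit file and run it yourself instead of through systemd), worked through as an added example that is not part of the thread: a small Python helper that extracts ExecStart= from a unit, applies its Environment= lines and strips the prefixes that only mean something to systemd. The unit text is constructed for the example, the function names are this example's own, and only the subset of systemd.service(5) syntax needed for this is handled.

```python
"""Run a unit's ExecStart= command directly, without systemd as PID 1.

Added example, not code from the thread. UNIT_TEXT is constructed for the
example. Only the subset of systemd.service(5) syntax that matters here is
handled: Environment= lines, ${VAR} and $VAR expansion, and the single-character
prefixes systemd allows in front of the executable. shlex.split stands in for
systemd's own quoting rules, which are close but not identical.
"""
import shlex

UNIT_TEXT = """\
[Unit]
Description=Example service (constructed for this example)

[Service]
Environment="OPTS=--bind 127.0.0.1 --port 8080" LOG_LEVEL=info
ExecStart=-/usr/bin/myservice $OPTS --log-level ${LOG_LEVEL}
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

# "-": tolerate a non-zero exit; "@": the next word becomes argv[0]; ":": no
# variable expansion; "+" / "!": run with full privileges. A plain manual run
# cannot reproduce "@", "+" or "!", so they are stripped; "-" and ":" are honoured.
EXEC_PREFIXES = "-@:+!"


def parse_unit(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def service_environment(service):
    """Merge every Environment= line into one dict; later assignments win."""
    env = {}
    for key, value in service:
        if key == "Environment":
            for assignment in shlex.split(value):
                name, _, val = assignment.partition("=")
                env[name] = val
    return env


def expand(word, env):
    """${VAR} becomes exactly one argument; $VAR is split on whitespace."""
    if word.startswith("${") and word.endswith("}"):
        return [env.get(word[2:-1], "")]
    if word.startswith("$") and word[1:].isidentifier():
        return env.get(word[1:], "").split()
    return [word]


def exec_start_argv(text):
    """Return (argv, tolerate_failure) for the unit's last ExecStart= line."""
    service = parse_unit(text).get("Service", [])
    lines = [value for key, value in service if key == "ExecStart"]
    if not lines:
        raise ValueError("unit has no ExecStart=")
    env = service_environment(service)
    words = shlex.split(lines[-1])  # several lines are only legal for Type=oneshot
    executable, tolerate_failure, expand_vars = words[0], False, True
    while executable and executable[0] in EXEC_PREFIXES:
        tolerate_failure |= executable[0] == "-"
        expand_vars &= executable[0] != ":"
        executable = executable[1:]
    argv = [executable]
    for word in words[1:]:
        argv.extend(expand(word, env) if expand_vars else [word])
    return argv, tolerate_failure


if __name__ == "__main__":
    argv, tolerate_failure = exec_start_argv(UNIT_TEXT)
    note = "  # a non-zero exit would be tolerated by systemd" if tolerate_failure else ""
    print(shlex.join(argv) + note)
```

What this does not give you is what the thread is actually after: ordering against other units, restart policy, sandboxing directives and the like are all lost, which is why the helper only returns argv and the one flag a test script can act on.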

I'm looking at some Red Hat docs here and I've added /tmp and /run as tmpfs volumes, and I'm still seeing the same thing as you.

My use case is that I'm building an RPM and would like to be able to install it into a Docker image and run goss to test whether the RPM can start services and the like. Works great for local testing, but I can't make it go in GitLab CI.

Hi.

I have the same problem. I'm testing Ansible code and therefore want to start services just like on other systems, which fails.

Is there any solution, yet?

Cheers,
Thomas

Hi,

starting a service inside a container with systemd is quite some work and not one of the recommended ways AFAIK. I would opt for a virtual machine spun up in the cloud for the CI job, and run the services and tests in there.

Reading more on Molecule for testing Ansible playbooks at https://www.toptechskills.com/ansible-tutorials-courses/rapidly-build-test-ansible-roles-molecule-docker/#dealing-with-services

This leads me to some findings:

Unfortunately I have no experience with Molecule in combination with Ansible, but I would recommend leaving out the CI runner and trying to make this work locally in Docker first.

Cheers,
Michael


It took me quite some time and a lot of trial and error, but finally I got it working.

As a prerequisite you should know that I'm running this within a customer's setup, so I don't have full access and could not easily change the GitLab configuration or the Runner configuration. That's one of the reasons why I had to disable TLS: I can't just hand over certificates from one container to another.

Here's most of the .gitlab-ci.yml:

# Workaround to deactivate TLS on current DIND containers found at: https://about.gitlab.com/releases/2019/07/31/docker-in-docker-with-docker-19-dot-03/
image:
  name: quay.io/ansible/molecule:latest

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""

services:
- docker:dind

before_script:
  - docker -v
  - python -V
  - ansible --version
  - molecule --version
  # the following is needed as long as the molecule container has an old version of molecule which just fails with our configuration
  - pip install --upgrade molecule
  - molecule --version

stages:
  - validate
  - my_test

validate:
  stage: validate
  script:
    - ansible-lint -v tests/test.yml
  only:
    - branches

my_test:
  stage: my_test
  variables:
    DOCKER_HOST: "tcp://docker:2375"
  script:
    - molecule test -s default
  only:
    - branches

The corresponding molecule.yml:

---
dependency:
  name: galaxy
driver:
  name: docker
platforms:
  - name: instance
    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
    command: ${MOLECULE_DOCKER_COMMAND:-""}
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    privileged: true
    pre_build_image: true
provisioner:
  name: ansible
verifier:
  name: ansible

And converge.yml:

---
# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another
# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
- name: Converge
  hosts: all
  tasks:
    - name: "Include common"
      include_role:
        name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
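The configurations in this thread, taken together, trade host isolation for the ability to start systemd and a second Docker daemon inside jobs: a privileged executor in the question's config.toml, TLS switched off in the docker:dind service above, and the daemon reached over plain TCP. As an added example that is not part of the thread or of GitLab's own tooling, here is a Python audit that parses both files and reports those settings so the cost shows up in the CI log. The two embedded inputs are constructed copies of the posted files with the runner token replaced by a placeholder; the function names, finding texts and severities are this example's own.

```python
"""Audit the runner and CI configurations posted in this thread.

Added example, not code from the thread or from GitLab. RUNNER_CONFIG and
CI_CONFIG are constructed copies of the files posted above, with the runner
token replaced by a placeholder; the findings and severities are this
example's own wording.
"""
import re

RUNNER_CONFIG = """\
concurrent = 4
check_interval = 0

[[runners]]
  name = "docker"
  url = "https://host.example.com"
  token = "REDACTED-RUNNER-TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/sys/fs/cgroup:/sys/fs/cgroup:ro", "/cache"]
    shm_size = 0
  [runners.cache]
"""

CI_CONFIG = """\
variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""

services:
  - docker:dind

my_test:
  variables:
    DOCKER_HOST: "tcp://docker:2375"
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def _toml_value(raw):
    """Strings, booleans, integers and string arrays: all config.toml needs."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return raw.strip('"')
    if raw.startswith("["):
        return re.findall(r'"([^"]*)"', raw)
    return int(raw)


def parse_toml_subset(text):
    """{section_path: {key: value}} for the flat subset GitLab Runner uses.

    Keys before the first header land in section "". Not a full TOML parser.
    """
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = line.strip("[]")
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = _toml_value(value.strip())
    return sections


def audit_runner_config(text):
    """Findings as (severity, setting, why) for a runner config.toml."""
    docker = parse_toml_subset(text).get("runners.docker", {})
    findings = []
    if docker.get("privileged") is True:
        findings.append(("high", "runners.docker.privileged = true",
                         "job containers get every capability and raw device access; a job "
                         "can mount the host's disks or start its own daemon, so treat any "
                         "job here as root on the runner host (docker:dind needs exactly this)"))
    if docker.get("tls_verify") is False:
        findings.append(("medium", "runners.docker.tls_verify = false",
                         "no certificate verification when the runner reaches a daemon over TCP"))
    for volume in docker.get("volumes", []):
        parts = volume.split(":")
        if parts[0] == "/var/run/docker.sock":
            findings.append(("high", f"volume {volume}",
                             "the host's Docker socket is handed to jobs: root on the host"))
        elif parts[0] == "/sys/fs/cgroup" and "ro" not in parts[2:]:
            findings.append(("high", f"volume {volume}",
                             "host cgroup tree mounted read-write; keep the :ro from the post"))
    return findings


def audit_ci_config(text):
    """Findings as (severity, setting, why) for the dind parts of .gitlab-ci.yml."""
    findings = []
    if re.search(r"""^\s*DOCKER_TLS_CERTDIR:\s*(""|'')\s*$""", text, re.M):
        findings.append(("medium", 'DOCKER_TLS_CERTDIR: ""',
                         "turns TLS off in the dind service; its daemon then listens on 2375 "
                         "with no authentication (the Docker 19.03 workaround linked above)"))
    for match in re.finditer(r'DOCKER_HOST:\s*"?tcp://([^"\s]+)', text):
        if match.group(1).endswith(":2375"):
            findings.append(("medium", f"DOCKER_HOST: tcp://{match.group(1)}",
                             "plaintext, unauthenticated Docker API; anything on the job's "
                             "network can drive the daemon the same way"))
    if re.search(r"^\s*-\s*docker:dind\s*$", text, re.M):
        findings.append(("info", "services: docker:dind",
                         "a second Docker daemon in a privileged service container; "
                         "only works on a privileged runner"))
    return findings


def report(findings):
    """Render findings, most severe first, as lines for a CI log."""
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])
    return [f"[{sev.upper():6}] {setting}: {why}" for sev, setting, why in ordered]


if __name__ == "__main__":
    for line in report(audit_runner_config(RUNNER_CONFIG) + audit_ci_config(CI_CONFIG)):
        print(line)
```

Run as a script it prints the findings most severe first; in a pipeline you would point it at the real files and gate on any finding that is not on an explicit allow-list for that runner. None of this says the thread's settings are wrong for its purpose: privileged = true is exactly what docker:dind and a systemd PID 1 need, and the point of the report is to make that cost visible next to the job that depends on it.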