How to configure a self-hosted runner to test a dockerized PHP project

GitLab CI/CD
1

I am trying and failing to set up a self-hosted runner to use with a self-managed Gitlab instance for CI of a containerized PHP project.
I created a new test-repository by following this tutorial from docker.com.
You can find the repository on Gitlab.com SaaS instance here.

The original tutorial uses Github Actions. I was able to get the repository to run with Gitlab CI using a template CI file for Docker in Docker, which is located here. This works as expected using one of the hosted runners at Gitlab.com. This is the first ~50 lines of the output from the runner in the web-interface of Gitlab.com:

Running with gitlab-runner 16.6.0~beta.105.gd2263193 (d2263193)
  on blue-3.saas-linux-small-amd64.runners-manager.gitlab.com/default zxwgkjAP, system ID: s_d5d3abbdfd0a
  feature flags: FF_USE_IMPROVED_URL_MASKING:true
Preparing the "docker+machine" executor
00:31
Using Docker executor with image docker:cli ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image sha256:e5fbe8997fd9ff8f2894874c12a4fbc5fc1bb42d08a7db8433bbe09066562a2a for docker:dind with digest docker@sha256:0d70c541ee98e66b8f7ece8c0e9f7910732466e337a9087c2ac2868ef0775092 ...
Waiting for services to be up and running (timeout 30 seconds)...
Pulling docker image docker:cli ...
Using docker image sha256:250a0da50f2db4ecf793b2ed9d4493065e25cc9b6c06e147393c6caa8fad282a for docker:cli with digest docker@sha256:4e368a0762d185ea8f8dfea1fa99bc6cd8841d71f29eb4c46edecb4adc933381 ...
Preparing environment
00:00
Running on runner-zxwgkjap-project-55390451-concurrent-0 via runner-zxwgkjap-s-l-s-amd64-1709140457-a7efc437...
Getting source from Git repository
00:01
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/michael.mell/docker-php-sample/.git/
Created fresh repository.
Checking out 7e32d79a as detached HEAD (ref is main)...
Skipping Git submodules setup
$ git remote set-url origin "${CI_REPOSITORY_URL}"
Executing "step_script" stage of the job script
00:49
Using docker image sha256:250a0da50f2db4ecf793b2ed9d4493065e25cc9b6c06e147393c6caa8fad282a for docker:cli with digest docker@sha256:4e368a0762d185ea8f8dfea1fa99bc6cd8841d71f29eb4c46edecb4adc933381 ...
$ docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker build --pull -t "$DOCKER_IMAGE_NAME" .
#0 building with "default" instance using docker driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 1.35kB done
#1 DONE 0.0s
#2 [internal] load metadata for docker.io/library/php:8.2-apache
#2 ...
#3 [internal] load metadata for docker.io/library/composer:lts
#3 DONE 0.5s
#2 [internal] load metadata for docker.io/library/php:8.2-apache
#2 DONE 0.5s
#4 [internal] load .dockerignore
#4 transferring context: 688B done
#4 DONE 0.0s
#5 [internal] load build context
#5 transferring context: 64.83kB done
#5 DONE 0.0s
#6 [base 1/3] FROM docker.io/library/php:8.2-apache@sha256:d817128eff36b02b2ec7a297dde58a7e04feef0b4900bab6f832e6d64d244c2d

[ELIDED: total number of lines is 540]

I am now trying reproduce this setup for our self-managed Gitlab instance using a self-hosted runner. But failing at it.

I am trying to use the Docker runner, which is at version 16.9.1 and matches that of our Gitlab instance:

docker run --rm -t -i gitlab/gitlab-runner --version
Version:      16.9.1
Git revision: 782c6ecb
Git branch:   16-9-stable
GO version:   go1.21.7
Built:        2024-02-28T16:51:21+0000
OS/Arch:      linux/amd64

Registering the Docker container with the Gitlab project worked. But when I trigger the pipeline I get output with errors. This is the log from Gitlab runner (copied from the web-interface of our self-managed Gitlab instance):

Running with gitlab-runner 16.9.1 (782c6ecb)
  on docker-runner 279RD8YJX, system ID: r_JN9x9MI18fwv
Preparing the "docker" executor
00:35
Using Docker executor with image docker:cli ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image sha256:e5fbe8997fd9ff8f2894874c12a4fbc5fc1bb42d08a7db8433bbe09066562a2a for docker:dind with digest docker@sha256:0d70c541ee98e66b8f7ece8c0e9f7910732466e337a9087c2ac2868ef0775092 ...
Waiting for services to be up and running (timeout 30 seconds)...
*** WARNING: Service runner-279rd8yjx-project-2949-concurrent-0-0ed178639dcae587-docker-0 probably didn't start properly.
Health check error:
service "runner-279rd8yjx-project-2949-concurrent-0-0ed178639dcae587-docker-0-wait-for-service" timeout
Health check container logs:
2024-03-01T09:26:41.475113076Z waiting for TCP connection to 172.17.0.3 on [2375 2376]...
2024-03-01T09:26:41.475226760Z dialing 172.17.0.3:2376...
2024-03-01T09:26:41.475237283Z dialing 172.17.0.3:2375...
2024-03-01T09:26:42.475493674Z dialing 172.17.0.3:2375...
2024-03-01T09:26:42.475513935Z dialing 172.17.0.3:2376...
2024-03-01T09:26:43.475785643Z dialing 172.17.0.3:2375...
2024-03-01T09:26:43.475818138Z dialing 172.17.0.3:2376...
Service container logs:
2024-03-01T09:26:42.596692269Z Certificate request self-signature ok
2024-03-01T09:26:42.596730042Z subject=CN = docker:dind server
2024-03-01T09:26:42.610490594Z /certs/server/cert.pem: OK
2024-03-01T09:26:42.832840360Z Certificate request self-signature ok
2024-03-01T09:26:42.832862834Z subject=CN = docker:dind client
2024-03-01T09:26:42.846603455Z /certs/client/cert.pem: OK
2024-03-01T09:26:42.849070801Z cat: can't open '/proc/net/ip6_tables_names': No such file or directory
2024-03-01T09:26:42.849596064Z cat: can't open '/proc/net/arp_tables_names': No such file or directory
2024-03-01T09:26:42.851683151Z ip: can't find device 'nf_tables'
2024-03-01T09:26:42.852421836Z nf_tables             372736 702 nft_reject_ipv4,nft_reject,nft_ct,nft_masq,nft_chain_nat,nft_limit,nft_compat
2024-03-01T09:26:42.852877460Z libcrc32c              12288  3 nf_nat,nf_conntrack,nf_tables
2024-03-01T09:26:42.852884490Z nfnetlink              20480  4 nf_conntrack_netlink,nft_compat,nf_tables
2024-03-01T09:26:42.853400269Z modprobe: can't change directory to '/lib/modules': No such file or directory
2024-03-01T09:26:42.855420189Z ip: can't find device 'ip_tables'
2024-03-01T09:26:42.856502324Z ip_tables              36864  0 
2024-03-01T09:26:42.856550736Z x_tables               69632 13 xt_nat,xt_MASQUERADE,ip6t_REJECT,xt_hl,ip6t_rt,ipt_REJECT,xt_LOG,xt_limit,xt_addrtype,xt_tcpudp,xt_conntrack,nft_compat,ip_tables
2024-03-01T09:26:42.856985484Z modprobe: can't change directory to '/lib/modules': No such file or directory
2024-03-01T09:26:42.858649789Z iptables v1.8.10 (nf_tables)
2024-03-01T09:26:42.861301537Z mount: permission denied (are you root?)
2024-03-01T09:26:42.861400687Z Could not mount /sys/kernel/security.
2024-03-01T09:26:42.861408543Z AppArmor detection and --privileged mode might break.
2024-03-01T09:26:42.862656870Z mount: permission denied (are you root?)
*********
Pulling docker image docker:cli ...
Using docker image sha256:250a0da50f2db4ecf793b2ed9d4493065e25cc9b6c06e147393c6caa8fad282a for docker:cli with digest docker@sha256:4e368a0762d185ea8f8dfea1fa99bc6cd8841d71f29eb4c46edecb4adc933381 ...
Preparing environment
00:01
Running on runner-279rd8yjx-project-2949-concurrent-0 via 02ee6b36a5ad...
Getting source from Git repository
00:01
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/researchit/docker-php-sample/.git/
Checking out 7e32d79a as detached HEAD (ref is main)...
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:00
Using docker image sha256:250a0da50f2db4ecf793b2ed9d4493065e25cc9b6c06e147393c6caa8fad282a for docker:cli with digest docker@sha256:4e368a0762d185ea8f8dfea1fa99bc6cd8841d71f29eb4c46edecb4adc933381 ...
$ docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
error during connect: Post "http://docker:2375/v1.24/auth": dial tcp: lookup docker on 131.152.227.92:53: no such host
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

I would be grateful for any suggestions. Thanks in advance and best regards,
Michael

Steps to reproduce

  • Install Docker (I am using Ubuntu 23.10).
  • Configure the dockered Gitlab runner:
DOCKER_VOLUME="gitlab-runner-config"
docker volume create $DOCKER_VOLUME

docker run --rm -v $DOCKER_VOLUME:/etc/gitlab-runner gitlab/gitlab-runner register \
  --non-interactive \
  --url "$GITLAB_URL" \
  --token "$RUNNER_TOKEN" \
  --executor "docker" \
  --docker-image alpine:latest \
  --description "$RUNNER_DESCRIPTION"

docker run -d --name gitlab-runner --restart always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v $DOCKER_VOLUME:/etc/gitlab-runner \
    gitlab/gitlab-runner:latest

  • Register the Docker container with Gitlab as describer here.

  • Trigger the pipline in Gitlab.

Configuration

See Gitlab repository: Michael Mell / docker-php-sample ยท GitLab

Versions

Please select whether options apply, and add the version information.

  • Self-managed: 16.9.1
  • GitLab.com SaaS: used for testing with provided runner (which works)
  • Self-hosted Runners: 16.9.1

Versions:

  • Docker host: Ubuntu 23.10
  • GitLab (Web: /help or self-managed system information): v16.9.1
  • GitLab Runner, if self-hosted (Web /admin/runners or CLI gitlab-runner --version): v16.9.1