I have some trouble with the setup of a clean and encapsulated docker environment for each gitlab ci pipeline.
What I want to achieve:
Each pipeline should run in its own docker environment.
Docker containers started in one job should be present in jobs of a following stage (that use the docker executor).
A sample pipeline could contain the following stages:
- startup containers (docker executor)
- install some dependencies (docker executor)
- run tests (docker executor)
- run some other kind of tests (docker executor)
- release to docker registry (docker executor)
- deploy to kubernetes (Kubernetes executor)
- rollback kubernetes (Kubernetes executor)
- stop / remove containers (docker executor)
When I use the docker executor with the docker-in-docker (dind) service each job runs in a clean environment. But that means docker containers started in one job won’t be accessible in the following one.
When I make use of docker socket binding the given sample pipeline could be realized.
But if I understand everything right, this could lead to conflicts between different commits running that pipeline.
The docker socket is passed through from the host and thus all docker containers that are created within a pipeline will be available on the host and concurrent pipelines as well.
To prevent naming conflicts the name of each container could append the predefined gitlab environment variable CI_COMMIT_SHA. So each pipeline creates its own identifiable containers (on the host).
But this is a security issue. As the gitlab documentation says the command
docker rm -f $(docker ps -a -q)
run in any job would remove all containers even outside the pipeline, meaning the host including the gitlab runner containers.
I’ve read a lot in the gitlab docs and other sources but I can’t find a solution to setup a clean and encapsulated docker environment for a whole pipeline where containers are accessible between stages but not from the outside (other pipelines). Also containers of the host should be safe.
Is there a clean solution to this problem? Or at least reasonable workarounds?
Thanks in advance for your support!
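As an added example (not part of the original post), here is a small POSIX sh helper set for the socket-binding setup described above: it applies the CI_COMMIT_SHA naming scheme from the question and, more importantly, scopes the cleanup job to that pipeline's containers only, so it never becomes the dangerous `docker rm -f $(docker ps -a -q)`. The label key `ci.commit_sha` and the sample `docker ps` output are my own assumptions; `docker run --label` and `docker ps --format` are real Docker CLI options.

```shell
# Added example, not from the original post. Assumes the runner binds the
# host docker socket and GitLab sets CI_COMMIT_SHA. Container names get a
# 12-char commit suffix so each pipeline's containers are identifiable.

# Build a pipeline-scoped container name: <base>-<first 12 chars of sha>.
scoped_name() {
  base="$1"; sha="$2"
  printf '%s-%s\n' "$base" "$(printf '%s' "$sha" | cut -c1-12)"
}

# Read "docker ps -a --format '{{.ID}} {{.Names}}'" lines on stdin and
# print only the IDs whose name ends with this pipeline's suffix.
# Host containers (e.g. the gitlab-runner) and other pipelines' containers
# never match, so they are never removed.
ids_for_sha() {
  suffix="-$(printf '%s' "$1" | cut -c1-12)"
  awk -v suf="$suffix" '
    substr($2, length($2) - length(suf) + 1) == suf { print $1 }'
}

# Startup job: run a container named and labelled for this pipeline.
# (Not executed in the offline test; needs a docker daemon.)
start_scoped() {
  docker run -d --name "$(scoped_name "$1" "$CI_COMMIT_SHA")" \
    --label "ci.commit_sha=$CI_COMMIT_SHA" "$2"
}

# Cleanup job: remove only this pipeline's containers, never everything
# the host socket exposes. (Not executed in the offline test.)
cleanup_scoped() {
  ids=$(docker ps -a --format '{{.ID}} {{.Names}}' | ids_for_sha "$CI_COMMIT_SHA")
  if [ -n "$ids" ]; then
    docker rm -f $ids
  fi
}
```

With the label set at startup, `docker ps -aq --filter "label=ci.commit_sha=$CI_COMMIT_SHA"` is the equivalent daemon-side filter and does not depend on name parsing; note that socket binding still exposes all host containers to every job, so this only limits accidental damage, not a malicious job.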