The CI/CD Pipeline suddenly fails without any changes done to the repository

mihai.chirodea · February 3, 2023, 2:13pm

Hello!

As the title suggests, starting today we’ve been experiencing issues with successfully running the build job in our pipeline. This issue is reproduced even when no changes were done to the repository and even on old jobs that actually succeeded before (e.g. a job from 2 months ago).

The error we are facing is the following:

#36 DONE 156.8s
#37 preparing layers for inline cache
WARNING: buildx: git was not found in the system. Current commit information was not captured by the build
ERROR: failed to receive status: rpc error: code = Unavailable desc = error reading from server: EOF
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1

So from what we could piece together as well as test, the issue seems to be related to the runner itself rather than the docker image we are building, but we are kind of stuck here.

Does anyone have any ideas what the problem could be?

I’ll leave the stage in question here:

build:
  stage: build
  image: docker
  services:
    - docker:dind
  script:
    - docker image prune -f

    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

    # Dev image (includes resources for tests, coverage, etc.)
    - DOCKER_BUILDKIT=1 docker build
      --cache-from $IMAGE_REPO_NAMETAG_LATEST
      --target development
      --build-arg BUILDKIT_INLINE_CACHE=1
      --build-arg SECRET_ELASTIC_ENVIRONMENT=$SECRET_ELASTIC_ENVIRONMENT
      --build-arg SECRET_ELASTIC_FILEBEAT_LOGGER_CLOUD_ID=$SECRET_ELASTIC_FILEBEAT_LOGGER_CLOUD_ID
      --build-arg SECRET_ELASTIC_FILEBEAT_LOGGER_CLOUD_AUTH=$SECRET_ELASTIC_FILEBEAT_LOGGER_CLOUD_AUTH
      -t $IMAGE_REPO_NAMETAG -t $IMAGE_REPO_NAMETAG_LATEST .
    - docker push $IMAGE_REPO_NAMETAG && docker push $IMAGE_REPO_NAMETAG_LATEST

As a sidenote:
We are using a shared runner with the following version: gitlab-runner 15.6.0~beta.186.ga889181a

gkinsman · February 3, 2023, 2:34pm

We ran into this, and it appears to be a new issue with the docker base image. We solved it by pinning to a slightly older version until it’s fixed:

docker@sha256:c8bb6fa5388b56304dd770c4bc0478de81ce18540173b1a589178c0d31bfce90

so you’d do:

build:
  stage: build
  image: docker@sha256:c8bb6fa5388b56304dd770c4bc0478de81ce18540173b1a589178c0d31bfce90
  services:
    - docker:dind@sha256:c8bb6fa5388b56304dd770c4bc0478de81ce18540173b1a589178c0d31bfce90

mihai.chirodea · February 3, 2023, 2:59pm

Thank you very much for the reply and insight!

I can confirm that this was our issue as well.

joffrey.villard · February 3, 2023, 11:16pm

Thank you so much (both of you!), as I have been struggling with this for several hours today!

Do you know if there is some issue reported to the Docker team that we can use to track progress on the fix?

mihai.chirodea · February 4, 2023, 7:23am

I’m not really sure if this particular issue was reported, but from what I’ve seen, there have been a number of similar ones reported.

andromeda306 · February 6, 2023, 7:47am

as stated above, it’s probably due to the recent update of the docker latest image which contains some pretty significant changes under the hood Docker Engine 23.0 release notes | Docker Documentation . The best quick fix at the moment is to pin to an older version such as 20.10 (in my case following the same error). I’ll follow up when I’ve figured out how to make the new version work.

neux · February 6, 2023, 11:12am

Thank you @gkinsman

andromeda306 · February 6, 2023, 12:51pm

For what it’s worth the error WARNING: buildx: git was not found in the system. Current commit information was not captured by the build seems to be intentional and might possibly be resolved as part of these changes Git warning being displayed when building in a git directory with no commits yet · Issue #1587 · docker/buildx · GitHub. Nevertheless I have determined that simply adding --load to my build command enabled the pipeline to complete as intended without any other further changes based on the latest docker:dind image (where buildx is the default builder for linux). i.e. The following results in a single image file with 2 tags.

docker build -f docker/Dockerfile -t $REPO:$MYTAG1 -t $REPO:MYTAG2 --load .
docker push --all-tags $MYIMAGE

An alternative would look slightly different but is more geared towards multi-arch builds since it will results in the creation of multiple artifacts i.e. The following results in 3 artifacts; 2 images and an image index.

docker build -f docker/Dockerfile -t $REPO:$MYTAG1 -t $REPO:MYTAG2 --push .

In both cases the afrementioned warning is still displayed but seems to be harmless - at least in my case.

mihai.chirodea · February 6, 2023, 1:08pm

In our case, the warning & subsequent error prevented us from actually being able to build our image. While this was fixed with the solution provided by @gkinsman, I will also try yours as well and come back with what I found.

Thank you for the insight @andromeda306

xhafan · February 7, 2023, 2:00pm

I fixed my gitlab build issue preparing layers for inline cache followed by unexpected EOF by using previous docker image docker:20.10.22-dind instead of docker:dind. Thanks for the tip to look at previous docker image!

agalmame · February 7, 2023, 3:51pm

Thank you so much that does solve the issue for now at least!

fegmorte · February 8, 2023, 10:03pm

Hello,

FYI the error comes from docker 23.0.0.
In my case our runner set up with docker machine installed this version of docker by default.
The solution was to remove builkit_inline_cache=1
But the GitHub issue related seems to be closed. So it has to be fixed.
I have to check that

mananAI · February 10, 2023, 5:48am

@gkinsman, @andromeda306 thank you! I fixed gitlab build error, but can not fix web:prod:deploy

Running a docker build with gitlab-ci. Works well locally, but we are moving runners to AWS on ubuntu 20 and it appears that DNS is not working in the containers. Any ideas greatly appreciated, perhas Is there a way to statically set the git repo DNS address globally in the config, not finding any variables for this in the doc.

Regards

cshafe02 · March 6, 2023, 8:44pm

I have simply updated my image build job with this line as a quick fix for now until the upstream docker image is either working better or there is a more standard documented way of doing builds going forward.

image: docker:20.10.22-dind

trevor · March 12, 2023, 2:37pm

I’m getting the same error with the docker:dind tag.

Using docker image sha256:c365741dcfc2b1d1fd3dbd7ded480a147a334836444f0335456f3e7e1b363505 for docker with digest docker@sha256:e4d776dd1e0580dfb670559d887300aa08b53b8a59f5df2d4eaace936ef4d0e9

Environment Details

Self-hosted GitLab version 15.9
Using Docker executor on GitLab Runner VM
GitLab Runner is running Ubuntu 22.04 LTS
GitLab CI/CD pipeline file configured to use docker:dind under services: section

keshav.c · May 11, 2023, 1:43pm

I think this problem in now re-occuring?
How do I find an older version of docker to pin to? Where is the repo for the commits?

maxgruebneraeroqual · May 25, 2023, 2:10am

We’re seeing what might be a similar/related problem.

ERROR: failed to solve: process "/bin/sh -c unzip awscliv2.zip && ./aws/install" did not complete successfully: exit code: 4294967295

We don’t use gitlab CI though, we use Drone.

We’re having steps in a docker build inside docker-in-docker fail with a 0xffffffff error.

The build agents are running Docker version 24.0.1, build 6802122, and pulling whatever the latest dind resolves to.

The issue started about two weeks ago for us. Is it the same for you @keshav.c ?

I’ve tried setting different versions of the dind image, which didn’t help, and updating our build agents, which also didn’t help.

For other people having the same issue as us, turning off docker buildkit does help (set DOCKER_BUILDKIT: 0), but that causes other issues for us.

maxgruebneraeroqual · May 28, 2023, 11:04pm

Looks like it might be fixed in 24.0.2

github.com/moby/buildkit

Fixes for containers exiting with code 4294967295

moby:master ← sipsma:exit-4294967295

opened 02:52AM - 01 Apr 23 UTC

sipsma

+268 -234

When dagger tried to upgrade to the latest commit in master we started getting a… bunch of flaky failures where containers would be exiting with code `4294967295` (which is the max uint32 value): https://github.com/dagger/dagger/pull/4879 After some investigation this turned out to be a combination of a few different things. The overflow was caused by the `Status` field of `runc.ExitError` being set to `-1` and then converted to a `uint32`, which is fixed in this commit: https://github.com/moby/buildkit/commit/9b0bdb600641f3dd1d96f54ac2d86581ab6433b2 * We confirmed this was the case through println debugging The `Status` being `-1` is more interesting. We haven't 100% confirmed it but have reasonable confidence this is what was happening: 1. Buildkit's dependency on go-runc is fairly old and specifically did not include this commit: https://github.com/containerd/go-runc/commit/1caf1a73de233bdfe8bbdd860c42b0d263fabe12 2. There was a recent change in the master branch that Dagger also just picked up which results in threads being left locked and thus killed by the go runtime: https://github.com/moby/buildkit/pull/3738#discussion_r1147894969 3. Dagger has a several test cases that spin up a lot of networked containers in parallel with one another, which is where we were getting failures from. So it seems like threads may have been killed in parallel with containers being created, which triggered the problem where the container child procs incorrectly get SIGKILL'd 4. The reason this resulted in `-1` is * The exit code is set to `WaitStatus` on [these lines](https://github.com/containerd/go-runc/blob/16b287bc67d069a60fa48db15f330b790b74365b/monitor.go#L59) * `WaitStatus` will return `-1` if the process did not exit "normally" ([here](https://github.com/golang/go/blob/aee9a19c559da6fd258a8609556d89f6fad2a6d8/src/syscall/syscall_linux.go#L473)) After Dagger upgraded its go.mod's dep on go-runc to the latest commit (previously was on the same as buildkit), the problem was no longer reproducible.