gitlab-ci docker | using sudo inside container - docker

Hey fellow developers,
I use gitlab-ci, with my own gitlab-runner running as a docker image on the server (Ubuntu 22.04, Docker 20.10, Docker image: gitlab/gitlab-runner:latest).
I want to use some sudo commands inside the container.
How can I do that?
Thanks for any help.

You can install sudo from your Dockerfile:
FROM gitlab/gitlab-runner:latest
RUN apt-get update && \
    apt-get -y install sudo
# create the user, give it a password, and add it to the sudo group (one line)
RUN useradd -m docker && echo "docker:docker" | chpasswd && adduser docker sudo
USER docker
CMD /bin/bash

Related

Docker in Docker | Github actions - Self Hosted Runner

I am trying to create a self-hosted runner for GitHub Actions on Kubernetes. As a first step I was trying with the Dockerfile below:
FROM ubuntu:18.04
# set the github runner version
ARG RUNNER_VERSION="2.283.1"
# update the base packages and add a non-sudo user
RUN apt-get update -y && apt-get upgrade -y && useradd -m docker
RUN useradd -r -g docker nonroot
# install python and the packages your code depends on, along with jq so we can parse JSON
# add additional packages as necessary
RUN apt-get install -y curl jq build-essential libssl-dev apt-transport-https ca-certificates curl software-properties-common
# install docker
RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - \
&& add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable" \
&& apt update \
&& apt-cache policy docker-ce \
&& apt install docker-ce -y
ENV TINI_VERSION v0.19.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
RUN chmod +x /tini
RUN usermod -aG docker nonroot
USER nonroot
# set the entrypoint to the start.sh script
ENTRYPOINT ["/tini", "--"]
CMD ["/bin/bash"]
After doing a build, I run the container with the below command:
docker run -v /var/run/docker.sock:/var/run/docker.sock -it srunner
When I try to pull an image, I get the error below:
nonroot@0be0cdccb29b:/$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create": dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
nonroot@0be0cdccb29b:/$
Please advise if there is a possible way to run docker as non-root inside a docker container.
Instead of using the socket, there is also a way to connect to the outer Docker daemon from Docker inside the container, over TCP.
Linux example:
Run ifconfig; it will print the Docker network interface that is created when you install Docker on a host node. It's usually named docker0; note down the IP address of this interface.
Now modify /etc/docker/daemon.json and add tcp://IP:2375 to the hosts section. Restart the docker service.
Run containers with the extra option: --add-host=host.docker.internal:host-gateway
Inside any such container, the address tcp://host.docker.internal:2375 now points to the outside Docker engine.
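A caveat the answer above leaves out: a tcp:// host entry without TLS gives anyone who can reach that port unauthenticated control of the daemon, which is root on the host. The script below is an added example, not part of the original answer. It prints the plaintext daemon.json the answer leads to next to a mutual-TLS variant (the certificate paths under /etc/docker/certs are assumptions), and `daemon_json_ok` rejects any daemon.json that lists a tcp:// host without "tlsverify": true.

```shell
#!/bin/sh
# Added example (not from the original answer): weak daemon.json beside a
# hardened one, plus a check that refuses a tcp:// host without TLS
# client verification. Certificate paths are assumptions.

# The configuration the answer above produces: plaintext API on 2375.
weak_daemon_json() {
  cat <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://172.17.0.1:2375"]
}
EOF
}

# Same idea with mutual TLS: clients must present a cert signed by the CA.
hardened_daemon_json() {
  cat <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://172.17.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
EOF
}

# daemon_json_ok FILE: return 0 if FILE lists no tcp:// host, or lists one
# and also sets "tlsverify": true; return 1 otherwise. daemon.json is a
# flat object, so a whitespace-tolerant grep is sufficient here.
daemon_json_ok() {
  file=$1
  if ! grep -q 'tcp://' "$file"; then
    return 0
  fi
  grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$file"
}

# Usage: write both variants to a temp dir and check each one.
demo() {
  dir=$(mktemp -d)
  weak_daemon_json > "$dir/weak.json"
  hardened_daemon_json > "$dir/hardened.json"
  daemon_json_ok "$dir/weak.json" && echo "weak.json: ok" \
    || echo "weak.json: REJECTED (tcp host without tlsverify)"
  daemon_json_ok "$dir/hardened.json" && echo "hardened.json: ok" \
    || echo "hardened.json: REJECTED"
  rm -rf "$dir"
}

demo
```

Two practical notes: the client side then needs DOCKER_TLS_VERIFY=1, DOCKER_CERT_PATH and tcp://host.docker.internal:2376, and on a systemd host the `hosts` key in daemon.json conflicts with the `-H fd://` flag in the unit's ExecStart, so one of the two has to be dropped or the daemon will refuse to start.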
Try adding your username to the docker group as suggested here.
Additionally, you should check your kernel compatibility.

Installing Kubernetes in Docker container

I want to use Kubeflow to check it out and see if it fits my projects. I want to deploy it locally as a development server so I can check it out, but I have Windows on my computer and Kubeflow only works on Linux. I'm not allowed to dual boot this computer, I could install a virtual machine, but I thought it would be easier to use docker, and oh boy was I wrong. So, the problem is, I want to install Kubernetes in a docker container, right now this is the Dockerfile I've written:
# Docker file with local deployment of Kubeflow
FROM ubuntu:18.04
ENV USER=Joao
ENV PASSWORD=Password
ENV WK_DIR=/home/${USER}
# Setup Ubuntu
RUN apt-get update -y
RUN apt-get install -y conntrack sudo wget
RUN useradd -rm -d /home/${USER} -s /bin/bash -g root -G sudo -u 1001 -p ${PASSWORD} ${USER}
WORKDIR ${WK_DIR}
# Installing Docker CE
RUN apt-get install -y apt-transport-https ca-certificates curl software-properties-common
RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
RUN add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
RUN apt-get update -y
RUN apt-get install -y docker-ce docker-ce-cli containerd.io
# Installing Kubectl
RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.15.0/bin/linux/amd64/kubectl
RUN chmod +x ./kubectl
RUN mv ./kubectl /usr/local/bin/kubectl
# Installing Minikube
RUN curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
RUN install minikube-linux-amd64 /usr/local/bin/minikube
ENV PATH="${PATH}:${WK_DIR}"
COPY start.sh start.sh
CMD sh start.sh
With this, just to make the deployment easier, I also have a docker-compose.yaml that looks like this:
services:
  kf-local:
    build: .
    volumes:
      - path/to/folder:/usr/kubeflow
    privileged: true
And start.sh looks like this:
service docker start
minikube start \
--extra-config=apiserver.service-account-issuer=api \
--extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/apiserver.key \
--extra-config=apiserver.service-account-api-audiences=api \
--driver=docker
The problem is, whenever I try running this I get the error:
X Exiting due to DRV_AS_ROOT: The "docker" driver should not be used with root privileges.
I've tried creating a user and running it from there also but then I'm not being able to run sudo, any idea how I could install Kubernetes on a Docker container?
As you thought, you are right: using a VM would be the easy way to test it out.
Instead of setting up Kubernetes on Docker, you can use a Linux-based container for development testing.
There is a Linux container technology called LXC. Docker is a kind of application container, while in simple words LXC is like a VM for local development testing; you can install the stuff into it rather than setting up the application inside a Docker image.
Read some details about LXC: https://medium.com/@harsh.manvar111/lxc-vs-docker-lxc-101-bd49db95933a
You can also run it on Windows and try it out at: https://linuxcontainers.org/
If you have read the documentation of Kubeflow there is also one option multipass
Multipass creates a Linux virtual machine on Windows, Mac or Linux
systems. The VM contains a complete Ubuntu operating system which can
then be used to deploy Kubernetes and Kubeflow.
Learn more about Multipass : https://multipass.run/#install
Insufficient user permissions on the docker group and the minikube directory cause this error ("X Exiting due to DRV_AS_ROOT: The "docker" driver should not be used with root privileges.").
You can fix that error by adding your user to the docker group and setting permissions on the minikube profile directory (change $USER to your username in the two commands below):
sudo usermod -aG docker $USER && newgrp docker
sudo chown -R $USER $HOME/.minikube; chmod -R u+wrx $HOME/.minikube

Docker Container Not Starting for create docker file

I am completely new to Docker. Now I am trying to create a container for Tomcat from the Ubuntu base image and have written a Dockerfile according to it:
From ubuntu
RUN apt-get update -y && apt-get upgrade -y
RUN apt-get install wget -y
RUN apt-get install openjdk-8-jdk -y
RUN mkdir /usr/local/tomcat
RUN wget https://mirrors.estointernet.in/apache/tomcat/tomcat-8/v8.5.61/bin/apache-tomcat-8.5.61.tar.gz
RUN tar xvzf apache-tomcat-8.5.61.tar.gz
RUN mv apache-tomcat-8.5.61 /usr/local/tomcat/
#MD ./usr/local/tomcat/apache-tomcat-8.5.61/bin/catlina.sh run
EXPOSE 8080
RUN /usr/local/tomcat/apache-tomcat-8.5.61/bin/catlina.sh run
Created a Docker image for the respective Dockerfile using:
docker build -t [filename] .
Tried to start the container using: docker run -itd --name my-con -p 8080:8080
but the container is not starting, and it is listed among the stopped containers.
Can anyone help me fix this issue?
Thanks.
Try this as the last line:
CMD ["/usr/local/tomcat/bin/catalina.sh","run"]

Docker in docker fails to start if container restarted

We are running a docker build agent inside a docker container.
It's based off debian jessie, and gets docker directly from docker as documented here.
The docker daemon runs fine the first time you start the container, but not the second time. (if you don't delete the container)
Dockerfile:
FROM debian:jessie
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
&& apt-get -y install -q \
apt-transport-https \
ca-certificates \
software-properties-common \
curl \
&& curl -fsSL https://yum.dockerproject.org/gpg | apt-key add - \
&& add-apt-repository \
"deb https://apt.dockerproject.org/repo/ \
debian-$(lsb_release -cs) \
main" \
&& apt-get update \
&& apt-get install -y \
docker-engine
CMD []
docker-compose.yml:
services:
  dockerTest:
    container_name: dockerTest
    privileged: true
    image: tomeinc/intel-docker-node:latest
    command: bash -c "service docker start && sleep 2 && docker ps"
To reproduce: build the Dockerfile with docker build -t test . and then use docker-compose up twice. The second time, docker ps will fail with
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Weirdly, if the container keeps running, you can manually start Docker by running docker exec -it test /bin/bash and then executing service docker start and docker ps.
I'm not really sure how to approach debugging this, any suggestions are welcomed.
It turns out that Docker thought that it and/or containerd was still running (which it wasn't, but the PID files didn't get cleaned up).
Recommended starting approach to debugging issues: look at the log files. I am shocked by this revelation.
Anyway, adding rm /var/run/docker/libcontainerd/docker-containerd.pid /var/run/docker.pid to the start command before service docker start fixes it.
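The unconditional rm above works for this compose setup, but it also deletes the PID files of a daemon that really is running if the start command is ever re-run inside a live container. The following is an added example, not part of the original answer: it removes a PID file only when the process it names is gone, and keeps the two paths the answer lists (the paths are the ones on that Debian jessie image; the `start_dockerd` wrapper is a suggested replacement for the compose command).

```shell
#!/bin/sh
# Added example, not part of the original answer: remove a PID file only if
# it is stale, then start the daemon as the compose command above does.

# clear_stale_pidfile FILE: return 0 and delete FILE if it is absent, empty,
# or names a PID that no longer exists; return 1 and keep FILE if the PID is
# alive. A process we may not signal still counts as alive via /proc.
clear_stale_pidfile() {
  pidfile=$1
  [ -e "$pidfile" ] || return 0
  pid=$(tr -dc '0-9' < "$pidfile")
  if [ -n "$pid" ] && { kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; }; then
    return 1
  fi
  rm -f "$pidfile"
  return 0
}

# start_dockerd: clear the two PID files the answer names, refusing to start
# a second daemon if either still belongs to a live process.
start_dockerd() {
  for f in /var/run/docker/libcontainerd/docker-containerd.pid /var/run/docker.pid; do
    if ! clear_stale_pidfile "$f"; then
      echo "$f: process $(cat "$f") is still running, not starting" >&2
      return 1
    fi
  done
  service docker start
}
```

In the compose file this replaces the `rm ... && service docker start` part of `command:` with a call to `start_dockerd` from a script copied into the image.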

Jenkins user using docker (inside docker container)

I have a dockerfile:
FROM jenkins:1.651.1
COPY plugins.txt /usr/share/jenkins/plugins.txt
RUN /usr/local/bin/plugins.sh /usr/share/jenkins/plugins.txt
USER root
RUN groupadd docker
RUN usermod -a -G docker jenkins
USER jenkins
I add my user jenkins to the group docker.
When I access my container:
jenkins@bc145b8cfc1d:/$ docker ps
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
jenkins@bc145b8cfc1d:/$ whoami
jenkins
This is the content of /etc/group on my container:
jenkins:x:1000:
docker:x:1001:jenkins
My jenkins user is in the docker group:
jenkins@bc145b8cfc1d:/$ groups jenkins
jenkins : jenkins docker
What am I doing wrong? I want to use docker-commands with my jenkins user. I'm on Amazon EC2 Container Service.
This is how I start a container from my image:
docker run -d -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/bin/docker:/usr/bin/docker:ro \
  -v /lib64/libdevmapper.so.1.02:/usr/lib/x86_64-linux-gnu/libdevmapper.so.1.02 \
  -v /lib64/libudev.so.0:/usr/lib/x86_64-linux-gnu/libudev.so.0 \
  -p 8080:8080 --name jenkins -u jenkins --privileged=true -t -i \
  my-jenkins:1.0
This was my 'solution', but it only worked on Ubuntu (not on my CentOS).
Dockerfile
FROM jenkins:1.651.1
USER root
RUN apt-get update \
&& apt-get install -y apt-transport-https ca-certificates \
&& echo "deb https://apt.dockerproject.org/repo debian-jessie main" > /etc/apt/sources.list.d/docker.list \
&& apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D \
&& apt-get update -y \
&& apt-get install -y docker-engine
RUN gpasswd -a jenkins docker
USER jenkins
Run command:
docker run -d -it -v /var/run/docker.sock:/var/run/docker.sock test-jenkins
On Ubuntu:
jenkins@c73c683b02d7:/$ whoami
jenkins
jenkins@c73c683b02d7:/$ docker ps
CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS         PORTS                NAMES
c73c683b02d7   test-jenkins   "/bin/tini -- /usr/lo"   2 minutes ago   Up 2 minutes   8080/tcp, 50000/tcp  condescending_wing
It has something to do with the gid, I think:
cat /etc/group in container (on ubuntu and centos).
jenkins:x:1000:
docker:x:999:jenkins
cat /etc/group on Ubuntu (also 999)
docker:x:999:ubuntu
cat /etc/group on Centos (different gid)
docker:x:983:centos
There is probably a solution for this, but I only needed Ubuntu so did not go further with this.
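The gid observation above is the whole story, and it is also why the non-root GitHub runner earlier on this page got "permission denied" on /var/run/docker.sock: the kernel checks the socket's numeric GID against the container user's supplementary groups, and a `docker` group created inside the image gets whatever number is free there (999 on the Ubuntu-built image, 983 on the CentOS host). The portable fix is to read the socket's GID on the host at run time and hand it to the container with `--group-add`, rather than guessing it at build time. The script below is an added example, not code from either thread; the image name and `-u jenkins` are taken from the run command above and are otherwise assumptions. It uses GNU `stat -c`, so it is Linux-specific.

```shell
#!/bin/sh
# Added example (not from the original posts): match the container user's
# group to the host docker socket's numeric GID instead of its name.

# sock_gid PATH: print the numeric group id that owns PATH (GNU stat).
sock_gid() {
  stat -c %g "$1"
}

# gid_in_groups GID: return 0 if the current user holds GID as primary or
# supplementary group. Run inside the container to confirm the fix took.
gid_in_groups() {
  for g in $(id -G); do
    [ "$g" = "$1" ] && return 0
  done
  return 1
}

# docker_run_args SOCK IMAGE: print the arguments that mount SOCK and grant
# the container user the socket's GID on this host. Whoever can write this
# socket is root on the host, so it is effectively granting root to IMAGE.
docker_run_args() {
  sock=$1
  image=$2
  printf 'run -d -v %s:/var/run/docker.sock --group-add %s -u jenkins %s\n' \
    "$sock" "$(sock_gid "$sock")" "$image"
}

# Usage on the host:
#   docker $(docker_run_args /var/run/docker.sock my-jenkins:1.0)
# Check inside the container:
#   gid_in_groups "$(sock_gid /var/run/docker.sock)" && echo "socket group ok"
```

With `--group-add` the `groupadd docker` / `usermod -aG docker jenkins` lines in the Dockerfile become unnecessary, and the same image works on Ubuntu (999) and CentOS (983) without rebuilding. It also removes the need for `--privileged=true` in the run command above, which was only ever needed for running a nested daemon, not for talking to the host's socket.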
Once your container is running, you can "patch" into the running container using different users using
docker exec -ti -u 0 jenkins bash // root
docker exec -ti -u 1 jenkins bash // probably jenkins
Using the root user, you can su jenkins if you need to switch to the jenkins user from the root user.
If you want to run docker containers inside your existing container (it seems like that is what you're trying), remember to start your docker container with the --privileged flag, eg docker run --privileged ...
