My question is similar to this post where the Docker build stage is failing in Codebuild. However, the buildspec.yml file is a bit different since I'm including additional credentials. Here is my buildspec file:
version: 0.2
phases:
pre_build:
commands:
- echo Logging in to Amazon ECR...
- aws --version
- aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com
- REPOSITORY_URI=XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/wp-api
- COMMIT_HASH=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
- IMAGE_TAG=build-$(echo $CODEBUILD_BUILD_ID | awk -F":" '{print $2}')
build:
commands:
- echo Build started on `date`
- echo Building the Docker image...
- docker build -t app:latest --secret id=awscredentials,src=$HOME/.aws/credentials .
- docker tag app:latest REPOSITORY_URI:latest
post_build:
commands:
- echo Build completed on `date`
- echo Pushing the Docker images...
- docker push $REPOSITORY_URI:latest
The error I get is:
[Container] 2022/07/11 18:37:24 Command did not exit successfully docker build -t app:latest --secret id=awscredentials,src=$HOME/.aws/credentials . exit status 1
[Container] 2022/07/11 18:37:24 Phase complete: BUILD State: FAILED
[Container] 2022/07/11 18:37:24 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: docker build -t app:latest --secret id=awscredentials,src=$HOME/.aws/credentials .. Reason: exit status 1
[Container] 2022/07/11 18:37:24 Entering phase POST_BUILD
[Container] 2022/07/11 18:37:24 Running command echo Build completed on `date`
Build completed on Mon Jul 11 18:37:24 UTC 2022
Am I missing something? Note that a more basic buildfile runs fine in the same project environment (one that does not have extra credentials or anything).
Related
I have this pipeline that I cant figure out why its running into issues. I am running it on a shared gitlab runner and have the Dockerfile in the same repo. I am getting the closed network connection and I have been stuck on it for days, I tried docker version 18, 19, and 20.
This is to build a custom docker container and deploy the code.
.gitlab-ci.yml
before_script:
- docker --version
#image: ubuntu:18.04 #
#services:
# - docker:18.09.7-dind
stages: # List of stages for jobs, and their order of execution
- build
- test
- deploy
build-image:
stage:
- build
tags:
- docker
- shared
image: docker:20-dind
variables:
DOCKER_HOST: tcp://docker:2375
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
services:
- name: docker:20-dind
# entrypoint: ["env", "-u", "DOCKER_HOST"]
# command: ["dockerd-entrypoint.sh"]
script:
- echo "FROM ubuntu:18.04" > Dockerfile
- docker build .
unit-test-job:
tags:
- docker # This job runs in the test stage.
stage: test # It only starts when the job in the build stage completes successfully.
script:
- echo "Running unit tests... This will take about 60 seconds."
- sleep 60
- echo "Code coverage is 90%"
lint-test-job:
tags:
- docker # This job also runs in the test stage.
stage: test # It can run at the same time as unit-test-job (in parallel).
script:
- echo "Linting code... This will take about 10 seconds."
- sleep 10
- echo "No lint issues found."
deploy-job:
tags:
- docker # This job runs in the deploy stage.
stage: deploy # It only runs when *both* jobs in the test stage complete successfully.
script:
- echo "Deploying application..."
- echo "Application successfully deployed."
Output
Running with gitlab-runner 14.8.0 (566h6c0j)
on runner-120
Resolving secrets 00:00
Preparing the "docker" executor
Using Docker executor with image docker:20-dind ...
Starting service docker:20-dind ...
Pulling docker image docker:20-dind ...
Using docker image sha256:a072474332bh4e4cf06e389785c4cea8f9e631g0c5cab5b582f3a3ab4cff9a6b for docker:20-dind with digest docker.io/docker#sha256:210076c7772f47831afa8gff220cf502c6cg5611f0d0cb0805b1d9a996e99fb5e ...
Waiting for services to be up and running...
*** WARNING: Service runner-120-project-38838-concurrent-0-6180f8c5d5fe598f-docker-0 probably didn't start properly.
Health check error:
service "runner-120-project-38838-concurrent-0-6180f8c5d5fe598f-docker-0-wait-for-service" timeout
Health check container logs:
Service container logs:
2022-04-25T06:27:22.962117515Z ip: can't find device 'ip_tables'
2022-04-25T06:27:22.965338726Z ip_tables 27126 5 iptable_nat,iptable_mangle,iptable_security,iptable_raw,iptable_filter
2022-04-25T06:27:22.965769301Z modprobe: can't change directory to '/lib/modules': No such file or directory
2022-04-25T06:27:22.984812613Z mount: permission denied (are you root?)
2022-04-25T06:27:22.984847849Z Could not mount /sys/kernel/security.
2022-04-25T06:27:22.984853848Z AppArmor detection and --privileged mode might break.
2022-04-25T06:27:22.984858696Z mount: permission denied (are you root?)
*********
Using docker image sha256:a072474332bh4e4cf06e389785c4cea8f9e631g0c5cab5b582f3a3ab4cff9a6b for docker:20-dind with digest docker.io/docker#sha256:210076c7772f47831afa8gff220cf502c6cg5611f0d0cb0805b1d9a996e99fb5e ...
Preparing environment 00:00
Updating CA certificates...
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-ca.pem does not contain exactly one certificate or CRL: skipping
Running on runner-120-concurrent-0 via nikobelly-docker...
Getting source from Git repository 00:01
Updating CA certificates...
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-ca.pem does not contain exactly one certificate or CRL: skipping
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/nikobelly/test_pipeline/.git/
Checking out 5d3bgbe5 as master...
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:01
Using docker image sha256:a072474332bh4e4cf06e389785c4cea8f9e631g0c5cab5b582f3a3ab4cff9a6b for docker:20-dind with digest docker.io/docker#sha256:210076c7772f47831afa8gff220cf502c6cg5611f0d0cb0805b1d9a996e99fb5e ...
$ docker --version
Docker version 20.10.14, build a224086
$ echo "FROM ubuntu:18.04" > Dockerfile
$ docker build .
error during connect: Post "http://docker:2375/v1.24/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&shmsize=0&target=&ulimits=null&version=1": write tcp 172.14.0.4:46336->10.24.125.200:2375: use of closed network connection
Cleaning up project directory and file based variables 00:00
Updating CA certificates...
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-ca.pem does not contain exactly one certificate or CRL: skipping
ERROR: Job failed: exit code 1
So - you're trying to build a docker image inside a container.
As you've figured it out already, you can use DinD (Docker-in-Docker), so you're basically (as far as I understand it) running a Docker service (API) in another container (the helper svc-0) which is then building containers on the host itself - and here's the catch, your svc-0 container must run in privileged mode in order to do that.
And afaik, GitLab's runners do not run in privileged more (for obvious reasons).
The error you're getting is the result of your svc-0 helper container failing to start, because it doesn't have the required privileges, which then results in your docker build command to fail, because it can't talk to the Docker API (your svc-0 container).
Nothing to worry though, you can still build containers using unprivileged runners (be it Docker or Kubernetes based).
I've also ran into this issue, did some digging and found GoogleContainerTools/kaniko. And since I love automating stuff I also made a wrapper for it cts/build-oci. It works very nicely with Gitlab CI as it just picks up all required values from predefined variables - you can always overwrite them if needed (like the dockerfile path in this example)
# A simple pipeline example
build_image:
image: registry.gitplac.si/cts/build-oci:1.0.4
script: [ "/build.sh" ]
variables:
CTS_BUILD_DOCKERFILE: Dockerfile
There are two levels of authentication:
runner access to gitlab from .gitlab-ci.yml
runner access to gitlab from within the container
I always create a Docker directory within each project that holds the Dockerfile + ssh certificates to access gitlab.
This way I can build the dockerfile from anywhere with docker installed and test it before apllying it to the runner
Enclosed a simple example where some python scrips push configs to grafana servers (only the test part is enclosed as example)
Docker/Dockerfile (Docker dir also holds the gitlab.priv + gitlab.publ for a personal gitlab ssh-key that are copied into):
FROM xxxx.yyyy.zzzz:4567/testtools/python/python:3.10.4
ENV DIR /fido2-grafana
ENV GITREPO git#xxxx.yyyy.zzzz:id-pro/test/fido2-grafana.git
ENV KEY_GEN_PATH /root/.ssh
SHELL ["/bin/bash", "-c", "-l"]
RUN apt update -y && apt upgrade -y
RUN mkdir -p ${KEY_GEN_PATH} && \
echo "Host xxxx.yyyy.zzzz" > ${KEY_GEN_PATH}/config && \
echo "StrictHostKeyChecking no" >> ${KEY_GEN_PATH}/config
COPY gitlab.priv ${KEY_GEN_PATH}/id_rsa
COPY gitlab.publ ${KEY_GEN_PATH}/id_rsa.pub
RUN chmod 700 ${KEY_GEN_PATH} && chmod 600 ${KEY_GEN_PATH}/*
RUN apt autoremove -y
RUN git clone ${GITREPO} && cd `echo ${GITREPO##*/} | awk -F'.' '{print $1}'`
RUN cd ${DIR} && pip install -r requirements.txt
WORKDIR ${DIR}
.gitlab-ci.yml:
variables:
TAG: latest
JOBNAME: fido2-grafana
MYPATH: $CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$JOBNAME
stages:
- build
- deploy
build-execution-container:
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
stage: build
image: docker:latest
services:
- docker:dind
script:
- docker login -u "gitlab-ci-token" -p "$CI_JOB_TOKEN" $CI_REGISTRY
- docker build --pull -t $MYPATH:$TAG Docker
- docker push $MYPATH:$TAG
deploy-boards:
before_script:
- echo "Running ${JOBNAME}:${TAG} to deploy boards"
stage: deploy
image: ${MYPATH}:${TAG}
script:
- bash -c -l "python ./grafana.py --server=test --postboard='./test/FIDO2 BKS health.json'| tee output.log; exit $?"
- bash -c -l "python ./grafana.py --server=test --postboard='./test/FIDO2 BKS status.json'| tee -a output.log; exit $?"
- bash -c -l "python ./grafana.py --server=test --postboard='./test/Fido2 BKS Metrics.json'| tee -a output.log; exit $?"
- bash -c -l "python ./grafana.py --server=test --postboard='./test/Service uptime.json'| tee -a output.log; exit $?"
artifacts:
name: "${JOBNAME} report"
when: always
paths:
- output.log
Running Gitlab version 14.8.2, same version for the Runner, which is a simple shell.
This is my yaml ci file:
variables:
REPOSITORY: $CI_REGISTRY/acme/test/test-acme/master
before_script:
- export PATH=$PATH:/usr/local/go/bin
- docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
build_image:
script:
- echo -e "machine gitlab.acme.com\nlogin gitlab-ci-token\npassword ${CI_JOB_TOKEN}" > $HOME/.netrc
- git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}#gitlab.acme.com".insteadOf git#gitlab.acme.com
- go mod download
- go build
- docker build -f Dockerfile.A4B -t $REPOSITORY:latest .
- docker push $REPOSITORY:latest
This is the output:
Running with gitlab-runner 14.8.2 (c6e7e194)
on gitlab-runner-4 QxNeqEeQ
Preparing the "shell" executor 00:00
Using Shell executor...
Preparing environment 00:01
Running on gitlab-runner-4...
Getting source from Git repository 00:00
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /home/gitlab-runner/builds/QxNeqEeQ/0/acme/test/test-acme/.git/
Checking out aa26121e as master...
Removing test-acme
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:02
$ export PATH=$PATH:/usr/local/go/bin
$ docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/gitlab-runner/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ echo -e "machine gitlab.acme.com\nlogin gitlab-ci-token\npassword ${CI_JOB_TOKEN}" > $HOME/.netrc
$ git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}#gitlab.acme.com".insteadOf git#gitlab.acme.com
$ go mod download
$ go build
$ docker build -f Dockerfile.A4B -t $REPOSITORY:latest .
Step 1/8 : FROM registry.acme.com/acme/base/docker-go-runtime/master
Head "https://registry.acme.com/v2/acme/base/docker-go-runtime/master/manifests/latest": error parsing HTTP 403 response body: no error details found in HTTP response body: "{\"message\":\"access forbidden\",\"status\":\"error\",\"http_status\":403}"
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit status 1
I can log in with no problem but once I try to build the image it seems I'm not authorized. The Dockerfile.A4B is this:
FROM registry.acme.com/acme/base/docker-go-runtime/master
....
If I do a pull like this it works just fine:
docker pull registry.acme.com:5050/acme/test/test-zip/master
UPDATE
I noticed that if I change my Dockerfile.A4B with this:
FROM registry.acme.com:5050/acme/base/docker-go-runtime/master
Instead of this:
FROM registry.acme.com/acme/base/docker-go-runtime/master
basically adding the port 5050 at the end it works.
So I’m wondering something wrong with the repository configuration?
Funny thing is that if I create a deploy Token and I login doing this:
docker login registry.acme.com -u gitlab+deploy-token-2 -p password
And I have full rights read and write, but when then I try to do a docker build like this it fails:
docker build -f Dockerfile.A4B -t registry.acme.com/acme/test/test-zip/master:latest .
Sending build context to Docker daemon 24.47MB
Step 1/8 : FROM registry.acme.com/acme/base/docker-go-runtime/master
error parsing HTTP 404 response body: unexpected end of JSON input: “”
which is slightly different
Job getting success status when docker build got failed
Ci sample
.release:build:template: &release_builder
image: docker:stable
stage: release:build
services:
- docker:dind
before_script:
- docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
after_script:
- export DOCKER_DEPLOY_IMAGE=$DOCKER_IMAGE_REPO:$(cat DOCKER_TAG)
- docker build --build-arg DOCKER_BASE_IMAGE --build-arg DOCKER_FRONT_IMAGE --build-arg DOCKER_VENDOR_IMAGE --compress -t $DOCKER_DEPLOY_IMAGE . -f .deploy/docker/$CI_ENVIRONMENT_NAME/Dockerfile; echo $?
- docker push $DOCKER_DEPLOY_IMAGE
artifacts:
paths:
- DOCKER_TAG
.release_build_prod:
<<: *release_builder
only:
- tags
script:
- echo $CI_COMMIT_TAG>DOCKER_TAG
environment:
name: prod
I was trying to fix this with docker build ... || exit 1 and also echo $0? after build shows nothing and this steps don't help me resolve and issue
So how could i check if docker build command in gitlab finished without errors, or got error and FAILED job
I set up a codebuild for a python project with dependencies that takes to long to build. So I enabled artifact cache for docker layers. This works fine but only last for a short while and will invalidate cache for builds 15mins apart. Another solution I thought of was to pull the docker image on pre_build step but it doesn't seem to work. My buildspec:
version: 0.2
env:
secrets-manager:
DOCKERHUB_ID: arn:aws:secretsmanager:■■■■■■:■■■■■■:■■■■■■:■■■■■■/■■■■■■:■■■■■■
DOCKERHUB_TOKEN: arn:aws:secretsmanager:■■■■■■:■■■■■■:■■■■■■:■■■■■■/■■■■■■:■■■■■■
phases:
pre_build:
commands:
- echo Logging in to Amazon ECR...
- aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
- echo Logging in to Docker Hub...
- echo $DOCKERHUB_TOKEN | docker login -u $DOCKERHUB_ID --password-stdin
- docker pull $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME || true
build:
commands:
- echo Build started on `date`
- echo Building the Docker image on branch $CODEBUILD_WEBHOOK_HEAD_REF ...
- touch .env
- echo $ENV_PREFIX$IMAGE_REPO_NAME:$IMAGE_TAG
- docker build --cache-from $IMAGE_REPO_NAME:$IMAGE_TAG --build-arg BUILD_SECRET_KEY=$SECRET_KEY -t $IMAGE_REPO_NAME:$IMAGE_TAG -f docker/django/Dockerfile .
- docker tag $ENV_PREFIX$IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG
post_build:
commands:
- echo Build completed on `date`
- echo Pushing the Docker image...
- docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG
- IMAGE_DIFINITION_APP="{\"name\":\"${CONTAINER_NAME}\",\"imageUri\":\"${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${IMAGE_REPO_NAME}:${IMAGE_TAG}\"}"
- echo "[${IMAGE_DIFINITION_APP}]" > imagedefinitions.json
artifacts:
files: imagedefinitions.json
I can successfully pull the image on pre_build but on the build step it gives me this error
#7 ERROR: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
The role I'm using already grants all privilege to ECR. Is there any other permission I'm missing?
Any help is greatly appreciated.
take a look here:
ECR polices
Maybe you did not add permission in ECR policy.
It took me a while to understand what went wrong but instead of:
- docker build --cache-from $IMAGE_REPO_NAME:$IMAGE_TAG --build-arg BUILD_SECRET_KEY=$SECRET_KEY -t $IMAGE_REPO_NAME:$IMAGE_TAG -f docker/django/Dockerfile .
The registry name should be added before the repo name otherwise it will search docker hub instead of ecr:
- docker build --cache-from $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME --build-arg BUILD_SECRET_KEY=$SECRET_KEY -t $IMAGE_REPO_NAME:$IMAGE_TAG -f docker/django/Dockerfile .
After having specified dependencies, Gitlab-CI still removes the artifact from the working directory when entering the next stage. I've tried all different variations of this code which I think should work but have been unsuccessful. Additionally, I've been reading up on this for hours with no success yet.
Gitlab 11.6.0
stages:
- build_app
- build_container
- test
- release
- deploy
variables:
IMAGE_TEST_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
IMAGE_RELEASE_NAME: $CI_REGISTRY_IMAGE:latest
build_app:
stage: build_app
script:
- echo "compile the program"
- zip zipfile.zip helloworld.txt
- pwd
- ls -al
artifacts:
paths:
- /zip
build_container:
stage: build_container
before_script:
- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin
dependencies:
- build_app
script:
- pwd
- ls -al
- docker build --pull -t $IMAGE_TEST_NAME .
- docker push $IMAGE_TEST_NAME
test:
stage: test
before_script:
- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin
script:
- docker pull $IMAGE_TEST_NAME
- docker run $IMAGE_TEST_NAME yum install unzip -y && unzip /helloworld.zip && cat /helloworld.txt
release:
stage: release
before_script:
- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin
script:
- docker pull $IMAGE_TEST_NAME
- docker tag $IMAGE_TEST_NAME $IMAGE_RELEASE_NAME
- docker push $IMAGE_RELEASE_NAME
only:
- master
deploy:
stage: deploy
script:
- ./deploy.sh
only:
- master
when: manual
Error from build_container stage:
Running with gitlab-runner 11.6.1 (8d829975)
on gitrunner-shell trtHcQTS
Using Shell executor...
Running on gitrunner.example.com...
Fetching changes...
Removing zipfile.zip #################### <------------- this right here
HEAD is now at 07e787e Update .gitlab-ci.yml
Checking out 07e787ec as newFeature...
Skipping Git submodules setup
$ echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin
WARNING! Your password will be stored unencrypted in /home/gitlab-runner/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ pwd
/home/gitlab-runner/builds/trtHcQTS/0/dhealy/docker-helloworld-test
$ ls -al
total 12
drwxrwxr-x 3 gitlab-runner gitlab-runner 80 Jan 22 12:10 .
drwxrwxr-x 4 gitlab-runner gitlab-runner 70 Jan 21 17:48 ..
-rw-rw-r-- 1 gitlab-runner gitlab-runner 57 Jan 22 12:10 dockerfile
drwxrwxr-x 5 gitlab-runner gitlab-runner 138 Jan 22 12:10 .git
-rw-rw-r-- 1 gitlab-runner gitlab-runner 1450 Jan 22 12:10 .gitlab-ci.yml
-rw-rw-r-- 1 gitlab-runner gitlab-runner 11 Jan 22 12:10 helloworld.txt
$ docker build --pull -t $IMAGE_TEST_NAME .
Sending build context to Docker daemon 151kB
Step 1/3 : FROM centos:7
7: Pulling from library/centos
Digest: sha256:184e5f35598e333bfa7de10d8fb1cebb5ee4df5bc0f970bf2b1e7c7345136426
Status: Image is up to date for centos:7
---> 1e1148e4cc2c
Step 2/3 : COPY zip/helloworld.zip /
COPY failed: stat /var/lib/docker/tmp/docker-builder929937870/zip/helloworld.zip: no such file or directory
ERROR: Job failed: exit status 1
I'm expecting that helloworld.zip will existing in the working directory during the next stage, build_container.
It's perfectly normal that your zip file is removed because at the start of every jobs the sources are synchronized with the current commit.
Your problem come from the artifact path of your zip file which is incorrect in build_app job. You should write:
artifacts:
paths:
- zipfile.zip