Introduction
In this previous post I came across an issue that I wanted to write about in more detail:
- Why it is bad to rely on any kind of `latest` tags
- How docker `19.03-dind` will break your gitlab-ci docker builds and what you can do about it
If you do not use `latest`, your pipeline is not broken yet, but this may still be interesting for you since this summary will help you update.
Why latest is bad
We have all been told that relying on latest tags is bad: there may be breaking changes.
Well, docker:19.03.11 and docker:19.03.11-dind came with such a breaking change (in fact, it affects 18.09+), and if you have not been careful, your pipeline is probably broken.
What are the changes?
The changes affect the default behavior of dind for versions after 18.09: in these versions TLS has been made the default where it was not before. More about this in the “TLS” section [here](https://hub.docker.com/_/docker?tab=description&page=1&name=dind).
Solution
Our build job looks like this. The tricky details are marked with a number, e.g. (1); these markers are not part of the job’s source code, but are there for easier reading:
```yaml
docker build:
  stage: build
  image: docker:19.03.11
  tags:
    - asksven-homelab-prd-public
  services:
    - name: docker:19.03.11-dind
  variables:
    DOCKER_TLS_CERTDIR: ""  # (1) set this to disable TLS (default on docker 18.09+)
    DOCKER_HOST: tcp://localhost:2375/  # (2)
    DOCKER_DRIVER: overlay2
  script:
    - docker login -u "${DOCKER_REGISTRY_USER}" -p "$DOCKER_REGISTRY_PASSWORD" ${DOCKER_REGISTRY}
    # build and push
    - docker build -t ${DOCKER_REGISTRY}/${DOCKER_IMAGE_URL}:${CI_BUILD_REF} .
```
- (1) We must set `DOCKER_TLS_CERTDIR` to empty in order to stop dind from using the new TLS default
- (2) If you run the gitlab-runner on Kubernetes (as a privileged pod), `DOCKER_HOST` must be set to point to the underlying dind
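
As an added example (not part of the original post, and not GitLab or Docker tooling), this line-based check flags the two problems discussed above in a `.gitlab-ci.yml`: floating `docker` tags such as `latest` or `19.03-dind`, and dind jobs that run with TLS disabled on port 2375. The function name `audit_ci`, the rule names and the sample pipeline are constructed for illustration, and the check matches lines with regular expressions rather than parsing YAML.

```python
import re

# Constructed sample input: the job from this post plus a job on floating tags.
SAMPLE_CI = '''\
docker build:
  image: docker:19.03.11
  services:
    - name: docker:19.03.11-dind
  variables:
    DOCKER_TLS_CERTDIR: ""  # disables TLS
    DOCKER_HOST: tcp://localhost:2375/
floating build:
  image: docker:latest
  services:
    - docker:19.03-dind
'''

# An official docker image reference used as image:, name: or a bare list item.
IMAGE_REF = re.compile(r"^\s*(?:-\s+)?(?:(?:image|name):\s*)?[\"']?docker(?::([\w.-]+))?[\"']?\s*(?:#.*)?$")
# A tag counts as pinned only if it starts with a full x.y.z version.
PINNED_TAG = re.compile(r"^\d+\.\d+\.\d+(?:-[\w.]+)?$")
TLS_OFF = re.compile(r"^\s*DOCKER_TLS_CERTDIR:\s*(?:\"\"|'')?\s*(?:#.*)?$")
PLAIN_PORT = re.compile(r"^\s*DOCKER_HOST:\s*[\"']?tcp://[^\s\"'#]+:2375/?[\"']?\s*(?:#.*)?$")


def audit_ci(text):
    """Return (line_number, rule, detail) findings for a .gitlab-ci.yml string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        ref = IMAGE_REF.match(line)
        if ref:
            tag = ref.group(1)
            if tag is None or not PINNED_TAG.match(tag):
                findings.append((lineno, "floating-tag", "docker:" + (tag or "<none>")))
        elif TLS_OFF.match(line):
            findings.append((lineno, "dind-tls-disabled", "DOCKER_TLS_CERTDIR is empty"))
        elif PLAIN_PORT.match(line):
            findings.append((lineno, "dind-plaintext-port", "DOCKER_HOST uses 2375"))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in audit_ci(SAMPLE_CI):
        print(f"line {lineno}: {rule}: {detail}")
```

Run against the job in this post, it reports the empty `DOCKER_TLS_CERTDIR` and the port 2375 `DOCKER_HOST` as deliberate exceptions to review, while the pinned `19.03.11` tags pass.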