As a developer or DevOps person, a common use case is to build Docker images as part of your CI/CD pipeline. No matter whether you use Jenkins, Wookpecker CI, GitLab CI or any other of the many existing CI servers, a typical setup is to have the build runners themselves be Docker containers as well. You’ll end up having to build Docker in Docker. While the easiest and most straightforward way to implement this is to mount the Docker daemon into the container itself, it’s not necessarily the most secure way. Instead, you may want to build your images in a rootless fashion and without requiring a Docker daemon.
For a long time, Google’s Kaniko has been de-facto standard there, but at latest after the project has been discontinued, an alternative was needed. I had to migrate most of my CI pipelines and my particular requirements were the following.
Requirements:
- Build must run inside Docker, but rootless and without access to the host daemon
- Images shall be pushed to a private registry upon successful build
- If a Git tag is given, use that tag (alongside
latest
) for the image as well, otherwise use the commit hash and branch name as tags - Intermediate layers shall be cached for efficiency and speed
- Upstream images shall be pulled from a local mirror registry
Turns out this is harder than you would think. After a bit of research I found that using Docker Buildx is the recommended approach today – even though not necessarily the simplest.
After I worked out a solution, I thought it might be helpful to share it. So here is a GitLab CI pipeline that fulfills the above requirements.
1 | stages: |
Hope that helps! 🤓
Comments