How to reach the GitLab build container from a docker container running in the docker in docker service?
I have a compose file that I want to spin up in a Gitlab Pipeline.
I am using a docker executor with the docker in docker service.
I have an Nginx proxy in my compose that handles mTLS for my main app, and a service in my compose that I need for testing (that requires mTLS). Nginx fails to find the host "build" and fails to start.
I set FF_NETWORK_PER_BUILD: "true" in my .gitlab-ci.yml file and got the same error. I added it to my runner config and same issue.
The docs mention that IPv6 needs to be enabled, so I updated my daemon.json file to the following, restarted the docker service, and still ran into the same issue.
daemon.json snippet
{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:d0ca:d0ca::/64",
  "default-address-pools": [
    {"base": "172.31.0.0/16", "size": 24},
    {"base": "2001:db8:d0ca::/49", "size": 64}
  ]
}
.gitlab-ci.yml snippet
.docker-in-docker:
  tags:
    - app-name
    - docker-in-docker
  image:
    name: docker:28.2.2
    pull_policy: if-not-present
  variables:
    FF_NETWORK_PER_BUILD: "true"
  services:
    - name: docker:28.2.2-dind
      alias: docker
      pull_policy: if-not-present
      variables:
        HEALTHCHECK_TCP_PORT: "2375"
  before_script:
    - sed -i -e s/172.17.0.1:8080/build:8080/g docker-compose.yaml
    - sed -i -e s/172.17.0.1:3000/docker:3000/g docker-compose.yaml
    - docker compose up -d
    - apk add --update nodejs npm
    - npm ci --cache .npm --prefer-offline --include dev
    - grep -q "database system is ready to accept connections" <(docker compose logs postgres --follow)
    - export APP_DB_HOST=docker
    - export APP_ORIGIN="docker:8443"
    - export AUTH_URL="http://docker:8444/AUTH/api/rest/v4"
    - npm run build
    - grep -q "Welcome to auth" <(docker compose logs auth --follow)
    - docker compose ps
    - docker compose logs nginx
    - '[ $(docker compose ps -q | wc -l) = 3 ]'
    - npm run start &

ui:
  stage: lint
  extends: .docker-in-docker
  script:
    - |
      docker run \
        --network host \
        -e CI=1 \
        -v $(pwd):/app \
        -w /app \
        mcr.microsoft.com/playwright:v1.52.0-noble \
        /bin/sh -c "npm run test:ui"
docker compose snippet
services:
  postgres:
    image: postgres
    environment:
      POSTGRES_USER: $APP_DB_USER
      POSTGRES_PASSWORD: $APP_DB_PASSWORD
      POSTGRES_DB: $APP_DB_NAME
    ports:
      - $APP_DB_PORT:5432
  auth:
    extends:
      file: auth/docker-compose.yaml
      service: auth
    volumes:
      - ./auth-data:/auth/data:rw
  nginx:
    image: nginx
    ports:
      - "8443:443"
      - "8444:444"
    volumes:
      - ./auth-data/pki/intermediate/servers/app/crt.pem:/etc/nginx/nginx.crt
      - ./auth-data/pki/intermediate/servers/app/key.pem:/etc/nginx/nginx.key
      - ./auth-data/pki/intermediate/ca/crt.pem:/etc/nginx/intermediate.crt
      - ./auth-data/pki/root/ca/crt.pem:/etc/nginx/root.crt
    configs:
      - source: nginx_config
        target: /etc/nginx/conf.d/default.conf
      - source: nginx_setup
        target: /docker-entrypoint.d/50-my-setup.sh
        mode: 0777

configs:
  nginx_setup:
    content: |
      # need to build the ca chain
      cat /etc/nginx/root.crt /etc/nginx/intermediate.crt > /etc/nginx/ca.crt
  nginx_config:
    content: |
      error_log /var/log/nginx/error.log info;
      # proxy to app
      server {
        listen 443 ssl;
        ssl_certificate nginx.crt;
        ssl_certificate_key nginx.key;
        ssl_client_certificate ca.crt;
        ssl_verify_client on;
        location / {
          proxy_set_header X-SSL-Client-S-DN $$ssl_client_s_dn;
          proxy_pass http://172.17.0.1:8080;
        }
      }
      # proxy to auth
      server {
        listen 444;
        proxy_ssl_certificate nginx.crt;
        proxy_ssl_certificate_key nginx.key;
        proxy_ssl_trusted_certificate ca.crt;
        location / {
          proxy_pass "https://172.17.0.1:3000$$request_uri";
        }
      }
runner configuration
[[runners]]
  name = "app docker in docker runner"
  url = <REMOVED>
  id = 68
  token = <REMOVED>
  token_obtained_at = <REMOVED>
  token_expires_at = <REMOVED>
  executor = "docker"
  [runners.feature_flags]
    FF_NETWORK_PER_BUILD = true
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    tls_verify = false
    image = "docker:28.2.2"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/certs/client", "/cache"]
    allowed_pull_policies = ["always", "if-not-present"]
    shm_size = 0
    network_mtu = 0
--network host, which would work, a named dedicated network should work too. BTW: Another approach would be to run the container within the compose setup. Put the general config into a different profile and then use docker compose exec.
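The second approach in the comment above, a test runner that lives inside the compose project under a profile, as an added example; this is not code from the original question or from the comment's author. The image, the /app workspace mount and the `npm run test:ui` command are taken from the question's `docker run` line; the service name `playwright`, the profile name `test`, the file name `docker-compose.ci.yaml` and the `nginx:443` origin are assumptions.

```yaml
# docker-compose.ci.yaml (added example, not from the original post):
# an override file that adds the Playwright runner to the compose project,
# so it shares the compose network with nginx, auth and postgres and can
# reach them by service name instead of via the dind alias "docker".
#
# Start the stack with the profile enabled (the profile keeps the runner out
# of a plain `docker compose up`):
#   docker compose -f docker-compose.yaml -f docker-compose.ci.yaml --profile test up -d
# Then run the tests inside the compose network:
#   docker compose -f docker-compose.yaml -f docker-compose.ci.yaml --profile test exec playwright npm run test:ui
services:
  playwright:
    image: mcr.microsoft.com/playwright:v1.52.0-noble
    profiles: ["test"]          # assumed profile name
    working_dir: /app
    volumes:
      - .:/app                  # same workspace mount as the question's `-v $(pwd):/app`
    environment:
      CI: "1"
      # On the compose network the proxy is reached by service name and container
      # port, not by the published port 8443 on the dind service (assumed value).
      APP_ORIGIN: "nginx:443"
    # Keep the container alive so that `docker compose exec` has a process to attach to.
    command: ["sleep", "infinity"]
    depends_on:
      - nginx
```

This only moves the test runner onto the compose network; it does not change what nginx itself can resolve. The app started by `npm run start &` still runs in the build container, so the `proxy_pass` to `build:8080` is a separate question from the test runner's placement, and the comment's `--network host` suggestion is the one that addresses that lookup.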