bentolor/docker-dind-awscli
is a drop-in replacement for the docker
image in situations where you'd also want to use awscli
at the same time.
On similar lines bentolor/docker-dind-awscli:dind
is a drop-in replacement for docker:dind
augmented by awscli
.
Refer to section "docker:dind vs. docker:latest" for details on the differences.
If you face the simple problem that you want to do a simple aws ecr set-login-password … | docker login …
inside your Docker-based CI pipeline, you might stumble over the following problems:
- The official
docker:latest
Image does not have Python,pip
or theaws
tools installed - The popular
awscli
images do not provide Docker support - Even manually installing
awscli
intodocker:stable
as described in the official AWS CLI documentation does not work,
The last point is because docker:latest
is based on Alpine Liinux and awscli
does not work on Alpine distribution due to missing glibc libraries.
This repository reflects a workaround as described by @blagerweij in this upstream issue. Basically it
- Starts of
docker:latest
- Downloads & install glibc libraries for Apline from https://github.com/sgerrand/alpine-pkg-glibc/
- Downloads & insstalls
awscli
using the method described in https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html
This synthetical example pulls a docker image by SHA1 from the Gitlab container repository and then pushes it to an ECR instance.
deploy:api:ecr-image:
image: bentolor/docker-dind-awscli
services:
- name: docker:dind
stage: publish-aws
script:
# Fetch local docker image, rename & push to target environment
- docker info
- docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN gitlab.foo.bar:4567
- docker pull $LOCAL_IMAGE_NAME:$CI_COMMIT_SHA
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $REPOSITORY_HOST_API
- docker tag $LOCAL_IMAGE_NAME:$CI_COMMIT_SHA $REPOSITORY_HOST_API/myservice:latest
- docker push $REPOSITORY_HOST_API/myservice:latest
only:
- master
Note: Using the services
-Tag we start a separate dind container running the actual docker daemon. Gitlab CI automatically passes the required DOCKER_HOST
, so that the docker
-Client talks to that dind container.
Since 2021-10-15 this image no longer is based on the no longer maintained docker:stable
tag (Docker v19) but now is based on the docker:latest
tag. If this broke your build you might quick-resort into using bentolor/docker-dind-awscli:2.2.36
.
Please note, that while this image is called docker-dind-awscli
, the bentolor/docker-dind-awscli
image itself is not meant as replacement for docker:dind
, but for docker:latest
.
Short explanation: docker:dind
is an image, which allows to run an additional Docker daemon inside another Docker daemon. Therefore Docker-in-Docker, or short: dind. Containers based on this image expose a new Docker daemon instance via TCP sockets at port 2375
and 2376
(SSL/TLS).
The general idea here is, that instead of using and exposing your host Docker, you now can run a separate Docker dind daemon inside your Docker installation. For example to build images inside you CI/CD, which itself might run as Docker container. This approach avoids opening and directly exposing your host daemon, therefore less threatening your overall host security.
On the other hand, the docker
command itself is only a client. The DOCKER_HOST
defines to which Docker daemon it talks to. By default the docker
client tries to directly access your local Docker daemon installation.
So there are to approaches to use Docker-in-Docker:
-
You start a separate
docker:dind
container while running yourdocker
andawscli
client commands in a separate container based ondocker:latest
. ThereDOCKER_HOST
must point to the dind container. This is the recommended way and is shown in the Gitlab CI example. To useaws
commands, i.e. along withdocker build …
commands, you'd replace thedocker:latest
image withbentolor/docker-dind-awscli
. -
You start a
docker:dind
container and run youdocker
client commands inside that nested Docker installation. In that casebentolor/docker-dind-awscli:dind
would replacedocker:dind
, if you want to useaws
commands, i.e. along withdocker build …
commands.