bentolor/docker-dind-awscli is a drop-in replacement for the docker image in situations where you'd also want to use awscli at the same time.
On similar lines bentolor/docker-dind-awscli:dind is a drop-in replacement for docker:dind augmented by awscli.
Refer to section "docker:dind vs. docker:latest" for details on the differences.
If you simply want to run aws ecr get-login-password … | docker login … inside your Docker-based CI pipeline, you might stumble over the following problems:
- The official docker:latest image does not have Python, pip or the aws tools installed
- The popular awscli images do not provide Docker support
- Even manually installing awscli into docker:stable as described in the official AWS CLI documentation does not work
The last point is because docker:latest is based on Alpine Linux, and awscli does not work on Alpine because the glibc libraries are missing.
This repository reflects a workaround as described by @blagerweij in this upstream issue. Basically it:
- Starts from docker:latest
- Downloads & installs glibc libraries for Alpine from https://github.com/sgerrand/alpine-pkg-glibc/
- Downloads & installs awscli using the method described in https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux.html
This synthetic example pulls a docker image by SHA1 from the Gitlab container repository and then pushes it to an ECR instance.

    deploy:api:ecr-image:
      image: bentolor/docker-dind-awscli
      services:
        - name: docker:dind
      stage: publish-aws
      script:
        # Fetch local docker image, rename & push to target environment
        - docker info
        - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN gitlab.foo.bar:4567
        - docker pull $LOCAL_IMAGE_NAME:$CI_COMMIT_SHA
        - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $REPOSITORY_HOST_API
        - docker tag $LOCAL_IMAGE_NAME:$CI_COMMIT_SHA $REPOSITORY_HOST_API/myservice:latest
        - docker push $REPOSITORY_HOST_API/myservice:latest
      only:
        - master

Note: Using the services tag we start a separate dind container running the actual docker daemon. Gitlab CI automatically passes the required DOCKER_HOST, so that the docker client talks to that dind container.
Since 2021-10-15 this image is no longer based on the unmaintained docker:stable tag (Docker v19) but on the docker:latest tag. If this broke your build, you can fall back to bentolor/docker-dind-awscli:2.2.36 as a quick fix.
Please note that while this image is called docker-dind-awscli, the bentolor/docker-dind-awscli image itself is not meant as a replacement for docker:dind, but for docker:latest.
Short explanation: docker:dind is an image which allows you to run an additional Docker daemon inside another Docker daemon, hence Docker-in-Docker, or dind for short. Containers based on this image expose a new Docker daemon instance via TCP sockets at ports 2375 and 2376 (SSL/TLS).
The general idea is that instead of using and exposing your host Docker daemon, you can run a separate Docker dind daemon inside your Docker installation, for example to build images inside your CI/CD, which itself might run as a Docker container. This approach avoids opening and directly exposing your host daemon and is therefore less of a threat to your overall host security.
On the other hand, the docker command itself is only a client. The DOCKER_HOST environment variable defines which Docker daemon it talks to. By default the docker client tries to directly access your local Docker daemon installation.
So there are two approaches to use Docker-in-Docker:
- You start a separate docker:dind container while running your docker and awscli client commands in a separate container based on docker:latest. There DOCKER_HOST must point to the dind container. This is the recommended way and is shown in the Gitlab CI example. To use aws commands, i.e. along with docker build … commands, you'd replace the docker:latest image with bentolor/docker-dind-awscli.
- You start a docker:dind container and run your docker client commands inside that nested Docker installation. In that case bentolor/docker-dind-awscli:dind would replace docker:dind, if you want to use aws commands, i.e. along with docker build … commands.
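
For the first (recommended) approach, a CI job can check which daemon its docker client will actually reach before it logs in or pushes. The following is an added example, not part of this repository: the function names are hypothetical, and DOCKER_TLS_VERIFY is the docker client's standard TLS switch, which this README does not otherwise mention.

```shell
#!/bin/sh
# Added example, not from the original README.

# classify_docker_host HOST [TLS_VERIFY]
# Prints which kind of daemon endpoint a DOCKER_HOST value refers to.
classify_docker_host() {
    host=$1
    tls_verify=${2:-}
    case $host in
        '' | unix://*) echo local-socket; return 0 ;;  # client default: local daemon
        tcp://*) ;;
        *) echo unknown; return 0 ;;
    esac
    rest=${host#tcp://}   # strip the scheme
    rest=${rest%%/*}      # strip any trailing path
    port=${rest##*:}      # text after the last colon (whole string if none)
    case $port in
        2375) echo dind-plain ;;
        2376)
            # The client only speaks TLS when DOCKER_TLS_VERIFY is non-empty.
            if [ -n "$tls_verify" ]; then echo dind-tls
            else echo dind-tls-misconfigured; fi ;;
        *) echo other-tcp ;;
    esac
}

# preflight_docker_endpoint: returns 0 only when the job targets a dind daemon
# on one of the two ports named above; reads DOCKER_HOST and DOCKER_TLS_VERIFY.
preflight_docker_endpoint() {
    kind=$(classify_docker_host "${DOCKER_HOST:-}" "${DOCKER_TLS_VERIFY:-}")
    case $kind in
        dind-tls) return 0 ;;
        dind-plain)
            echo "warning: unencrypted daemon connection (port 2375)" >&2
            return 0 ;;
        local-socket)
            echo "error: DOCKER_HOST is unset or a Unix socket, not a dind service" >&2
            return 1 ;;
        *)
            echo "error: unexpected DOCKER_HOST (${kind})" >&2
            return 1 ;;
    esac
}
```

Calling preflight_docker_endpoint as the first script step makes the job fail early if it would talk to a local socket instead of the dind service. In the second approach the client runs next to the nested daemon, so a local socket is expected and this check does not apply.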