docker - GitLab CI error /bin/sh: eval: line 138: docker: not found
Problem description
When I try to build a docker image, the GitLab runner throws an error.
gitlab-ci.yml
container_scanning:
  stage: test
  image:
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
  variables:
    GIT_STRATEGY: none
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker build -t testdocker .
Dockerfile
FROM Test.dev/devops/aquasec/trivy:0.16.0
RUN trivy filesystem --skip-update --exit-code 1 --no-progress /
Error
/bin/sh: eval: line 138: docker: not found
$ docker build -t testdocker .
I have checked the docker image history, and the entrypoint is ENTRYPOINT ["trivy"]:
~$ docker image history --no-trunc aquasec/trivy:latest
IMAGE CREATED CREATED BY SIZE COMMENT
sha256:9a0e347a8cda3c2bdf3f4d7aa24ccfb3e5dce8763bf6064526fdecd06aafd711 4 days ago ENTRYPOINT ["trivy"] 0B buildkit.dockerfile.v0
<missing> 4 days ago COPY contrib/*.tpl contrib/ # buildkit 14.7kB buildkit.dockerfile.v0
<missing> 4 days ago COPY trivy /usr/local/bin/trivy # buildkit 39.3MB buildkit.dockerfile.v0
<missing> 4 days ago RUN /bin/sh -c apk --no-cache add ca-certificates git # buildkit 13.5MB buildkit.dockerfile.v0
<missing> 7 weeks ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0B
<missing> 7 weeks ago /bin/sh -c #(nop) ADD file:aad4290d27580cc1a094ffaf98c3ca2fc5d699fe695dfb8e6e9fac20f1129450 in / 5.6MB
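Solution
The problem is that you are telling GitLab to run the pipeline inside a container with the trivy image, which I assume is a custom Dockerfile that uses aquasec/trivy as its base image.
If you have not installed the Docker CLI in your custom image, there is no reason for it to be there.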
❯ docker pull aquasec/trivy
Using default tag: latest
latest: Pulling from aquasec/trivy
a0d0a0d46f8b: Already exists
330bb1eb9af6: Pull complete
de4b3e2cc536: Pull complete
65a5529ac0a6: Pull complete
Digest: sha256:c5e2a98e1c1a34f2f6d80f02b4f78fb25ddafbadb8f2b3962059b14c8da1d6f8
Status: Downloaded newer image for aquasec/trivy:latest
docker.io/aquasec/trivy:latest
❯ docker run --rm -it --entrypoint sh aquasec/trivy
/ # docker --version
sh: docker: not found
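If I scan that image with docker scan, I can see that it uses alpine:3.14.2 as the base image and apk as the package manager; so, in order to use Docker inside that container, your custom image (the one under $CI_REGISTRY/devops/trivy/trivy:0.20.1) should have the Docker CLI installed.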
Dockerfile
FROM aquasec/trivy
RUN apk add docker-cli
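This assumes, of course, that the Docker runner's configuration.toml defines a bind mount of /var/run/docker.sock for the images used.
Another option is to use Docker-in-Docker (installing the whole of Docker directly inside the container and starting the daemon on it).
To use Docker-in-Docker, you have to modify your job a little: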
container_scanning:
  stage: test
  image:
    name: $CI_REGISTRY/devops/trivy/trivy:0.20.1
  services:
    - docker:19.03.12-dind
  variables:
    GIT_STRATEGY: none
    FULL_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    # Tell docker CLI how to talk to Docker daemon.
    DOCKER_HOST: tcp://localhost:2375/
    # Use the overlayfs driver for improved performance.
    DOCKER_DRIVER: overlay2
    # Disable TLS since we're running inside local network.
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker build -t testdocker .
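Keep in mind that if you decide to use Docker-in-Docker instead of actually mounting the socket, you will be subject to the following limitations: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#limitations-of-docker-in-docker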
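
The failure modes discussed in this answer (no docker binary in the job image, no socket bind-mounted by the runner, no dind daemon answering on DOCKER_HOST) can be told apart at the start of the job. The preflight below is an added example, not part of the original post; the function name docker_preflight and its result words are made up for illustration.

```shell
#!/bin/sh
# Added example: preflight for a GitLab CI job whose script calls `docker`.
# POSIX sh only, so it runs in the Alpine-based trivy image (/bin/sh).
# docker_preflight and its result words are hypothetical names.
#
# Usage as the first line of `script:` (after sourcing this file):
#   docker_preflight || exit 1

# Prints one diagnosis word; returns 0 only when `docker build` can work.
docker_preflight() {
    # 1. The error on this page: the job image ships no docker CLI.
    if ! command -v docker >/dev/null 2>&1; then
        echo "cli-missing"          # fix: RUN apk add docker-cli
        return 1
    fi

    # 2. Which daemon endpoint will the CLI use? Without DOCKER_HOST it
    #    falls back to the local socket, which only exists in the job
    #    container if the runner bind-mounts it.
    endpoint="${DOCKER_HOST:-unix:///var/run/docker.sock}"
    case "$endpoint" in
        unix://*)
            if [ ! -S "${endpoint#unix://}" ]; then
                echo "socket-not-mounted"
                return 2
            fi ;;
    esac

    # 3. Ask the daemon for its version. For a tcp:// endpoint this fails
    #    when the dind service is absent or not yet listening.
    if ! docker version --format '{{.Server.Version}}' >/dev/null 2>&1; then
        echo "daemon-unreachable"
        return 3
    fi

    echo "ok"
}
```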