Build Dockerfiles in GitLab CI shared runners the easy way: ditch dind
Buildah is more secure, less finicky, and great for GitLab
This post describes a clean way to build container images in GitLab CI and push them to a registry, without Docker in Docker. The same technique should work well on any CI platform. I went heavy on the links to supporting documentation, but my goal is that you should only have to click on them if you are curious.
Why Buildah instead of Docker in Docker
Building container images from a Dockerfile in CI/CD carries a host of unexpected challenges and security risks, primarily because the CI pipeline is running in Docker to begin with. Docker in Docker, or “dind,” requires a --privileged flag and exposing the host’s Docker daemon socket to the container. Security complaints, versioning issues, and inefficiency abound; Docker even warns you about it.
Fortunately, there’s Buildah — a tool that builds Open Container Initiative (OCI) container images, including building them from Dockerfiles. It rarely requires root permissions and does not need a daemon. It has great support from Red Hat, and Buildah (along with Podman and Skopeo) is also available in the default Ubuntu 22.04 apt repositories.
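To make the difference concrete, here is the same "build and push" job written both ways. This is an added example, not a snippet from the original post or from the Buildah project. It assumes GitLab's predefined CI variables (CI_REGISTRY, CI_REGISTRY_USER, CI_REGISTRY_PASSWORD, CI_REGISTRY_IMAGE, CI_COMMIT_SHORT_SHA), a Dockerfile at the repository root, and the upstream quay.io/buildah/stable image; the image tags and the three Buildah environment variables are my choices, not something the post prescribes.

```yaml
# Added example (not from the original post). Assumes GitLab's predefined
# CI variables and a Dockerfile at the repository root.

stages:
  - build

# --- Docker in Docker: the weak setting ---
# Only works on a runner whose config.toml sets privileged = true, so the
# job container can start its own daemon and effectively gets root on the host.
build-dind:
  stage: build
  image: docker:24.0.5
  services:
    - docker:24.0.5-dind
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    # --password-stdin keeps the registry token out of the process list
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

# --- Buildah: no daemon, no privileged runner ---
# Runs on a plain, unprivileged shared runner; nothing on the host is exposed.
build-buildah:
  stage: build
  image: quay.io/buildah/stable
  variables:
    STORAGE_DRIVER: vfs          # overlay needs privileges the job container does not have
    BUILDAH_ISOLATION: chroot    # no user namespace or OCI runtime needed inside the job
    BUILDAH_FORMAT: docker       # Docker-format manifest; omit to emit pure OCI format
  script:
    - echo "$CI_REGISTRY_PASSWORD" | buildah login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - buildah build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - buildah push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
```

The trade-off worth knowing before you switch: the vfs storage driver copies each layer instead of stacking them, so builds are slower and use more disk than overlay. That cost is what buys you a job that never needs a privileged runner or a socket to the host daemon.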