#Dagger in Gitlab

Btw, if you have any trouble, we can take a look today. Feel free to ping if you have any question 😇 That could be a nice docs improvement

@neat flax I believe you can copy most of the docker stuff, then, on the .dagger part, you just install Go and run the script. Dagger shall autoprovision itself

So, copy:

.docker:
  image: docker:${DOCKER_VERSION}-git
  services:
    - docker:${DOCKER_VERSION}-dind
  variables:
    # See https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#docker-in-docker-with-tls-enabled-in-the-docker-executor
    DOCKER_HOST: tcp://docker:2376

    DOCKER_TLS_VERIFY: "1"
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_CERT_PATH: "/certs/client"

    # Faster than the default, apparently
    DOCKER_DRIVER: overlay2

    DOCKER_VERSION: "20.10"

.dagger:
  extends: [.docker]




  // TODO:
  // add Go
  // checkout multiarch example. Shall autoprovision itself

ahh, perfect, thanks!

Keep me in touch 😇

So, Ihave the multiarch running locally, and can do go run path/to/main.go https:://repo so I think

1. install Go in Docker
2. run app go run path/to/main.go repo
3. profit

I'm not sure to follow the step 1 -> install Go in Docker ?

You need to have go on the host, if you use the Go SDK (the example is in Go SDK, with your time constraint, I would stick to it). The Go SDK will auto-provision the Dagger engine on Docker

For it to be working. You Gitlab CI needs to have:

1. Docker
2. Go
   Then, you should do:
3. go run, as you said 😇

I've not used DIND for a long time.

Just rusty 😉

reviewing the dagger-cue/install.sh

The only conflicts you might have are the mount of sockets, but it we could find workaround and I don't think the example relies on this API 😇

@neat flax feel free to ping me for this too - I just got a gitlab-ci setup with Dagger running last Friday 😄

@elfin blade thanks, will do

progress so far is:

• Successfully installed Go in DIND docker
• Now running with a before_script
• And whilst I wait, creating a container from the DIND image which has Go installed to reduce the duration of the pipeline

  image: docker:${DOCKER_VERSION}-git
  services:
    - docker:${DOCKER_VERSION}-dind
  variables:
    # See https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#docker-in-docker-with-tls-enabled-in-the-docker-executor
    DOCKER_HOST: tcp://docker:2376

    DOCKER_TLS_VERIFY: "1"
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_CERT_PATH: "/certs/client"

    # Faster than the default, apparently
    DOCKER_DRIVER: overlay2

    DOCKER_VERSION: "20.10"

.dagger-go:
  extends: [.docker]
  variables:
    DAGGER_VERSION: 0.2.232
    DAGGER_LOG_FORMAT: plain
    DAGGER_CACHE_PATH: .dagger-cache

    ARGS: ""
  cache:
    key: dagger-${CI_JOB_NAME}
    paths:
      - ${DAGGER_CACHE_PATH}
  before_script:
    - |
      # install Go
      echo "installing go version 1.19.4..." 
      apk add --no-cache --virtual .build-deps bash gcc musl-dev openssl go 
      wget -O go.tgz https://dl.google.com/go/go1.19.4.src.tar.gz 
      tar -C /usr/local -xzf go.tgz 
      cd /usr/local/go/src/ 
      ./make.bash 
      export PATH="/usr/local/go/bin:$PATH"
      export GOPATH=/opt/go/ 
      export PATH=$PATH:$GOPATH/bin 
      apk del .build-deps 

      go version
  script:
    - |
      echo "Runing CMD: ${CMD}"
      go run ${CMD}

run-go-pipeline:
  extends: [.dagger-go]
  variables:
    CMD: experiments/01-go-multiarch/main.go https://github.com/jbendotnet/helloworld

Path failed, but making progress - lunch now.

we're open to suggestions if there's something we can do to simplify this besides providing examples.

FWIW the cue SDK docs has examples to setup dagger for each CI platform (https://docs.dagger.io/sdk/cue/470907/get-started#step-3-build-run-and-test-in-a-remote-ci-environment).

Starting from there should be 90% of the setup.

Is your example on a public repo ? 😇

Not atm no, I was planning to clean up and publish before the community call I'm joining but that's not until Jan - happy to share any details you want, but the Gitlab CI side is mostly just copy-paste from your docs 🙂

Ok, fighting a bit (we have on-prem Gitlab so can't assume things are 100% the same).

I'm attempting to get the CUE todoapp running.

ERROR: error during connect: Get "http://docker:2376/v1.24/info": dial tcp: lookup docker on 10.43.0.10:53: no such host

I get this error, what can I configure in the dagger.cue to change the addr used?

tangentially, the experience of writing Go to write the pipelines was seamless, the experience of deploying the pipelines in CI less so - sure it will improve

Here's the Go SDK Getting Started in GitLab CI: https://gitlab.com/jpadams301/getting-started

.docker:
  image: golang:1.19-alpine
  services:
    - docker:${DOCKER_VERSION}-dind
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_VERIFY: '1'
    DOCKER_TLS_CERTDIR: '/certs'
    DOCKER_CERT_PATH: '/certs/client'
    DOCKER_DRIVER: overlay2
    DOCKER_VERSION: '20.10.16'
.dagger:
  extends: [.docker]
  before_script:
    - apk add docker-cli
build:
  extends: [.dagger]
  script:
    - go run main.go

thanks! I will try that now.

$ go run main.go
2022/12/08 14:44:06 Hello, world!

@west zenith thank you

These CI examples will be in the docs soon.
https://github.com/dagger/dagger/issues/3918

thanks 🙂

it's more my lack of DIND in Gitlab that's causing pain, we build with Kaniko in Kube now, so the process is a bit different.

$ docker info
unable to resolve docker endpoint: open /certs/client/ca.pem: no such file or directory

Is it possible to run Dagger without privilege escalation ?

I don't think it is possible yet

yeah, I think it's a bit of a non-starter with our deployed runners, so I'm going to run a local runner, which should work 🙂

thanks for all the help

@neat flax we run k8s runners, for dind they need to run as privileged containers but the rest is fairly smooth sailing

@dire veldt I don't think we have an issue for that yet. Can you create one and reference this thread in it?

@violet wave @elfin blade hi - sorry for the delay - I've spoken to our SRE team and the feedback was to say "we're using kube deployed Gitlab ci runners" - if you have any tips or require additional info, please let me know 🙂

@dire veldt @neat flax Dagger won't work without privileged containers, because dind doesn't work without privileged containers. That said, there is rootless buildkit https://github.com/moby/buildkit/blob/master/docs/rootless.md.

@dire veldt I'm not too familiar with the low-level interaction with buildkit, but would it be feasible to run buildkit directly rather than DIND?

I think we do, back home in 20, will confirm

We have an issue for supporting rootless mode here: https://github.com/dagger/dagger/issues/1287

Rootless containers in general are full of nuances and tradeoffs (described some previously here: https://github.com/dagger/dagger/pull/2978#issuecomment-1234794009) so it's unfortunately not possible to just enable it by default and have it work for everyone.

As of right now, the only path to running rootlessly would require customization of our base engine image, which right now is in the category of "not officially supported but we can't stop you from doing it", though we are figuring out our next steps on that front here: https://github.com/dagger/dagger/issues/4105

I'm not too familiar with the low-level interaction with buildkit, but would it be feasible to run buildkit directly rather than DIND?
It's certainly technically possible but will currently again full under the category of "not officially supported but we can't stop you from doing it". One hard part is that we package our engine as an image because it's more than just buildkit; it also includes other dependent binaries like runc, a dagger shim, qemu emulators, etc. So it's not just a matter of running a single binary outside a container. The other thing to keep in mind is that this mode would still require either privilege (buildkitd needs it) or running rootlessly (with the same caveats)

interesting, thanks 🙂

thanks, I'll feed this back to our infra/sre team.

I'm going to run a CI runner locally for my live-demo later 😉 😓

On that I'll maybe add that it's all about risk management - we run a dedicated cluster for CI, so the risks of privileged containers are fairly low; anything happening is contained to our CI runners. Personally I don't think running as privileged is a big deal for this but ymmv (or your sec team's mileage)

I'll pass that along as well.

My understanding is we have dedicated K8s cluster for CI runners, though the specifics of why privileged is disabled I'm not party to (yet).

The response I got was (paraphrasing) "it is probably possible but likely very fiddlly as we use Kaniko for $reasons - tell them we run CI Runners in Kube".

Do you run or intend to run on AWS Fargate? (Not sure you're even on AWS). We discussed that, and Fargate doesn't support privileged containers, which is why we started looking at Kaniko initially

One thing to note is that you can also run a dagger host remotely, and set the DAGGER_HOST env (though this is being deprecated in favour of better alternatives last I heard). So one option could be to have your runners as now, and use a remote dagger host. That avoids DIND entirely

Oh, so you could run Dagger in Kube, and use that instead of the CI runners?

In this case what I was talking about was to run a separate node that just runs dagger, then have your gitlab CI run just the dagger client

Yes, that node being a node running in Kube, rather than DIND running Docker which is used to run Dagger.

It couldn’t run in Kube. The Dagger server needs access to buildkit, and running buildkit is, to my understanding, what requires privileged

It might be possible to run within k8s, but I haven’t given it much thought – I think e.g @vale wedge would know better on the limitations of that

but the TLDR is that the dagger agent needs access to a DOCKER_HOST, which needs to run somewhere. You also have the option of running just docker on a remote host, and changing the docker host

Ok, so we could run one or more fat Dagger hosts provisioned with Terraform or similar, provided one can load balance them, that should work.

that might work

This is getting into territory I have no idea about so I’ll defer to the people actually working on Dagger for it 😄 but yeah that was my understanding about remote hosts

hehe 🙂

it's even newer to me mate 😉

I’ve only been here a week 😂

Or two? I lost track of time

maybe 2 weeks but yeah, you run into a lot of interesting edge cases when running CI runners in kubernetes and making it work with Dagger 😄

@elfin blade hi - coming back to this after the w/e, occurs to me that perhaps I could have run Dagger as a CI service 🤔