Download Postgresql Docker Image

You can run your CI/CD jobs in separate, isolated Docker containers.

Dec 27, 2020 The Spring Boot Docker image has the name docker-spring-boot-postgres:latest (line 5). Docker builds that image from the Dockerfile in the current directory (lines 6-7) The container name is app (line 8). It depends on the db service (line 10). That's why it starts after the db container. # Start empty Ubuntu container docker run -it ubuntu bash # Show current Ubuntu version lsbrelease -a (See instruction detail from.

If you run Docker on your local machine, you can run tests in the container,rather than testing on a dedicated CI/CD server.

To run CI/CD jobs in a Docker container, you need to:

  1. Register a runner so that all jobs run in Docker containers. Do this by choosing the Docker executor during registration.
  2. Specify which container to run the jobs in. Do this by specifying an image in your .gitlab-ci.yml file.
  3. Optional. Run other services, like MySQL, in containers. Do this by specifying servicesin your .gitlab-ci.yml file.

Register a runner that uses the Docker executor

To use GitLab Runner with Docker you need to register a runnerthat uses the Docker executor.

This example shows how to set up a temporary template to supply services:

Then use this template to register the runner:

The registered runner uses the ruby:2.6 Docker image and runs twoservices, postgres:latest and mysql:latest, both of which areaccessible during the build process.

What is an image

The image keyword is the name of the Docker image the Docker executoruses to run CI/CD jobs.

By default, the executor pulls images from Docker Hub.However, you can configure the registry location in the gitlab-runner/config.toml file.For example, you can set the Docker pull policyto use local images.

For more information about images and Docker Hub, seethe Docker Fundamentals documentation.

Define image in the .gitlab-ci.yml file

You can define an image that's used for all jobs, and a list ofservices that you want to use during runtime:

The image name must be in one of the following formats:

  • image: <image-name> (Same as using <image-name> with the latest tag)
  • image: <image-name>:<tag>
  • image: <image-name>@<digest>

Extended Docker configuration options

Introduced in GitLab and GitLab Runner 9.4.

You can use a string or a map for the image or services entries:

Download
  • Strings must include the full image name(including the registry, if you want to download the image from a registryother than Docker Hub).
  • Maps must contain at least the name option,which is the same image name as used for the string setting.

For example, the following two definitions are equal:

  • A string for image and services:

  • A map for image and services. The image:name isrequired:

Where scripts are executed

When a CI job runs in a Docker container, the before_script, script, and after_script commands run in the /builds/<project-path>/ directory. Your image may have a different default WORKDIR defined. To move to your WORKDIR, save the WORKDIR as an environment variable so you can reference it in the container during the job's runtime.

Available settings for image

Introduced in GitLab and GitLab Runner 9.4.

SettingRequiredDescription
nameYes, when used with any other option.Full name of the image. It should contain the registry part if needed.
entrypointNo.Command or script to execute as the container's entrypoint. It's translated to Docker's --entrypoint option while creating the container. The syntax is similar to Dockerfile's ENTRYPOINT directive, where each shell token is a separate string in the array.

Overriding the entrypoint of an image

Introduced in GitLab and GitLab Runner 9.4. Read more about the extended configuration options.

Before explaining the available entrypoint override methods, let's describehow the runner starts. It uses a Docker image for the containers used in theCI/CD jobs:

  1. The runner starts a Docker container using the defined entrypoint. The defaultfrom Dockerfile that may be overridden in the .gitlab-ci.yml file.
  2. The runner attaches itself to a running container.
  3. The runner prepares a script (the combination ofbefore_script,script,and after_script).
  4. The runner sends the script to the container's shell stdin and receives theoutput.

To override the entrypoint of a Docker image,define an empty entrypoint in the .gitlab-ci.yml file, so the runner does not starta useless shell layer. However, that does not work for all Docker versions.

  • For Docker 17.06 and later, the entrypoint can be set to an empty value.
  • For Docker 17.03 and earlier, the entrypoint can be set to/bin/sh -c, /bin/bash -c, or an equivalent shell available in the image.

The syntax of image:entrypoint is similar to Dockerfile's ENTRYPOINT.

Let's assume you have a super/sql:experimental image with a SQL databasein it. You want to use it as a base image for your job because youwant to execute some tests with this database binary. Let's also assume thatthis image is configured with /usr/bin/super-sql run as an entrypoint. Whenthe container starts without additional options, it runsthe database's process. The runner expects that the image has noentrypoint or that the entrypoint is prepared to start a shell command.

With the extended Docker configuration options, instead of:

  • Creating your own image based on super/sql:experimental.
  • Setting the ENTRYPOINT to a shell.
  • Using the new image in your CI job.

You can now define an entrypoint in the .gitlab-ci.yml file.

For Docker 17.06 and later:

For Docker 17.03 and earlier:

Define image and services in config.toml

Look for the [runners.docker] section:

The image and services defined this way are added to all jobs run bythat runner.

Define an image from a private Container Registry

To access private container registries, the GitLab Runner process can use:

  • Statically defined credentials. That is, a username and password for a specific registry.
  • Credentials Store. For more information, see the relevant Docker documentation.
  • Credential Helpers. For more information, see the relevant Docker documentation.

To define which option should be used, the runner process reads the configuration in this order:

  • A DOCKER_AUTH_CONFIG variable provided as either:
    • A CI/CD variable in the .gitlab-ci.yml file.
    • A project's variables stored on the project's Settings > CI/CD page.
  • A DOCKER_AUTH_CONFIG variable provided as environment variable in the runner's config.toml file.
  • A config.json file in $HOME/.docker directory of the user running the process.If the --user flag is provided to run the child processes as unprivileged user,the home directory of the main runner process user is used.

The runner reads this configuration only from the config.toml file and ignores it ifit's provided as a CI/CD variable. This is because the runner uses onlyconfig.toml configuration and does not interpolate any CI/CD variables atruntime.

Requirements and limitations

  • Available for Kubernetes executorin GitLab Runner 13.1 and later.
  • Credentials Store and Credential Helpersrequire binaries to be added to the GitLab Runner $PATH, and require access to do so. Therefore,these features are not available on shared runners, or any other runner where the user does nothave access to the environment where the runner is installed.

Use statically-defined credentials

There are two approaches that you can take to access aprivate registry. Both require setting the CI/CD variableDOCKER_AUTH_CONFIG with appropriate authentication information.

  1. Per-job: To configure one job to access a private registry, addDOCKER_AUTH_CONFIG as a job variable.
  2. Per-runner: To configure a runner so all its jobs can access aprivate registry, add DOCKER_AUTH_CONFIG to the environment in therunner's configuration.

See below for examples of each.

Determine your DOCKER_AUTH_CONFIG data

As an example, let's assume you want to use the registry.example.com:5000/private/image:latestimage. This image is private and requires you to sign in to a private containerregistry.

Let's also assume that these are the sign-in credentials:

KeyValue
registryregistry.example.com:5000
usernamemy_username
passwordmy_password

Use one of the following methods to determine the value of DOCKER_AUTH_CONFIG:

  • Do a docker login on your local machine:

    Then copy the content of ~/.docker/config.json.

    If you don't need access to the registry from your computer, youcan do a docker logout:

  • In some setups, it's possible the Docker client uses the available system keystore to store the result of docker login. In that case, it's impossible toread ~/.docker/config.json, so you must prepare the requiredbase64-encoded version of ${username}:${password} and create the Dockerconfiguration JSON manually. Open a terminal and execute the following command:

    Create the Docker JSON configuration content as follows:

Configure a job

Download Postgresql Docker Image

To configure a single job with access for registry.example.com:5000,follow these steps:

  1. Create a CI/CD variableDOCKER_AUTH_CONFIG with the content of theDocker configuration file as the value:

  2. You can now use any private image from registry.example.com:5000 defined inimage or services in your .gitlab-ci.yml file:

    In the example above, GitLab Runner looks at registry.example.com:5000 for theimage namespace/image:tag.

You can add configuration for as many registries as you want, adding moreregistries to the 'auths' hash as described above.

The full hostname:port combination is required everywherefor the runner to match the DOCKER_AUTH_CONFIG. For example, ifregistry.example.com:5000/namespace/image:tag is specified in the .gitlab-ci.yml file,then the DOCKER_AUTH_CONFIG must also specify registry.example.com:5000.Specifying only registry.example.com does not work.

Configuring a runner

If you have many pipelines that access the same registry, you shouldset up registry access at the runner level. Thisallows pipeline authors to have access to a private registry just byrunning a job on the appropriate runner. It also helps simplify registrychanges and credential rotations.

This means that any job on that runner can access theregistry with the same privilege, even across projects. If you need tocontrol access to the registry, you need to be sure to controlaccess to the runner.

To add DOCKER_AUTH_CONFIG to a runner:

  1. Modify the runner's config.toml file as follows:

    • The double quotes included in the DOCKER_AUTH_CONFIGdata must be escaped with backslashes. This prevents them from beinginterpreted as TOML.
    • The environment option is a list. Your runner mayhave existing entries and you should add this to the list, not replaceit.
  2. Restart the runner service.

Use a Credentials Store

To configure a Credentials Store:

  1. To use a Credentials Store, you need an external helper program to interact with a specific keychain or external store.Make sure the helper program is available in the GitLab Runner $PATH.

  2. Make GitLab Runner use it. There are two ways to accomplish this. Either:

    • Create aCI/CD variableDOCKER_AUTH_CONFIG with the content of theDocker configuration file as the value:

    • Or, if you're running self-managed runners, add the above JSON to${GITLAB_RUNNER_HOME}/.docker/config.json. GitLab Runner reads this configuration fileand uses the needed helper for this specific repository.

credsStore is used to access all the registries.If you use both images from a private registry and public images from Docker Hub,pulling from Docker Hub fails. Docker daemon tries to use the same credentials for all the registries.

Use Credential Helpers

Introduced in GitLab Runner 12.0.

As an example, let's assume that you want to use the aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latestimage. This image is private and requires you to log in into a private container registry.

To configure access for aws_account_id.dkr.ecr.region.amazonaws.com, follow these steps:

  1. Make sure docker-credential-ecr-login is available in the GitLab Runner $PATH.

  2. Have any of the following AWS credentials setup.Make sure that GitLab Runner can access the credentials.

  3. Make GitLab Runner use it. There are two ways to accomplish this. Either:

    • Create a CI/CD variableDOCKER_AUTH_CONFIG with the content of theDocker configuration file as the value:

      This configures Docker to use the Credential Helper for a specific registry.

      Instead, you can configure Docker to use the Credential Helper for all Amazon Elastic Container Registry (ECR) registries:

    • Or, if you're running self-managed runners,add the previous JSON to ${GITLAB_RUNNER_HOME}/.docker/config.json.GitLab Runner reads this configuration file and uses the needed helper for thisspecific repository.

  4. You can now use any private image from aws_account_id.dkr.ecr.region.amazonaws.com defined inimage and/or services in your .gitlab-ci.yml file:

    In the example, GitLab Runner looks at aws_account_id.dkr.ecr.region.amazonaws.com for theimage private/image:latest.

You can add configuration for as many registries as you want, adding moreregistries to the 'credHelpers' hash.

1. Introduction

In a previous article, we explained the difference between Docker images and Docker containers. In short: An image is like a Java class, and containers are like Java objects.

In this tutorial, we'll look at the various ways of removing Docker images.

2. Why Remove Docker Images?

The Docker Engine stores images and runs containers. For that purpose, the Docker Engine reserves a certain amount of disk space as a “storage pool” for images, containers, and everything else (such as global Docker volumes or networks).

Docker

Once that storage pool is full, the Docker Engine stops working: We can't create or download new images anymore, and our containers fail to run.

Docker images take up the majority of the Docker Engine storage pool. So we remove Docker images to keep Docker running.

We also remove images to keep our Docker Engine organized and clean. For instance, we can easily create dozens of images during development that we soon don't need anymore. Or, we download some software images for testing that we can dispose of later.

We can easily remove a Docker image that we pulled from a Docker repository: If we ever need it again, we'll just pull it from the repository once more.

But we have to be careful with Docker Images we created ourselves: Once removed, our own images are gone unless we saved them! We can save Docker images by pushing them to a repository or exporting them to a TAR file.

3. Downloading PostgreSQL 13 Beta Images

PostgreSQL is an open-source relational database. We'll use the first two PostgreSQL 13 beta Docker images as examples. These two images are relatively small, so we can download them quickly. And because they are beta software, we don't have them in our Docker Engine already.

We'll use the beta 2 image to create a container. We won't use the beta 1 image directly.

But before we download these two images, let's check first how much space Docker images take up in the storage pool:

Here's the output from a test machine. The first line shows that our 71 Docker images use 7.8 GB:

Now we download the two PostgreSQL images and recheck the Docker storage pool:

As expected, the number of images increased from 71 to 73. And the overall image size went from 7.8 GB to 8.1 GB.

We'll just show the first line for brevity:

4. Removing a Single Image

Let's start a container with the PostgreSQL 13 beta 2 image. We set secr3t as the password for the database root user because the PostgreSQL container won't start without one:

Here is the running container on the test machine:

Download

Now let's remove the PostgreSQL 13 beta 2 image. We use docker image rm to remove a Docker image. That command removes one or more images:

This command fails because a running container still uses that image:

So let's stop that running container by using its ID, which we obtained from docker ps:

We now try to remove the image again – and get the same error message: We can't remove an image used by a container, running or not.

So let's remove the container. Then we can finally remove the image:

The Docker Engine prints details of the image removal:

The docker system df confirms the removal: The number of images decreased from 73 to 72. And the overall image size went from 8.1 GB to 8.0 GB:

5. Removing Multiple Images by Name

Let's download the PostgreSQL 13 beta 2 image again that we just removed in the previous section:

Now we want to remove both the beta 1 image and the beta 2 image by name. We've only used the beta 2 image so far. As mentioned earlier, we're not using the beta 1 image directly, so we can just remove it now.

Unfortunately, docker image rm doesn't offer a filter option for removing by name. Instead, we'll chain Linux commands to remove multiple images by name.

We'll reference images by repository and tag, like in a docker pull command: The repository is postgres, the labels are 13-beta1-alpine and 13-beta2-alpine.

So, to remove multiple images by name, we need to:

  • List all images by repository and tag, such as postgres:13-beta2-alpine
  • Then, filter those output lines through a regular expression with the grep command: ^postgres:13-beta
  • And finally, feed those lines to the docker image rm command

What Is Docker

Let's start putting these together. To test for correctness, let's run just the first two of these pieces:

And on our test machine we get:

Now given that, we can add it to our docker image rm command:

As before, we can only remove images if no container, running or stopped, uses them. We then see the same image removal details as in the previous section. And docker system df shows that we're back to 71 images at 7.8 GB on the test machine:

This image removal command works in a terminal on Linux and Mac. On Windows, it requires the “Docker Quickstart Terminal” of the Docker Toolbox. In the future, the more recent Docker Desktop for Windows may work with this Linux command on Windows 10, too.

6. Removing Images by Size

Image

An excellent way to save disk space is to remove the largest Docker images first.

Now docker image ls can't sort by size, either. So, we list all images and sort that output with the sort command to view images by size:

which on our test machine outputs:

Next, we manually review to find what we want to remove. The ID, column three, is easier to copy and paste than the repository and tag, columns one and two. Docker allows removing multiple images in one go.

Let's say we want to remove nextcloud:latest and nextcloud:19.0.0-apache. Simply put, we can look at their corresponding IDs in our table and list them in our docker image rm command:

As before, we can only remove images not used by any container and see the usual image removal details. Now we're down to 69 images at 7.1 GB on our test machine:

7. Removing Images by Creation Date

Docker can remove images by their creation date. We'll use the new docker image prune command for that. Unlike docker image rm, it is designed to remove multiple images or even all images.

Now, let's remove all images created before July 7, 2020:

We still can only remove images not used by any container, and we still see the usual image removal details. This command removed two images on the test machine, so we're at 67 images and 5.7 GB on the test machine:

Another way to remove images by their creation date is to specify a time span instead of a cut-off date. Let's say we wanted to remove all images older than a week:

Note that the Docker filter option requires us to convert that time span into hours.

Docker Hub

8. Pruning Containers and Images

docker image prune bulk-removes unused images. It goes hand-in-hand with docker container prune, which bulk-removes stopped containers. Let's start with that last command:

This prints a warning message. We have to enter y and press Enter to proceed:

So on the test machine, this removed one stopped container.

Now we need need to discuss image relationships briefly. Our Docker images extend other images to gain their functionality, just as Java classes extend other Java classes.

Let's look at the top of the Dockerfile for the PostgreSQL beta 2 image to see what image it's extending:

So the beta 2 image uses alpine:3.12. That's why Docker implicitly downloaded alpine:3.12 when we pulled the beta 2 image at first. We don't see these implicitly downloaded images with docker image ls.

Now let's say we removed the PostgreSQL 13 beta 2 image. If no other Docker image extended alpine:3.12, then Docker would consider alpine:3.12 a so-called “dangling image”: A once implicitly downloaded image that's now not needed anymore. docker image prune removes these dangling images:

This command also requires us to enter y and press Enter to proceed:

On the test machine, this didn't remove any images.

docker image prune -a removes all images not used by containers. So if we don't have any containers (running or not), then this will remove all Docker images! That is a dangerous command indeed:

Download Postgresql Docker Image File

On the test machine, this removed all images. docker system df confirms that neither containers nor images are left:

9. Conclusion

Docker

In this article, we first saw how we could remove a single Docker image. Next, we learned how to remove images by name, size, or creation date. Finally, we learned how to remove all unused containers and images.

Docker Image Vs Container

Get started with Spring 5 and Spring Boot 2, through the Learn Spring course:

>> CHECK OUT THE COURSE