Using a private Docker Image from Gitlab Registry as the base image for CI

Martin Sadowski · Jul 8, 2016 · Viewed 8.4k times

How should I authenticate if I want to use an image from the Gitlab Registry as a base image of another CI build?

According to https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/configuration/advanced-configuration.md#using-a-private-docker-registry I first have to manually log in on the runner machine. Somehow it feels strange to log in with an existing Gitlab user.

Is there a way to use the CI variable "CI_BUILD_TOKEN" (which is described as "Token used for authenticating with the GitLab Container Registry") for authentication to pull the base image from Gitlab Registry?

EDIT: I found out that I can use images from public projects. But I don't really want to make my docker projects public.

UPDATE: Starting with Gitlab 8.14 you can just use the Docker images from the built-in Docker registry. See https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/configuration/advanced-configuration.md#support-for-gitlab-integrated-registry

Answer

charli · Dec 14, 2016

Now it's possible; they included that option months ago.

Use gitlab-ci-token as user and the variable $CI_BUILD_TOKEN as password.

This example works on GitLab 8.13.6. It builds the test image if needed, and in the next stage uses it to perform syntax checks:

build_test:
  stage: build_test_image
  script:
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY
    - docker build -t $CI_REGISTRY_IMAGE:test -f dockerfiles/test/Dockerfile .
    - docker push $CI_REGISTRY_IMAGE:test
  tags:
    - docker_build
  environment: test

test_syntax:
  image: $CI_REGISTRY_IMAGE:test
  stage: test
  script:
    - flake8 --ignore=E501,E265,E402 .

UPDATE: Re-reading the question, the accepted answer is correct. In my example, the job test_syntax will fail to authenticate to the registry unless the user logs in manually from the runner machine. It can work if the 2 runners are on the same host, but it's not the best solution anyway.

In gitlab-ci-multi-runner 1.8 there's an option to add the Registry credentials as a variable, so you only need to log in once to get the encoded credentials. See documentation.
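
The credentials-as-a-variable option mentioned in the answer above takes the same JSON that docker login writes to ~/.docker/config.json (the variable is called DOCKER_AUTH_CONFIG in GitLab's documentation). The following is an added example, not part of the original answer or of GitLab's code, that builds that value without a login on the runner host and checks which user an existing value belongs to. The function names, registry host, user and password are hypothetical, constructed samples.

```shell
#!/bin/sh
# Added example: build the JSON value for the runner's registry credentials
# variable. All names and sample values here are constructed for illustration.

# Encode "user:password" the way ~/.docker/config.json stores it.
# printf (not echo) keeps a trailing newline out of the encoded value,
# and tr strips the line wrapping some base64 implementations add.
encode_auth() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Emit {"auths":{"<registry>":{"auth":"<base64>"}}} for one registry.
# The registry name is restricted to host[:port] characters so it can be
# placed in the JSON without escaping.
make_docker_auth_config() {
    registry=$1 user=$2 password=$3
    case $registry in
        ''|*[!A-Za-z0-9.:-]*)
            echo "invalid registry: $registry" >&2
            return 1 ;;
    esac
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' \
        "$registry" "$(encode_auth "$user" "$password")"
}

# Report which user an encoded auth value belongs to, without printing
# the secret part (useful when auditing an existing variable).
auth_user() {
    printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Constructed sample run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    make_docker_auth_config registry.example.com:4567 deploy-user sample-password
fi
```

Store the resulting JSON as a protected or masked CI variable rather than in .gitlab-ci.yml, since the base64 value is only an encoding of the credential, not encryption.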