
Problem

I am pretty new to the CI/CD realm, and I’m trying to figure out how to get my project deployed/tested with it. But I’m running into some pretty simple problems.

I am trying to specify a container in a GitLab instance to use, and the CI jobs always seem to fail when pulling my Docker image. The errors change based on the image value I use, and I’m not clear which one is closer to being correct. I’m leaning towards "invalid reference format" being the correct one, but am unclear.

I have already verified that the project CI_TOKENs are enabled (-/settings/ci_cd/TOKEN ACCESS -> CI_JOB_TOKEN)

I have a feeling this may have to do with the port being explicitly set in the image path. But I’m not sure?

Error (#1): "invalid reference format"

default:
  image: gitlab-ci-token:${CI_JOB_TOKEN}@git.domain.tld:1234/path/to/<subgroup>/<project>/<container>:latest

Running with gitlab-runner 14.10.1 (f761588f) on <subgroup>-group nHMWApbD

00:00 - Resolving secrets
00:01 - Preparing the "docker" executor

Using Docker executor with image gitlab-ci-token:[MASKED]@git.domain.tld:1234/path/to/<subgroup>/<project>/<container>:latest ...
Pulling docker image gitlab-ci-token:[MASKED]@git.domain.tld:1234/path/to/<subgroup>/<project>/<container>:latest ...

WARNING: Failed to pull image with policy "always": 
   invalid reference format (manager.go:203:0s)

Error (#2): "requested access to the resource is denied"

default:
  image: <project>/<container>:latest

Running with gitlab-runner 14.10.1 (f761588f) on <subgroup>-group nHMWApbD

00:00 - Resolving secrets
00:01 - Preparing the "docker" executor

Using Docker executor with image <project>/<container>:latest ...
Pulling docker image <project>/<container>:latest ...

WARNING: Failed to pull image with policy "always": 
   Error response from daemon: 
      pull access denied for <project>/<container>, 
      repository does not exist or may require 'docker login': 
   denied: requested access to the resource is denied (manager.go:203:0s)

3 Answers


  1. Chosen as BEST ANSWER

    Answer

    The issue was that because I was using a private registry, the job was having trouble authenticating to it. The solution was to create a variable in Settings -> CI/CD -> Variables with a key value of DOCKER_AUTH_CONFIG.

    You can find the general format below, or you can look on your Local Host at ~/.docker/config.json to find the file contents that serve as the value for DOCKER_AUTH_CONFIG.

    NOTE

    Since the entire config value can't be masked, I opted to use a $VARIABLE in place of the Base64 encoded value bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=. This is better practice security-wise, since it allows you to mask the encoded form of your username:password in CI/CD logs.

    .gitlab-ci.yml

    default:
      image: 
        name: registry.example.com:5000/path/to/<project>/<container>:tag
        entrypoint: [""]
    

    Get the Base64 value of your username & password/token (from Local Host)

    # The use of printf (as opposed to echo) prevents encoding a newline in the password.
    printf "my_username:my_password" | openssl base64 -A
    
    # Example output to copy
    bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ=
    

    Set Variable : DOCKER_AUTH_B64 (In GitLab, Settings -> CI/CD -> Variables)

    DOCKER_AUTH_B64: "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
    

    Set Variable : DOCKER_AUTH_CONFIG (In GitLab, Settings -> CI/CD -> Variables)

    {
        "auths": {
            "registry.example.com:5000": {
                "auth": "$DOCKER_AUTH_B64"
            }
        }
    }
    

    Source
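
A pre-flight check for the setup in the answer above, as an added example that is not part of the original answers: it extracts the registry host:port from the `image:` value and verifies that the expanded DOCKER_AUTH_CONFIG has a matching `auths` key whose `auth` decodes to username:password with no stray newline. The function names and the exact-key matching rule are assumptions of this sketch, and the sample values are constructed from the placeholders on the page.

```python
import base64
import binascii
import json


def registry_of(image: str) -> str:
    """Return the registry host[:port] that an image reference points at."""
    first, slash, _ = image.partition("/")
    if "@" in first and slash:
        # user:secret@host/... is a URL habit, not a valid image reference
        raise ValueError("credentials embedded in image reference")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # no registry component: Docker Hub is assumed


def make_config(registry: str, userpass: bytes) -> str:
    """Build a DOCKER_AUTH_CONFIG value (helper for the constructed samples)."""
    auth = base64.b64encode(userpass).decode()
    return json.dumps({"auths": {registry: {"auth": auth}}})


def check_auth_config(config_json: str, image: str) -> list[str]:
    """List the problems that would stop `image` being pulled with this config."""
    registry = registry_of(image)  # raises ValueError on embedded credentials
    auths = json.loads(config_json).get("auths", {})
    if registry not in auths:
        return [f"no auths entry for {registry!r} (have: {sorted(auths)})"]
    auth = auths[registry].get("auth", "")
    if auth.startswith("$"):
        return [f"auth is an unexpanded variable reference: {auth}"]
    try:
        decoded = base64.b64decode(auth, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ["auth is not valid Base64 text"]
    problems = []
    user, sep, secret = decoded.partition(":")
    if not (user and sep and secret):
        problems.append("decoded auth is not in username:password form")
    if decoded != decoded.strip():
        problems.append("decoded auth has stray whitespace (echo instead of printf?)")
    return problems


# Constructed sample values, reusing the placeholders from the answer above.
IMAGE = "registry.example.com:5000/path/to/project/container:tag"
GOOD = make_config("registry.example.com:5000", b"my_username:my_password")
print(check_auth_config(GOOD, IMAGE))  # []
```

Run it against the expanded variable value, not the raw text stored in the GitLab UI; an image name without a registry component resolves to `docker.io`, which is why the second error in the question reports a missing repository.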


  2. You could use the second format with the following:

    job_name:
      image: $CI_REGISTRY/<project>/<container>:latest
    

    More on this and this.

  3. The problem is, as GitLab officially explains:

    If you use the always policy and the registry is not available, the job fails even if the desired image is cached locally.

    Solution

    After reading this guidance on the GitLab website, I changed the config.toml of gitlab-runner, adding a new line for pull_policy as follows:

    [[runners]]
      #....
      [runners.docker]
        pull_policy = ["if-not-present", "always"]
        #...
    