Gitlab-runner has 'access denied' when pushing built image

1
votes

I have a problem with pushing a built image with gitlab-runner to a gitlab repository.

My gitlab-ci.yml:

image: docker:latest
services:
- docker:dind

stages:
- build
- release

variables:
TEST_IMAGE: registry.gitlab.com/myhost/haproxy:$CI_COMMIT_REF_NAME
RELEASE_IMAGE: registry.gitlab.com/myhost/haproxy:latest

before_script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN gitlab.com

build:
stage: build
script:
- docker build --pull -t $TEST_IMAGE .
- docker push $TEST_IMAGE

release:
stage: release
script:
- docker pull $TEST_IMAGE
- docker tag $TEST_IMAGE $RELEASE_IMAGE
- docker push $RELEASE_IMAGE
only:
- master

The docker login works - I got "Login success" - but when it comes to the push operation I get:

$ docker push $TEST_IMAGE
The push refers to repository [registry.gitlab.com/myhost/haproxy]
d77ab2f42dd4: Preparing
c70258f465dd: Preparing
96b45c1aa07c: Preparing
28587e66f3e8: Preparing
21b59fc0e3a3: Preparing
9c46f426bcb7: Preparing
9c46f426bcb7: Waiting
denied: access forbidden
ERROR: Job failed: exit code 1

The runner is on my own server, and I'm pushing to gitlab.com

I have also checked on my local machine, executing in terminal commands like in the script - login, build and push - and everything works, but if I run locally with the runner, register it and get the job, I also get an access forbidden error.

So I think the problem is in runner, bo what. I compared the behaviour on a few versions of gitlab-runner from 10.6 to newest 11.0

Any ideas?

1
gitlab-cigitlab-ci-runner
Have you tried login right before push? Maybe it's a timeout? - Jakub Kania
Yes, I also tried loging in at build stage - it loged in - "Login success", then goes to push, and the same result :/ - Dariusz Luber
And are you sure you shouldn't log to registry.gitlab.com instead of gitlab.com? - Jakub Kania
Hmm, locally on Ubuntu if I loged in to gitlab.com it works, but at runner like you suggested I need to login to registry.gitlab.com. Also misled me that it shows "Loged in" in terminal. So the best solution is using build in variables: "docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY". Thans for help - I owe you a beer :) - Dariusz Luber
Because locally you're already logged in by different means so the docker login command doesn't do anything. - Jakub Kania

1 Answers

4
votes

So the problem was wrong registry address - it should be registry.gitlab.com

It misled me that it shows "Loged in" in terminal even without "registry" prefix, so the best solution is using build in variables during login in gitlab-ci.yml: 

docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY