Develop Reference

Docker fails to push images to Google Cloud Registry

I am trying to push a Docker image to Google Cloud Registry via the GitLab ci pipeline.
The image builds but when its time to push to registry i get the following error.
denied: Token exchange failed for project 'xxx-dev01-xxxxx'. Org
Policy Violated: 'eu' violates constraint
'constraints/gcp.resourceLocations'
.gitlab.yaml
deploy:dev:
allow_failure: true
extends:
- .prod
stage: Deploy
image: google/cloud-sdk
services:
- docker:dind
variables:
IMAGE_TAG: "eu.gcr.io/$PROJECT_ID/testapp"
before_script:
- echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
- gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
- gcloud config set project $DEV_PROJECT_ID
- gcloud auth configure-docker
- gcloud services enable containerregistry.googleapis.com
- docker login -u _json_key --password-stdin https://eu.gcr.io < ${HOME}/gcloud-service-key.json
script:
- docker build . -t "$IMAGE_TAG"
- docker push $IMAGE_TAG:latest
when: manual

It seems to violate one of your Organisation Policy, the "resource location" one.
According to the documentation, it looks like your company is preventing you to store data into this location (region).
https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations
You might want to try to change the eu.gcr.io with another one from this list.
https://cloud.google.com/container-registry/docs/pushing-and-pulling#add-registry

CI/CD Gitlab with Harbor Registry

I have 3 server
Gitlab
Gitlab Runner
Harbor Registry
When I run CI/CD on Gitlab but it cannot login to Harbor Registry. This is error.
Get https://172.21.5.247/v1/users/: x509: cannot validate certificate for 172.21.5.247 because it doesn't contain any IP SANs
When I try login docker on server Gitlab and Gitlab Runner is successfully. I added "insecure-registries" to two server.
.gitlab.ci.yml file
image: docker:18-git
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
DOCKER_HOST: tcp://localhost:2375
stages:
- build
- push
services:
- name: docker:dind
command: ["--insecure-registry=172.21.5.247:443"]
before_script:
- echo $HARBOR_USERNAME
- echo -n $HARBOR_PASSWORD | docker login -u $HARBOR_USERNAME -p $HARBOR_PASSWORD $HARBOR_REGISTRY
- docker version
- docker info
after_script:
- docker logout $HARBOR_REGISTRY
Build:
stage: build
script:
- docker pull $HARBOR_REGISTRY_IMAGE:latest || true
- >
docker build
--pull
--cache-from $HARBOR_REGISTRY_IMAGE:latest
--tag $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA .
- docker push $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA
Push_When_tag:
stage: push
only:
- tags
script:
- docker pull $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA
- docker tag $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
- docker push $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
It have error in docker login.

Since Harbor 2.2 minor release you are able to create a harbor robot login,
afterwards write these credentials to Settings->CI/CD->Variables:
-HARBOR_ROBOT_USER (Important! you have to escape the $ in the robot username eg. robot$$myuser robot account name containing "$" will cause...)
-HARBOR_ROBOT_PASSWORD
Now you are able to use these Variables in before script as follows
- HARBOR_ROBOT_PASSWORD=${HARBOR_ROBOT_PASSWORD}
- HARBOR_ROBOT_USER=${HARBOR_ROBOT_USER}
## login process to harbor docker registry
echo $HARBOR_ROBOT_PASSWORD | docker login --username $HARBOR_ROBOT_USER --password-stdin ${HARBOR_REGISTRY}

Docker "Login succeeded" but still cannot push to GCP private registry

I am having issues while I am pushing my docker image to my private GCP registry.
I created a new Service account with Owner role from Google Cloud Platform. Then I created a service key and copied the content of the json file (that I downloaded from the Service Account) in the $GCP_SERVICE_KEY variable in Gitlab CI/CD Variables.
This my .gitlab-ci.yaml file:
image: python:3.6
stages:
- push
before_script:
- mkdir -p $HOME/.docker
- echo "$GCP_SERVICE_KEY" >> "$HOME/.docker/config.json"
dockerpush:
stage: push
image: docker:stable
services:
- docker:dind
script:
- docker build --build-arg MONGODB_URI=$MONGODB_URI -t my_image_name .
- docker login -u _json_key --password-stdin https://gcr.io < $HOME/.docker/config.json
- docker tag my_image_name eu.gcr.io/my_project_id/my_image_name
- docker push eu.gcr.io/my_project_id/my_image_name
When I check the console logs, I see "Login succeeded". But I cannot push to my GCP registry. I checked the Project ID, Roles of my user, everything seems okay. But why do I still see the "unauthorized "error?
$ docker login -u _json_key -p "$GCP_SERVICE_KEY" https://gcr.io
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker tag my_image_name eu.gcr.io/my_project_id/my_image_name
$ docker push eu.gcr.io/my_project_id/my_image_name
The push refers to repository
Preparing
Preparing
unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials.
To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

You're logging in to https://gcr.io, but pushing to https://eu.gcr.io
Update your docker login command to https://eu.gcr.io

Selfhosted gitlab, CI docker login fails with the message denied: access forbidden

From my local PC, I can login fine into the Repo, but when I try to log in from within the CI in gitlab, it always fails with the message denied: access forbidden.
This is the output from the CI:
-----
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gitlab.domain.nl:5002/v2/: denied: access forbidden
----
This is my project file:
# Official docker image.
image: docker:latest
services:
- docker:dind
build-master:
stage: build
script:
- docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN gitlab.domain.nl:5002
only:
- master

If your GitLab instance is up to date, you should use the CI_REGISTRY_* variables for all parts of the docker login ….
docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
See GitLab CI/CD Variables for details.

Ideally the answer is the same as mentioned above
docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
But i have encountered the issue from docker registry side. Make sure your registry is configured with valid ssl certificate. https://docs.docker.com/registry/deploying/#get-a-certificate.
Check with
curl https://<$CI_REGISTRY>/v2/
Which should return
{}
And you should also need to add this variable in Project settings.
DOCKER_AUTH_CONFIG : <paste the contents of ~/.docker/config.json>
I think this should solve the issue.

docker login using -p gives error, and when I switch to --password-stdin like it recommends still gives error - gitlab-ci

I have a docker registry setup on my gitlab server. Here is my .gitlab-ci.yml file:
image: docker:18.05.0-ce
services:
- docker:dind
stages:
- build
- test
- release
variables:
TEST_IMAGE: http://my.gitlab.ip:4444/path/to/project:$CI_COMMIT_REF_NAME
RELEASE_IMAGE: http://my.gitlab.ip:4444/path/to/project:latest
before_script:
- docker login -u $USERNAME -p $PASSWORD http://my.gitlab.ip:4444
build:
stage: build
script:
- docker build --pull -t $TEST_IMAGE .
- docker push $TEST_IMAGE
# ...
# more commands
I am using a secret variable for my username and password. When I push code and the runner runs through this file, I get the following error:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://my.gitlab.ip:4444/v2/: http: server gave HTTP response to HTTPS client
So I tried using --password-stdin instead like this:
docker login -u $USERNAME --password-stdin $PASSWORD http://my.gitlab.ip:4444
And I get this error:
"docker login" requires at most 1 argument.
See 'docker login --help'.
Usage: docker login [OPTIONS] [SERVER] [flags]
Edit:
I have also tried this for my docker login command:
docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
and received this error:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://my.gitlab.ip:4444/v2/: http: server gave HTTP response to HTTPS client
I have made the following changes on my gitlab server:
In /etc/default/docker:
DOCKER_OPTS="--insecure-registry http://my.gitlab.ip:4444"
In /etc/docker/daemon.json:
{
"insecure-registries" : ["http://my.gitlab.ip:4444"]
}
I have also done the same on my gitlab runner (different server).
Why is it showing that I'm using https in the error and how do I change it to http?

I'm not sure when you set this up, but there is an updated permission model after GitLab 8.12 when using GitLab runners and logging into the GitLab Container registry.
As per the docs, you can do:
before_script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

Not sure if you already resolved your issue, but while searching for the difference of the login options (and best practises) I noticed your error is actually not even about that, is it?
The error we see is the following:
Error response from daemon: Get https://my.gitlab.ip:4444/v2/: http: server gave HTTP response to HTTPS client
but in your .gitlab-ci.yml file you list https://my.gitlab.ip:4444/v2/ as your URL. While this doesn't have to be related, it seems to me that ssl is missing somewhere, e.g. http vs https.

According to gitlab docs --password-stdin is a flag not a command line variable. In the example provided the password was being read from a file not directly through command line.