I am trying to push a Docker image to Google Cloud Registry via the GitLab CI pipeline.
The image builds, but when it's time to push to the registry I get the following error.
denied: Token exchange failed for project 'xxx-dev01-xxxxx'. Org Policy Violated: 'eu' violates constraint 'constraints/gcp.resourceLocations'
.gitlab.yaml
deploy:dev:
  allow_failure: true
  extends:
    - .prod
  stage: Deploy
  image: google/cloud-sdk
  services:
    - docker:dind
  variables:
    IMAGE_TAG: "eu.gcr.io/$PROJECT_ID/testapp"
  before_script:
    - echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
    - gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
    - gcloud config set project $DEV_PROJECT_ID
    - gcloud auth configure-docker
    - gcloud services enable containerregistry.googleapis.com
    - docker login -u _json_key --password-stdin https://eu.gcr.io < ${HOME}/gcloud-service-key.json
  script:
    - docker build . -t "$IMAGE_TAG"
    - docker push $IMAGE_TAG:latest
  when: manual
It seems to violate one of your Organisation Policies, the "resource location" one.
According to the documentation, it looks like your company is preventing you from storing data in this location (region).
https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations
You might want to try replacing eu.gcr.io with another one from this list.
https://cloud.google.com/container-registry/docs/pushing-and-pulling#add-registry
Related
I have a bitbucket-pipelines.yml file with the code below
image: atlassian/default-image:2
pipelines:
  branches:
    master:
      - step:
          name: Build And Publish To Azure
          services:
            - docker
          script:
            # Authenticate on Azure
            - docker login -u $AZURE_USER -p $AZURE_PASS myticket.azurecr.io
            # Build Docker Image
            - docker build -t myticket.azurecr.io/myticket .
            # Push to Azure
            - docker push myticket.azurecr.io/myticket
      - step:
          name: Push To Docker Hub
          services:
            - docker
          script:
            - docker logout
            # Authenticate on Docker
            # The below says Error: Cannot perform an interactive login from a non TTY device
            - docker login --username $DOCKER_HUB_USERNAME --password-stdin $DOCKER_HUB_PASSWORD
            # The below says invalid username or password
            # - echo $DOCKER_HUB_PASSWORD | docker login --username $DOCKER_HUB_USERNAME --password-stdin
            # Build Docker Image
            - docker build -t myticket.azurecr.io/myticket .
            # Push to Docker Hub
            - docker push isaachats/myticket:latest
I have added comments with the errors I am getting. What am I missing? I also tried adding hub.docker.com to the login line in step two, but it still failed. What am I doing wrong?
Either
docker login --username "$DOCKERHUB_USERNAME" --password "$DOCKERHUB_PASSWORD"
or
echo "$DOCKERHUB_PASSWORD" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin
should work just fine.
If you are seeing "invalid username or password" error messages, check those credentials again, they are most probably wrong. Rotating the token you are using should cut it.
I have 3 servers:
Gitlab
Gitlab Runner
Harbor Registry
When I run CI/CD on Gitlab, it cannot log in to Harbor Registry. This is the error.
Get https://172.21.5.247/v1/users/: x509: cannot validate certificate for 172.21.5.247 because it doesn't contain any IP SANs
When I try to log in to Docker on the Gitlab and Gitlab Runner servers, it succeeds. I added "insecure-registries" to both servers.
.gitlab-ci.yml file
image: docker:18-git
variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""
  DOCKER_HOST: tcp://localhost:2375
stages:
  - build
  - push
services:
  - name: docker:dind
    command: ["--insecure-registry=172.21.5.247:443"]
before_script:
  - echo $HARBOR_USERNAME
  - echo -n $HARBOR_PASSWORD | docker login -u $HARBOR_USERNAME -p $HARBOR_PASSWORD $HARBOR_REGISTRY
  - docker version
  - docker info
after_script:
  - docker logout $HARBOR_REGISTRY
Build:
  stage: build
  script:
    - docker pull $HARBOR_REGISTRY_IMAGE:latest || true
    - >
      docker build
      --pull
      --cache-from $HARBOR_REGISTRY_IMAGE:latest
      --tag $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA
Push_When_tag:
  stage: push
  only:
    - tags
  script:
    - docker pull $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - docker tag $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_SHA $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
    - docker push $HARBOR_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
It has an error in docker login.
Since the Harbor 2.2 minor release you are able to create a Harbor robot login;
afterwards write these credentials to Settings->CI/CD->Variables:
- HARBOR_ROBOT_USER (Important! you have to escape the $ in the robot username, e.g. robot$$myuser; a robot account name containing "$" will cause...)
- HARBOR_ROBOT_PASSWORD
Now you are able to use these variables in before_script as follows
  - HARBOR_ROBOT_PASSWORD=${HARBOR_ROBOT_PASSWORD}
  - HARBOR_ROBOT_USER=${HARBOR_ROBOT_USER}
  ## login process to harbor docker registry
  - echo $HARBOR_ROBOT_PASSWORD | docker login --username $HARBOR_ROBOT_USER --password-stdin ${HARBOR_REGISTRY}
I am having issues while I am pushing my docker image to my private GCP registry.
I created a new Service account with Owner role from Google Cloud Platform. Then I created a service key and copied the content of the json file (that I downloaded from the Service Account) in the $GCP_SERVICE_KEY variable in Gitlab CI/CD Variables.
This is my .gitlab-ci.yaml file:
image: python:3.6
stages:
  - push
before_script:
  - mkdir -p $HOME/.docker
  - echo "$GCP_SERVICE_KEY" >> "$HOME/.docker/config.json"
dockerpush:
  stage: push
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker build --build-arg MONGODB_URI=$MONGODB_URI -t my_image_name .
    - docker login -u _json_key --password-stdin https://gcr.io < $HOME/.docker/config.json
    - docker tag my_image_name eu.gcr.io/my_project_id/my_image_name
    - docker push eu.gcr.io/my_project_id/my_image_name
When I check the console logs, I see "Login succeeded". But I cannot push to my GCP registry. I checked the Project ID and the roles of my user; everything seems okay. So why do I still see the "unauthorized" error?
$ docker login -u _json_key -p "$GCP_SERVICE_KEY" https://gcr.io
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker tag my_image_name eu.gcr.io/my_project_id/my_image_name
$ docker push eu.gcr.io/my_project_id/my_image_name
The push refers to repository
Preparing
Preparing
unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials.
To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
You're logging in to https://gcr.io, but pushing to https://eu.gcr.io
Update your docker login command to https://eu.gcr.io
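The host mismatch in this answer (login to gcr.io, push to eu.gcr.io) can be caught before a job ever contacts a registry. The shell functions below are an added example, not code from any of the posts: `image_registry` applies Docker's rule for which part of an image reference names the registry (the first path component, but only if it contains a dot or a colon or is exactly `localhost`; otherwise the image lives on Docker Hub), and `login_matches_push` compares that with the `docker login` target. The same rule explains why `isaachats/myticket:latest` in the Bitbucket question goes to Docker Hub regardless of the Azure login, and why `10.11.12.41/...` further down targets an IP-addressed registry.

```shell
#!/bin/sh
# Added example: derive the registry host that `docker push` will contact from
# an image reference and compare it with the host passed to `docker login`.

# Docker's rule: the first path component is a registry only if it contains
# '.' or ':' or is exactly "localhost"; otherwise the image is on Docker Hub.
image_registry() {
  ref="$1"
  first="${ref%%/*}"
  if [ "$first" = "$ref" ]; then
    # single component such as "my_image_name" (optionally with a tag):
    # an official Docker Hub library image
    echo "docker.io"
    return 0
  fi
  case "$first" in
    *.*|*:*|localhost) echo "$first" ;;
    *)                 echo "docker.io" ;;
  esac
}

# Normalise a `docker login` target: drop the scheme and any path,
# keep host[:port]. A bare `docker login` means Docker Hub.
login_registry() {
  host="${1#https://}"
  host="${host#http://}"
  host="${host%%/*}"
  if [ -z "$host" ]; then
    host="docker.io"
  fi
  echo "$host"
}

# Returns 0 when the login target serves the image's registry, 1 otherwise.
# Usage: login_matches_push <login-target> <image-reference>
login_matches_push() {
  have=$(login_registry "$1")
  want=$(image_registry "$2")
  if [ "$have" = "$want" ]; then
    return 0
  fi
  echo "login target '$have' does not match push registry '$want' for $2" >&2
  return 1
}

# The case from this question: succeeds at login, fails at push.
login_matches_push "https://gcr.io" "eu.gcr.io/my_project_id/my_image_name" || true
```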
I am trying to teach my Gitlab Runner image to get custom builder images from my private Docker Registry (GCR running in the Google Cloud).
What did not work out?
I created a custom Gitlab Runner image with the ServiceAccount properly set. I started it in non-privileged mode but with the wormhole pattern (via docker.sock). On exec-ing into that container (which is based on gitlab/gitlab-runner:v11.3.0) I had to recognise that I cannot run any docker commands in there (neither as root nor as gitlab-user). How the gitlab-runner starts the builder containers afterwards is way above my cognitive capabilities. ;)
# got started via eu.gcr.io/my-project/gitlab-runner:0.0.5 which got taught the GCR credentials
stages:
  - build
build:
  image: eu.gcr.io/my-project/gitlab-builder-docker:0.0.2
  stage: build
  script:
    # only for test if I have access to private docker registry
    - docker pull eu.gcr.io/my-project/gitlab-builder-docker:0.0.1
What worked out?
According to this tutorial you can authenticate in a before_script block in your .gitlab-ci.yml files. That worked out.
# got started via gitlab/gitlab-runner:v11.3.0
stages:
  - build
before_script:
  - apk add --update curl python which bash
  - curl -sSL https://sdk.cloud.google.com | bash
  - export PATH="$PATH:/root/google-cloud-sdk/bin"
  - gcloud components install docker-credential-gcr
  - gcloud auth activate-service-account --key-file=/key.json
  - gcloud auth configure-docker --quiet
build:
  image: docker:18.03.1-ce
  stage: build
  script:
    # only for test if I have access to private docker registry
    - docker pull eu.gcr.io/my-project/gitlab-builder-docker:0.0.1
The Question
This means that I have to do this (install gcloud & authenticate) in each build run - I would prefer to have done this in the gitlab-runner image. Do you have an idea how to achieve this?
Finally I found a way to get this done.
Teach the vanilla gitlab-runner how to pull from your private GCR Docker Repo
GCP
Create Service account with no permissions in IAM & Admin
Download Json Key
Add Permissions in Storage Browser
Select bucket holding your images (eg eu.artifacts.my-project.appspot.com)
Grant permission Storage Object Admin to the service account
Local Docker Container
Launch a library/docker container and exec into it (with Docker Wormhole Pattern docker.sock volume mount)
Log in to GCR via the following (check the URL of your repo; in my case it's located in Europe, hence the eu prefix in the URL)
docker login -u _json_key --password-stdin https://eu.gcr.io < /etc/gitlab-runner/<MY_KEY>.json
Verify if it works via some docker pull <MY_GCR_IMAGE>
Copy the content of ~/.docker/config.json
Gitlab config.toml configuration
Add the following into your config.toml file
[[runners]]
  environment = ["DOCKER_AUTH_CONFIG={ \"auths\": { \"myregistryurl.com:port\": { \"auth\": \"<TOKEN-FROM-DOCKER-CONFIG-FILE>\" } } }"]
Vanilla Gitlab Runner Container
Run the runner eg like this
docker run -it \
  --name gitlab-runner \
  --rm \
  -v <FOLDER-CONTAINING-GITLAB-RUNNER-CONFIG-FILE>:/etc/gitlab-runner:ro \
  -v /var/run/docker.sock:/var/run/docker.sock \
  gitlab/gitlab-runner:v11.3.0
Your .gitlab-ci.yml file
Verify the done work via a .gitlab-ci.yml
Use an image which is located in your private GCP Container Registry
Teach your builder images how to push to your private GCR Docker Repo
GCP
Add permissions to your service account
Grant permission Storage Legacy Bucket Reader to your service account in the Storage Browser
Custom Docker Builder Image
Add your Service Account key file to your custom image
FROM docker:18.03.1-ce
ADD key.json /<MY_KEY>.json
Your .gitlab-ci.yml file
Add the following script into your before_script section
docker login -u _json_key --password-stdin https://eu.gcr.io < /key.json
Final Thoughts
Now the vanilla gitlab-runner can pull your custom images from your private GCR Docker Repo. Furthermore those pullable custom images are also capable of talking to your private GCR Docker Repo and eg push the resulting images of your build pipeline.
That was quite complicated stuff. Maybe Gitlab enhances the support for this use case in the future.
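The "Copy the content of ~/.docker/config.json" step and the <TOKEN-FROM-DOCKER-CONFIG-FILE> placeholder in the config.toml snippet can be reproduced without a throw-away container. The shell functions below are an added example, not the answer's own code; they assume Docker's documented behaviour when no credential helper is configured, namely that `docker login` stores base64("user:password") under `auths.<registry>.auth`, which for GCR means base64("_json_key:<key file contents>"). The key file created here is a constructed placeholder, not a real service account key.

```shell
#!/bin/sh
# Added example: reproduce the "auth" token that `docker login` writes to
# ~/.docker/config.json and wrap it as the DOCKER_AUTH_CONFIG value that the
# config.toml snippet expects. Assumption: no credential helper is in use, so
# docker stores base64("<user>:<password>"); for GCR the user is _json_key and
# the password is the whole service account key file.

# Print the base64 auth token for a user and a secret read from a file.
docker_auth_token() {
  user="$1"; secret_file="$2"
  # $(cat ...) drops the trailing newline, as --password-stdin does;
  # tr removes the line wrapping GNU base64 adds to long input.
  printf '%s:%s' "$user" "$(cat "$secret_file")" | base64 | tr -d '\n'
}

# Emit the JSON document for DOCKER_AUTH_CONFIG covering one registry host.
# Usage: docker_auth_config <registry-host> <token>
docker_auth_config() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$2"
}

# Quote the JSON for use inside a TOML string under [[runners]].
toml_environment_line() {
  escaped=$(printf '%s' "$1" | sed 's/"/\\"/g')
  printf 'environment = ["DOCKER_AUTH_CONFIG=%s"]\n' "$escaped"
}

# Decode a token and return its user part, to verify what was stored.
token_user() {
  printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Constructed placeholder key file (not a real service account key).
tmpkey=$(mktemp)
printf '%s\n' '{"type":"service_account","project_id":"my-project","private_key_id":"PLACEHOLDER"}' > "$tmpkey"
TOKEN=$(docker_auth_token _json_key "$tmpkey")
CONFIG=$(docker_auth_config eu.gcr.io "$TOKEN")
rm -f "$tmpkey"
toml_environment_line "$CONFIG"
```

The emitted line goes under `[[runners]]` in config.toml exactly as in the snippet above, with `eu.gcr.io` in place of `myregistryurl.com:port`.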
This example config worked for me in values.yaml:
config: |
  [[runners]]
    [runners.docker]
      image = "google/cloud-sdk:alpine"
    [runners.kubernetes]
      namespace = "{{.Release.Namespace}}"
      image = "google/cloud-sdk:alpine"
    [runners.cache]
      Type = "gcs"
      Path = "runner"
      Shared = true
      [runners.cache.gcs]
        BucketName = "runners-cache"
    [[runners.kubernetes.volumes.secret]]
      name = "service-account-credentials"
      mount_path = "keys"
      read_only = true
Where service-account-credentials is a secret containing credentials.json.
Then in .gitlab-ci.yml you can do:
gcloud auth activate-service-account --key-file=/keys/credentials.json
Hope it helps
Have you tried to use Google Cloud Build?
I had the same problem and solved it like this:
echo ${GCR_AUTH_KEY} > key.json
gcloud auth activate-service-account --key-file key.json
gcloud auth configure-docker
gcloud builds submit . --config=cloudbuild.yaml --substitutions _CI_PROJECT_NAME=$CI_PROJECT_NAME,_CI_COMMIT_TAG=${CI_COMMIT_TAG},_CI_PROJECT_NAMESPACE=${CI_PROJECT_NAMESPACE}
cloudbuild.yaml:
steps:
  - name: gcr.io/cloud-builders/docker
    id: builder
    args:
      - 'build'
      - '-t'
      - 'eu.gcr.io/projectID/$_CI_PROJECT_NAMESPACE-$_CI_PROJECT_NAME:$_CI_COMMIT_TAG'
      - '.'
  - name: gcr.io/cloud-builders/docker
    id: tag-runner-image
    args:
      - 'tag'
      - 'eu.gcr.io/projectID/$_CI_PROJECT_NAMESPACE-$_CI_PROJECT_NAME:$_CI_COMMIT_TAG'
      - 'eu.gcr.io/projectID/$_CI_PROJECT_NAMESPACE-$_CI_PROJECT_NAME:latest'
images:
  - 'eu.gcr.io/projectID/$_CI_PROJECT_NAMESPACE-$_CI_PROJECT_NAME:$_CI_COMMIT_TAG'
  - 'eu.gcr.io/projectID/$_CI_PROJECT_NAMESPACE-$_CI_PROJECT_NAME:latest'
Just use google/cloud-sdk:alpine as the image in the gitlab-ci stage.
I set up a private gitlab registry on a docker host. On the same host I'm trying to build test images and push them to said registry.
For some reason, this is not working. Here is my gitlab ci config:
stages:
  - build_testing
  - analytics
  - testing
  - build_deployment
variables:
  MYSQL_RANDOM_ROOT_PASSWORD: 'true'
  MYSQL_USER: 'dev'
  MYSQL_PASSWORD: 'dev'
  MYSQL_DATABASE: 'debitor_management_test'
# image: 10.11.12.41/laravel:v1
# services:
#   - name: mariadb:10.1
#     alias: mysql
image: docker:stable
services:
  - name: docker:dind
    command: ["--insecure-registry=10.11.12.41:443"]
build_testing:
  stage: build_testing
  script:
    - docker build -t 10.11.12.41/debitor_management_testing .
    - ping -c 5 10.11.12.41
    - docker push 10.11.12.41/debitor_management_testing
The ping command is working, but the docker push fails with
$ docker push 10.11.12.41/debitor_management_testing
The push refers to repository [10.11.12.41/debitor_management_testing]
Get https://10.11.12.41/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
ERROR: Job failed: exit code 1
How can I get this to work?
The error suggests that the CI runner cannot communicate with 10.11.12.41.
Every GitLab repository has an associated Container Registry for storing Docker images. You might be better off using that rather than running a custom registry for storing images. GitLab CI provides predefined variables to your CI jobs such as CI_REGISTRY, CI_REGISTRY_IMAGE, CI_REGISTRY_USER, and CI_REGISTRY_PASSWORD to help you access the registry associated with your repository.
If you use the built-in registry, you can write your build_testing job like the following.
build_testing:
  stage: build_testing
  script:
    - docker login --username $CI_REGISTRY_USER --password $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker image build --tag $CI_REGISTRY_IMAGE .
    - docker image push $CI_REGISTRY_IMAGE