Building docker image with dependency proxy results in 401 Unauthorized

jonathan.channon · June 24, 2022, 11:10am

I am trying to use Gitlab’s dependency proxy like so:


.build:
  stage: build
  image: $CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX/docker:latest
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_DRIVER: overlay2
    DOCKER_BUILDKIT: 1
    GIT_DEPTH: 0
  before_script:
    - docker login -u $CI_DEPENDENCY_PROXY_USER -p $CI_DEPENDENCY_PROXY_PASSWORD $CI_DEPENDENCY_PROXY_SERVER
  services:
    - name: $CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX/docker:dind
      alias: docker
  dependencies:
    - version
    - tests
  script:
    - |
      # generate tags
      export CI_APP_IMAGE_VERSION="$CI_REGISTRY_IMAGE:$CI_APP_VERSION_PACKAGE"
      export CI_APP_IMAGE_COMMIT="$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      export CI_APP_IMAGE_COMMIT_BEFORE="$CI_REGISTRY_IMAGE:$CI_COMMIT_BEFORE_SHA"
      
      # build
      docker build \
        --cache-from "$CI_APP_IMAGE_COMMIT_BEFORE" \
        --cache-from "$CI_APP_IMAGE_COMMIT" \
        --build-arg GITLAB_DEPENDENCY_PROXY=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX} \
        --build-arg BUILDKIT_INLINE_CACHE=1 .

As you can see we pass the proxy in via --build-arg

Inside Dockerfile I have:

ARG GITLAB_DEPENDENCY_PROXY
ARG BUILDER_IMG=${GITLAB_DEPENDENCY_PROXY}/mcr.microsoft.com/dotnet/sdk:6.0-alpine

FROM $BUILDER_IMG AS build

...

The output results in:

#3 [internal] load metadata for gitlab.com:443/mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:6.0-alpine
#3 sha256:88c2b0277997088cfa864cbeb61f92524562bb631e26f06fbebf0222fcc29696
#3 ...
#4 [auth] mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:pull token for gitlab.com:443
#4 sha256:6472ebd8f35f6eeba68ecb77cb905c5f295a54312eb42106c5fc1817205c8c4e
#4 DONE 0.0s
#3 [internal] load metadata for gitlab.com:443/mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:6.0-alpine
#3 sha256:88c2b0277997088cfa864cbeb61f92524562bb631e26f06fbebf0222fcc29696
#3 ERROR: unexpected status code [manifests 6.0-alpine]: 401 Unauthorized
------
 > [internal] load metadata for gitlab.com:443/mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:6.0-alpine:
------
failed to solve with frontend dockerfile.v0: failed to create LLB definition: unexpected status code [manifests 6.0-alpine]: 401 Unauthorized

This is using Gitlab shared runners so no self hosting or registered runners.

Any ideas why I get this error as I believe this config is correct

jonathan.channon · June 24, 2022, 11:37am

I found the answer was Gitlab Dependency Proxy doesn not support mcr.microsoft.com as it sees it as another container registry which it doesn’t support and only Dockerhub

nigelgbanks · September 2, 2022, 3:32pm

I’ve seen this as well, but with Docker Hub. It comes and goes with time, I suspect the proxy is making some requests to Docker Hub, which occasionally run up against its limit.