Building docker image with dependency proxy results in 401 Unauthorized

I am trying to use Gitlab’s dependency proxy like so:


.build:
  stage: build
  image: $CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX/docker:latest
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_DRIVER: overlay2
    DOCKER_BUILDKIT: 1
    GIT_DEPTH: 0
  before_script:
    - docker login -u $CI_DEPENDENCY_PROXY_USER -p $CI_DEPENDENCY_PROXY_PASSWORD $CI_DEPENDENCY_PROXY_SERVER
  services:
    - name: $CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX/docker:dind
      alias: docker
  dependencies:
    - version
    - tests
  script:
    - |
      # generate tags
      export CI_APP_IMAGE_VERSION="$CI_REGISTRY_IMAGE:$CI_APP_VERSION_PACKAGE"
      export CI_APP_IMAGE_COMMIT="$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      export CI_APP_IMAGE_COMMIT_BEFORE="$CI_REGISTRY_IMAGE:$CI_COMMIT_BEFORE_SHA"
      
      # build
      docker build \
        --cache-from "$CI_APP_IMAGE_COMMIT_BEFORE" \
        --cache-from "$CI_APP_IMAGE_COMMIT" \
        --build-arg GITLAB_DEPENDENCY_PROXY=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX} \
        --build-arg BUILDKIT_INLINE_CACHE=1 .
      

As you can see we pass the proxy in via --build-arg

Inside Dockerfile I have:

ARG GITLAB_DEPENDENCY_PROXY
ARG BUILDER_IMG=${GITLAB_DEPENDENCY_PROXY}/mcr.microsoft.com/dotnet/sdk:6.0-alpine

FROM $BUILDER_IMG AS build

...

The output results in:

#3 [internal] load metadata for gitlab.com:443/mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:6.0-alpine
#3 sha256:88c2b0277997088cfa864cbeb61f92524562bb631e26f06fbebf0222fcc29696
#3 ...
#4 [auth] mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:pull token for gitlab.com:443
#4 sha256:6472ebd8f35f6eeba68ecb77cb905c5f295a54312eb42106c5fc1817205c8c4e
#4 DONE 0.0s
#3 [internal] load metadata for gitlab.com:443/mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:6.0-alpine
#3 sha256:88c2b0277997088cfa864cbeb61f92524562bb631e26f06fbebf0222fcc29696
#3 ERROR: unexpected status code [manifests 6.0-alpine]: 401 Unauthorized
------
 > [internal] load metadata for gitlab.com:443/mygroup/dependency_proxy/containers/mcr.microsoft.com/dotnet/sdk:6.0-alpine:
------
failed to solve with frontend dockerfile.v0: failed to create LLB definition: unexpected status code [manifests 6.0-alpine]: 401 Unauthorized

This is using Gitlab shared runners so no self hosting or registered runners.

Any ideas why I get this error as I believe this config is correct

I found the answer was Gitlab Dependency Proxy doesn not support mcr.microsoft.com as it sees it as another container registry which it doesn’t support and only Dockerhub

I’ve seen this as well, but with Docker Hub. It comes and goes with time, I suspect the proxy is making some requests to Docker Hub, which occasionally run up against its limit.