Docker image can be pushed to one repo, but not another

I am using self-hosted GitLab 15.4.1.

I have a project called foo, and I have two GitLab groups with different names, let’s call them main and customer:

  • main/foo/
  • customer/foo/

I want to build Docker images and push them to the repository using, e.g., main/foo/foo:latest, but I also want to push customer-specific builds to the other repository, e.g. customer/foo/foo:latest.

I can build and tag an image using the following tag:

registry.example.com/main/foo/foo:latest

Using docker buildx, this is what I see in the end:

 => => pushing layers
 => => pushing manifest for registry.example.com/main/foo/foo:latest@sha256:3e6bdc2e8f24d0553d66eeab4f32e532c99034fd6a098c74799d7ff7192d618a
 => => pushing manifest for registry.example.com/main/foo/foo:v1.0.17@sha256:3e6bdc2e8f24d0553d66eeab4f32e532c99034fd6a098c74799d7ff7192d618a
 => [auth] main/foo/foo:pull,push token for registry.example.com

Now, when I instead instruct docker buildx to build and push an image for customer/foo/foo:latest, I get this output in the end:

 => => pushing layers
 => [auth] customer/foo/foo:pull,push token for registry.example.com
 => [auth] customer/foo/foo:pull,push token for registry.example.com
 => [auth] customer/foo/foo:pull,push token for registry.example.com
 => [auth] main/foo/foo:pull customer/foo/foo:pull,push token for registry.example.com
 => [auth] customer/foo/foo:pull,push token for registry.example.com
 => [auth] customer/foo/foo:pull,push token for registry.example.com
 => [auth] main/foo/foo:pull customer/foo/foo:pull,push token for registry.example.com
------
 > exporting to image:
------
ERROR: failed to solve: server message: insufficient_scope: authorization failed

To push, I am using a private token with read/write registry scope that is not tied to any particular project (I created it in my user account).

Why can’t I push the image with another tag? Curiously, I see the main/foo/foo:pull reference in the second build step despite me not ever specifying the main part during this build. I am essentially doing:

docker buildx create --name mybuilder --driver docker-container --bootstrap --use

docker buildx build \
  --platform linux/amd64,linux/arm64 \
  --push \
  -t "${REGISTRY}/${REGISTRY_IMAGE_PREFIX}/${imageNameLatest}" \
  .

Where REGISTRY_IMAGE_PREFIX is either main/foo or customer/foo.

Any ideas?


I can boil down the problem to:

$ docker pull hello-world:latest                                                                             
latest: Pulling from library/hello-world
7050e35b49f5: Pull complete 
Digest: sha256:18a657d0cc1c7d0678a3fbea8b7eb4918bba25968d3e1b0adebfa71caddbc346
Status: Downloaded newer image for hello-world:latest
docker.io/library/hello-world:latest
$ docker tag hello-world:latest registry.example.com/main/foo/foo:latest
$ docker push registry.example.com/main/foo/foo:latest
The push refers to repository [registry.example.com/main/foo/foo]
efb53921da33: Layer already exists 
foo: digest: sha256:432f982638b3aefab73cc58ab28f5c16e96fdb504e8c134fc58dff4bae8bf338 size: 525
$ docker tag hello-world:latest registry.example.com/customer/foo/foo:latest
$ docker push registry.example.com/customer/foo/foo:latest
The push refers to repository [registry.example.com/customer/foo/foo]
efb53921da33: Preparing 
denied: requested access to the resource is denied

Solved it, see this answer: GitLab Registry: Can push a Docker image to one repo, but not another - Stack Overflow

You must have the Repository feature enabled for the project. Having Container Registry alone is not enough.
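
To see where an insufficient_scope error like the one in this thread comes from, compare the scope the client requested (the `[auth]` lines) with the `access` claim inside the bearer token the registry's auth service issued. This is an added example, not part of the original posts. It assumes the Docker registry token format (a JWT whose payload carries an `access` list); the sample token is constructed, and the empty action list for customer/foo/foo is an assumption about what the server returned.

```python
import base64
import json


def granted_access(token):
    """Return {(type, name): set(actions)} from a registry bearer token.

    The signature is NOT verified: this is for diagnosis only, never for
    making an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    granted = {}
    for entry in claims.get("access") or []:
        key = (entry["type"], entry["name"])
        granted.setdefault(key, set()).update(entry.get("actions") or [])
    return granted


def parse_scope(scope):
    """Parse 'repository:main/foo/foo:pull repository:customer/foo/foo:pull,push'."""
    wanted = {}
    for item in scope.split():
        rtype, rest = item.split(":", 1)
        name, actions = rest.rsplit(":", 1)  # the name itself may contain ':'
        wanted.setdefault((rtype, name), set()).update(actions.split(","))
    return wanted


def missing_actions(scope, token):
    """Return {repository name: [actions requested but not granted]}."""
    granted = granted_access(token)
    missing = {}
    for key, actions in parse_scope(scope).items():
        lacking = actions - granted.get(key, set())
        if lacking:
            missing[key[1]] = sorted(lacking)
    return missing


def make_sample_token(access):
    """Build an unsigned, constructed token for the demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"access": access}), "constructed"])


# Scope taken from the failing build's [auth] line; token contents are constructed.
SAMPLE_SCOPE = "repository:main/foo/foo:pull repository:customer/foo/foo:pull,push"
SAMPLE_TOKEN = make_sample_token([
    {"type": "repository", "name": "main/foo/foo", "actions": ["pull"]},
    {"type": "repository", "name": "customer/foo/foo", "actions": []},
])
```

Calling `missing_actions(SAMPLE_SCOPE, SAMPLE_TOKEN)` reports pull and push as missing for customer/foo/foo, which points at the project's settings rather than at the personal token's scope.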