GitLab CI Docker template credentials

In my project under Repository, I choose to create a new file, from the .gitlab-ci.yml | Docker template provided by GitLab.

It looks like this:

# This file is a template, and might need editing before it works on your project.
# Official docker image.
image: docker:latest

services:
  - docker:dind

before_script:
  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY

build-master:
  stage: build
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE" .
    - docker push "$CI_REGISTRY_IMAGE"
  only:
    - master

build:
  stage: build
  script:
    - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
  except:
    - master

I choose to make this repository public. When GitLab CI runs, it produces the warning after Docker login:

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

What does this mean? Does this mean anyone who downloads my public images build from this process has my GitLab Docker Container Registry password and can replace my images?

If so, how can you prevent this? If not, is this process secure by default for public repositories and safe to ignore the warning?

Your docker login line will show two warnings, not one.

The first one is this:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

This can be resolved by changing the login command to:

echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

The second is the line from your question.

WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

When running Docker on a user machine, such as a developer’s laptop, it is highly recommended to use a credentials store. However, no credential stores are available in the docker:latest image. Assuming you are using a Docker runner, such as one of GitLab’s own shared runners, this is not an issue, as the docker container running your CI job will be discarded afterwards. Also, afaik the $CI_REGISTRY_PASSWORD token is discarded after the job has finished anyway.

I do hope I am or will be wrong someday, because the warning is pretty annoying. However, I’m pretty sure this answer is correct at the time of writing.

Good to know. This is running on GitLab’s shared runners as a CI pipeline job, so by the sounds of things the credentials don’t propagate through to the published docker image, nor the pipeline job logs and are destroyed together with the completed CI job, so this warning can be safely ignored.
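As an added illustration of what "stored unencrypted" means (this is not code from the question, the answer, or GitLab's template): the Python audit below reads a Docker config.json and reports, per registry, whether the credential sits inline as base64 (readable by anything that can read the file) or is delegated to a credential helper. The file contents, registry name and token value are constructed placeholders.

```python
import base64
import json

# Constructed sample of the /root/.docker/config.json that `docker login`
# writes inside the job container (not taken from a real runner). The
# registry and token values are placeholders.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "registry.gitlab.com": {
            "auth": base64.b64encode(b"gitlab-ci-token:PLACEHOLDER-JOB-TOKEN").decode(),
        }
    }
})

# Same file on a developer laptop where a credential helper is configured:
# the helper holds the secret and config.json keeps only an empty entry.
SAMPLE_CONFIG_WITH_STORE = json.dumps({
    "auths": {"registry.gitlab.com": {}},
    "credsStore": "osxkeychain",
})


def audit_docker_config(config_text):
    """Report how each registry's credential is held in a Docker config.json.

    An 'auth' value is base64("user:password"): reversible encoding, not
    encryption, which is what the CLI warning is about. Returns a dict with
    the credsStore name (if any) and registry -> 'inline' (secret readable
    from the file), 'helper' (delegated to credsStore/credHelpers) or 'none'.
    """
    cfg = json.loads(config_text)
    store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers", {})
    report = {"creds_store": store, "registries": {}}
    for registry, entry in cfg.get("auths", {}).items():
        if "auth" in entry:
            # Decode only to confirm the user:password shape; never log it.
            _user, sep, _secret = base64.b64decode(entry["auth"]).decode().partition(":")
            report["registries"][registry] = "inline" if sep else "malformed"
        elif store or registry in helpers:
            report["registries"][registry] = "helper"
        else:
            report["registries"][registry] = "none"
    return report


def inline_credential_registries(config_text):
    """Registries whose secret any reader of config.json can recover."""
    report = audit_docker_config(config_text)
    return sorted(r for r, how in report["registries"].items() if how == "inline")
```

Running it against the config left behind by the template's `docker login` flags the registry as inline, which is why the job container being discarded (or a `docker logout` in `after_script`) is what actually bounds the exposure.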