Instructions for pushing to private Docker repositories do not work

We need a MariaDB image with a couple of customisations, notably installation of a few packages. I’ve tried avoiding the need of a custom image for a long time, but now the situation has more-or-less become unavoidable.

I realise I can build a custom image in Gitlab, and use its own repository to host the image. Build and Push Images using Gitlab CI mentions it can be done with a deploy token.

So, I’ve created a private repository in Gitlab, with the following two files:

# .gitlab-ci.yml

image: docker:latest

services:
  - docker:dind

build:
  stage: build
  script:
    - docker build -t registry.gitlab.com/GROUP/PROJECT .
    # ${TOKEN_NAME} and ${TOKEN_PW} from
    # https://gitlab.com/help/user/profile/personal_access_tokens.md
    - docker login registry.gitlab.com -u ${TOKEN_NAME} -p ${TOKEN_PW}
    - docker push registry.gitlab.com/GROUP/PROJECT

and

# Dockerfile
FROM mariadb:10.4

ARG PRIV_REPO="http://host.example.com/pub/repo stretch main"

RUN dpkg-divert --add /bin/systemctl \
	&& ln -sT /bin/true /bin/systemctl \
	&& echo "deb [trusted=yes] ${PRIV_REPO}" \
		> /etc/apt/sources.list.d/repo.list \
	&& apt-get update \
	&& apt-get install -y mariadb-plugin-connect \
				lib-mysqludf-sys

The CI build fails with denied: requested access to the resource is denied. What did I do wrong?

Maybe this will work (source):

test:
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker pull $CI_REGISTRY/group/other-project:latest
    - docker run $CI_REGISTRY/group/other-project:latest

That nailed it. In particular, replacing the log-in step with docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY did the trick.

I now get the following:

$ docker push registry.gitlab.com/GROUP/PROJECT
+ docker push registry.gitlab.com/GROUP/PROJECT
The push refers to repository [registry.gitlab.com/GROUP/PROJECT]
latest: digest: sha256:7bd9fef0f0b51c7f95993b6838d437b381440d114876069543ff5c97dee4141e size: 3453
Job succeeded

enjoy :grinning:
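
The job-token login that resolved this thread, written out as a complete build job. This is an added example, not part of any post above. It assumes GitLab's predefined variables CI_REGISTRY_IMAGE and CI_COMMIT_SHORT_SHA and Docker's --password-stdin option, none of which appear in the thread.

```yaml
# .gitlab-ci.yml (added example, not taken from the thread)
image: docker:latest

services:
  - docker:dind

build:
  stage: build
  script:
    # Pass the job token on stdin rather than with -p, so the secret is not
    # part of the docker command line (process list, shell trace output).
    - echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin "$CI_REGISTRY"
    # CI_REGISTRY_IMAGE expands to this project's own registry path, so the
    # image name cannot drift from the project the job token is issued for.
    # Tagging with the commit SHA (assumed convention) keeps each build
    # traceable; latest is pushed as well, as in the original job.
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" -t "$CI_REGISTRY_IMAGE:latest" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    - docker push "$CI_REGISTRY_IMAGE:latest"
```

The job token is created per job and expires when the job ends, so nothing long-lived has to be stored in CI/CD variables for a push to the project's own registry.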