Using Private Image in Pipeline

:hugs: Please help fill in this template with all the details to help others help you more efficiently. Use formatting blocks for code, config, logs and ensure to remove sensitive data.

Problem to solve

I am looking to use containers that are built in another repository within the same group in other CICD pipelines. I have a repo that is home to building containers used for things like linting.
WHen using the private image it tells me I need to login

ERROR: Job failed: failed to pull image "git.home.lan:505/prodprojects/dev-docker-containers/python-linting:latest" with specified policies [always]: Error response from daemon: pull access denied for git.home.lan:5050/prodprojects/dev-docker-containers/python-linting, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:250:0s)

Steps to reproduce

Using a private image in the image: tag in the .gitlab-ci.yml file

Configuration

stages:
  - lint
  - build
  - test
  - deploy


pylint:
  stage: lint
  image: $CI_REGISTRY/prodprojects/dev-docker-containers/python-linting:latest
  script:
    - python --version

flake8:
  stage: lint
  image: $CI_REGISTRY/prodprojects/dev-docker-containers/python-linting:latest
  script:
    - python --version

isort:
  stage: lint
  image: $CI_REGISTRY/prodprojects/dev-docker-containers/python-linting:latest
  script:
    - python --version

Right now im just using --version to validate before doing any linting

Versions

Please select whether options apply, and add the version information.

  • [X ] Self-managed
  • GitLab.com SaaS
  • [X ] Self-hosted Runners

Versions

  • GitLab (Web: /help or self-managed system information): v17.1.1-ee
  • GitLab Runner, if self-hosted (Web /admin/runners or CLI gitlab-runner --version): 17.1.0

Hi there,

Which installation did you use for GitLab Runner? Can you also share config.toml of your runner? (just make sure you hide any sensitive data)

Also, can you verify that docker pull git.home.lan:505/prodprojects/dev-docker-containers/python-linting:latest works on that server (VM) where your GitLab Runner is installed? (with your own personal credentials)

Hi!
As far as I know, you must authenticate with the private repository in order to get the image.
When we use a private repository we use a pre-script to authenticate to the repository and, in some cases, a post-script to logout from the repository.
I think that’s the expected default behaviour, not an error itself.

Best regards!

I know I need to authenticate to use private images. It’s not directly an error. I just don’t know how to specify a private image without needing to remote onto the box that has the runner authenticate and then trigger get labs to issue the job. I can’t use prescript, because it’s trying to load the image Before it can even execute any command.

Unless do I need to switch from using the docker executor and start using the shell executor?

I think you use case fit for a docker-in-docker (DinD) scenario.
In that scenario you can issue a docker login command after pull your private image.
But, there are some other ways (as I’m looking here: Run your CI/CD jobs in Docker containers | GitLab) to access a private repository images (Run your CI/CD jobs in Docker containers | GitLab)
Hope this helps you!

Hi,

docker executor is perfectly fine, I have the same setup and it worked out-of-the box.

It could be that due to the new CI_JOB_TOKEN restrictions, it is not allowed to pull the image. Please check the Settings > CI/CD > Token Access in your prodprojects/dev-docker-containers/python-linting project - it should either be disabled, or if enabled, then add the project in which you want to use the image.

Hope this helps :slight_smile:

2 Likes

Thank you both! I am going to try what you both recommended. I will post here with any updates or other issues. Thank you!