CICD variable to disable dependency proxy
Summary
Since Docker Hub has a strict rate limit for pulling images, I want to use a cached mirror, specifically Google's public mirror, to build the images.
Dependency Proxy doesn't support pulling images from a mirror (unless we configure a generic HTTP(S) proxy with caching enabled, but this is not for pulling from mirrors and will affect features other than Dependency Proxy as well, which is not ideal). To use a registry mirror, the best option I have is to disable Dependency Proxy at group level and configure mirrors directly on the build system.
For buildah-based builds, my runners have been configured to mount /etc/containers/registries.conf.d/000-default-mirrors.conf from the host machine to all build containers automatically, with the following content:
# Snippet of docker-autoscaler runner configuration
[runners.docker]
volumes = [
'/certs/client',
'/cache',
'/etc/containers/registries.conf.d/000-default-mirrors.conf:/etc/containers/registries.conf.d/000-default-mirrors.conf:ro'
]
# /etc/containers/registries.conf.d/000-default-mirrors.conf
[[registry]]
blocked = false
insecure = false
location = 'docker.io'
[[registry.mirror]]
insecure = false
location = 'mirror.gcr.io'
pull-from-mirror = 'all'
[[registry]]
blocked = false
insecure = false
location = 'registry-1.docker.io'
prefix = '*.docker.io'
[[registry.mirror]]
insecure = false
location = 'mirror.gcr.io'
pull-from-mirror = 'all'
What is the current bug behavior?
For some reason, the variable CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX is still available after disabling Dependency Proxy in the group settings (this may be worth opening an issue at gitlab-org/gitlab?). So the configuration for Dependency Proxy in /etc/containers/registries.conf.d/dependency-proxy.conf will always override the configuration of the runner.
As a result, the runners will always try to pull directly from Docker Hub and hit the rate limit fairly quickly.
This issue is not caused by this project per se. But some simple modifications of the pipeline would really help resolve the issue until CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX is no longer populated when Dependency Proxy is disabled.
Environment Information
GitLab Instance
- OS: Debian 13 Trixie
- GitLab version: 18.8.2-ee.0 (Omnibus package)
GitLab Runner
- OS: Google Container-optimized OS (latest image from image family cos-stable)
- GitLab Runner helper image: registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v18.8.0
- Internet traffic uses a shared NAT with single static IP address
Workaround
The simplest way is to rename the registries config file to something terrible like zzz.conf. But I still want to allow other projects to override these settings, so this is not optimal.
Another janky workaround is to add configuration to mirror images that match docker.io/library.
[[registry]]
blocked = false
insecure = false
location = 'docker.io/library'
[[registry.mirror]]
insecure = false
location = 'mirror.gcr.io/library'
pull-from-mirror = 'all'
This works for this project as all Docker Hub images this project referenced are under docker.io/library.
Possible fixes
In the CI YAML file, rather than only detecting CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX, use a new variable to decide whether the Dependency Proxy configuration is created or not.
By doing so, we can simply add a project variable, like DISABLE_DEPENDENCY_PROXY, to disable that feature.
--- .gitlab-ci.old.yml 2026-01-27 15:51:36.284437560 +0800
+++ .gitlab-ci.yml 2026-01-27 15:52:04.741652596 +0800
@@ -183,7 +183,7 @@
# Supporting GitLab dependency proxies:
# see https://docs.gitlab.com/ee/user/packages/dependency_proxy/
- |
- if [ -n "$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX" ]; then
+ if [ -n "$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX" ] && [ -z "$DISABLE_DEPENDENCY_PROXY" ]; then
echo "Detected GitLab Dependency Proxy at '$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX', configuring it for buildah ..."
cat > /etc/containers/registries.conf.d/dependency-proxy.conf <<EOF
[[registry]]
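Review bot: on the changed `if` line, `[ -z "$DISABLE_DEPENDENCY_PROXY" ]` treats any non-empty value as "disabled", so setting `DISABLE_DEPENDENCY_PROXY` to `false` or `0` would also skip the proxy configuration. Consider comparing against an explicit value, for example `[ "$DISABLE_DEPENDENCY_PROXY" != "true" ]`, and mention the new variable in the "Supporting GitLab dependency proxies" comment above the block so users can find it. The skip path is also silent: when the prefix is set but the new variable suppresses it, an echo saying the Dependency Proxy was detected but not configured would make job logs easier to read.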