Inconsistent documentation for private registry support
Documentation for GitLab CI Runner 1.8 and GitLab 8.14, including the release announcement, suggests a different behaviour than actually implemented.
Steps to reproduce
- Read documentation on private registries support and on support for GitLab's Container Registry.
- Observe sentences like "These credentials will be automatically added to registries authorization parameters list."
- Imagine a global `.docker/config.json` automatically created by GitLab CI Runner from three sources on each build.
- Throw away all manual `docker login -u gitlab-ci-token -p ...` from
- Observe failing builds
Documentation and also the release announcement for 8.14 suggest that a common authentication pool is automatically created for docker instances inside the builds, which consists of `DOCKER_AUTH_CONFIG`, GitLab Container Registry credentials and also probably local `.docker/config.json`. The usual model of a "common authentication pool" in the Docker world is a `.docker/config.json`, so the assumption is that providing the credentials once, the registries are fully "open" inside the build, just like
It seems the idea is to provide credentials for build images only, i.e. those images used in `image:` directives in `.gitlab-ci.yml`. Any other image, pulled or pushed manually, must be authenticated separately as before. That means that all the `docker login -u gitlab-ci-token....` lines still exist in the configuration.
Apart from that, it seems that the original commit has been reverted and superseded by another implementation. This implementation does not, as far as I can see, create a pool of credentials but rather looks for the first available authentication pair for a particular image. This is of course an easy optimization if looking for authentication for a single image. However, this also precludes any attempt to implement a kind of global `.docker/config.json` to allow working freely with available registries.
The easiest fix would be to fix the documentation to stress explicitly that private registry and GitLab Container Registry support is only provided for automatically pulled images via `service:` directive. Base images, manual `docker pull` and `docker push` still need to be manually authenticated.
A nice-to-have fix would be to implement an authentication pool which would be valid for any docker actions in the complete build step, so that any `docker login`s can be skipped completely.
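
The two credential models contrasted in this report, as an added sketch that is not part of the original issue and is not GitLab Runner's code: a per-image first-match lookup next to a merged `.docker/config.json` pool written with owner-only permissions. The source order, the function names, the simplified registry-host parsing, and the hostnames and secrets are all assumptions constructed for illustration.

```python
import base64, json, os

def registry_of(image):
    """Registry host of an image reference (simplified: bare names map to docker.io)."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def basic_auth(user, secret):
    """An 'auths' entry in the format Docker's config.json uses."""
    return {"auth": base64.b64encode(f"{user}:{secret}".encode()).decode()}

def collect_sources(docker_auth_config, registry_host, job_token):
    """Ordered (name, auths) pairs; the order is an assumption of this sketch."""
    sources = []
    if docker_auth_config:
        sources.append(("DOCKER_AUTH_CONFIG", json.loads(docker_auth_config).get("auths", {})))
    if registry_host and job_token:
        sources.append(("job-token", {registry_host: basic_auth("gitlab-ci-token", job_token)}))
    return sources

def first_match(image, sources):
    """Per-image lookup: name of the first source with credentials for the image's registry."""
    host = registry_of(image)
    return next((name for name, auths in sources if host in auths), None)

def build_pool(sources):
    """Merge every source into one config.json body; earlier sources win on conflict."""
    pool = {}
    for _, auths in sources:
        for host, entry in auths.items():
            pool.setdefault(host, entry)
    return {"auths": pool}

def write_config(config, directory):
    """Write config.json readable by the owner only, since it holds credentials."""
    path = os.path.join(directory, "config.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh)
    return path

# Constructed sample input: hostnames and secrets are placeholders.
SAMPLE_AUTH_CONFIG = json.dumps({"auths": {"registry.example.com:5000": basic_auth("deploy", "s3cret")}})
SAMPLE_SOURCES = collect_sources(SAMPLE_AUTH_CONFIG, "gitlab.example.com:4567", "constructed-token")

if __name__ == "__main__":
    print(first_match("gitlab.example.com:4567/group/app:latest", SAMPLE_SOURCES))
    print(json.dumps(build_pool(SAMPLE_SOURCES), indent=2))
```

The first-match lookup answers only for the one image it is asked about, while the merged file is what a later `docker pull` or `docker push` inside the job would read.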