Inconsistent documentation for private registry support
Summary
Documentation for GitLab CI Runner 1.8 and GitLab 8.14, including the release announcement, suggests a different behaviour than actually implemented.
Steps to reproduce
- Read documentation on private registries support and on support for GitLab's Container Registry.
- Observe sentences like "These credentials will be automatically added to registries authorization parameters list."
- Imagine a global .docker/config.json automatically created by GitLab CI Runner from three sources on each build.
- Throw away all manual docker login -u gitlab-ci-token -p ... from .gitlab-ci.yml
- Observe failing builds
Expected behavior
Documentation and also the release announcement for 8.14 suggest that a common authentication pool is automatically created for docker instances inside the builds, which consists of DOCKER_AUTH_CONFIG, GitLab Container Registry credentials and also probably local .docker/config.json. The usual model of a "common authentication pool" in the Docker world is a .docker/config.json, so the assumption is that, once the credentials are provided, the registries are fully "open" inside the build, just like docker.io is.
Actual behavior
It seems the idea is to provide credentials for build images only, i.e. those images used in image: directives in .gitlab-ci.yml. Any other image, pulled or pushed manually, must be authenticated separately as before. That means that all the docker login -u gitlab-ci-token.... lines still exist in the configuration.
Apart from that, it seems that the original commit has been reverted and superseded by another implementation. This implementation does not, as far as I can see, create a pool of credentials but rather looks for the first available authentication pair for a particular image. This is of course an easy optimization if looking for authentication for a single image. However, this also precludes any attempt to implement a kind of global .docker/config.json to allow working freely with available registries.
Possible fixes
The easiest fix would be to fix the documentation to stress explicitly that private registry and GitLab Container Registry support is only provided for automatically pulled images via image: and service: directives. Base images, manual docker pull and docker push still need to be manually authenticated.
A nice-to-have fix would be to implement an authentication pool which would be valid for any docker actions in the complete build step, so that any docker logins can be skipped completely.
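The difference between the per-image lookup and the credential pool described in this issue, as an added example that is not part of the original report and is not GitLab Runner's code. The source names, their order of precedence, the registry hosts and the secrets are assumptions constructed for illustration; only the config.json "auths" layout is Docker's own.

```python
import base64
import json

def encode_auth(user, password):
    """Docker stores credentials as base64("user:password") in the "auth" field."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def auths_from(config_json):
    """Parse config.json-style text into {registry host: (user, password)}."""
    out = {}
    for host, entry in json.loads(config_json or "{}").get("auths", {}).items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        out[host] = (user, password)
    return out

def registry_of(image):
    """Registry host of an image reference; docker.io when none is given."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def first_match(image, sources):
    """Per-image lookup: first source holding credentials for this image's registry."""
    host = registry_of(image)
    for name, auths in sources:
        if host in auths:
            return name, auths[host]
    return None

def pooled_config(sources):
    """Pool: merge all sources into one config.json text (earlier sources win)."""
    merged = {}
    for _, auths in sources:
        for host, (user, password) in auths.items():
            merged.setdefault(host, {"auth": encode_auth(user, password)})
    return json.dumps({"auths": merged}, sort_keys=True)

# Constructed sample data; hosts, users and secrets are placeholders.
SOURCES = [
    ("DOCKER_AUTH_CONFIG", auths_from(json.dumps(
        {"auths": {"registry.example.com": {"auth": encode_auth("deploy", "constructed-secret")}}}))),
    ("container-registry", {"gitlab.example.com:4567": ("gitlab-ci-token", "constructed-build-token")}),
    ("local config.json", auths_from('{"auths": {}}')),
]

if __name__ == "__main__":
    print(first_match("gitlab.example.com:4567/group/app:latest", SOURCES))
    print(pooled_config(SOURCES))
```

The first call yields one credential pair for one image, which is all an image: pull needs; only the second produces something a docker push inside the build script could use without its own docker login.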