"docker push" does not work when running CI job triggered by tag
Versions
- GitLab EE Version: 11.8.3
- GitLab Runner Version: 11.8.0
Expected Behavior
Docker Image is successfully pushed to company artifactory with updated CI_COMMIT_TAG
Files
Here is my .gitlab-ci.yml file:
stages:
  - build
  - push
image: docker:stable
#####################################################
############ Variables Used Across Stages ###########
#####################################################
variables:
  DOCKER_DRIVER: overlay2
  ARTIFACTORY: <company-artifactory>
  CONTAINER_IMAGE_BUILT: ${ARTIFACTORY}/stage/${CI_PROJECT_NAME}:${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}
  CONTAINER_IMAGE_VERSION: ${ARTIFACTORY}/prod/${CI_PROJECT_NAME}:${CI_COMMIT_TAG}
  CONTAINER_IMAGE_LATEST: ${ARTIFACTORY}/stage/${CI_PROJECT_NAME}:latest
#####################################################
################## Stage Definitions ################
#####################################################
build_stage:
  stage: build
  tags:
    - marketplace
  script:
    - docker build -t "${CONTAINER_IMAGE_BUILT}" .
  only:
    - master
build_prod:
  stage: build
  tags:
    - marketplace
  script:
    - docker build -t "${CONTAINER_IMAGE_BUILT}" .
  only:
    - tags
  except:
    - branches
push_stage:
  stage: push
  tags:
    - marketplace
  script:
    - docker login -u $CI_ARTIFACT_USER -p $CI_ARTIFACT_PASSWORD $ARTIFACTORY
    - docker tag ${CONTAINER_IMAGE_BUILT} ${CONTAINER_IMAGE_LATEST}
    - docker push ${CONTAINER_IMAGE_LATEST}
  only:
    - master
push_prod:
  stage: push
  tags:
    - marketplace
  script:
    - docker login -u $CI_ARTIFACT_USER -p $CI_ARTIFACT_PASSWORD $ARTIFACTORY
    - docker tag ${CONTAINER_IMAGE_BUILT} ${CONTAINER_IMAGE_VERSION}
    - echo ${CONTAINER_IMAGE_VERSION}
    - docker push ${CONTAINER_IMAGE_VERSION}
  only:
    - tags
  except:
    - branches
And my GitLab Runner config.toml file:
concurrent = 1
check_interval = 0
[session_server]
  session_timeout = 1800
[[runners]]
  name = "marketrunner"
  url = "<company gitlab ee>"
  token = "<token>"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "alpine:latest"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    shm_size = 0
  [runners.cache]
    [runners.cache.s3]
    [runners.cache.gcs]
Problem
When committing to master and triggering push_stage, docker login and docker push work as expected and the docker image is successfully pushed to our company artifactory. With the same credentials, on the same runner, but with a different tag (and even when I tag my code as latest and the CI_COMMIT_TAG == latest) I get the following error:
unauthorized: The client does not have permission to push to the repository.
The GitLab Runner Output can be seen below:
This error is only encountered when running as a GitLab CI job on the CI runner. If I ssh into the VM that is running the runner and follow the same docker login, docker tag, and docker push commands, it works as expected. This leads me to believe that it is only a problem with GitLab or its runner.
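A preflight for the push jobs, as an added example that is not part of the original post: it stops before `docker login` when a credential variable is empty inside the job (GitLab exposes protected variables only to pipelines on protected branches and protected tags; the post does not say whether these variables are protected) and it passes the password on stdin rather than with `-p`, which keeps it off the command line. The function names and the `DOCKER_BIN` override are hypothetical; the variable names are the ones used in the `.gitlab-ci.yml` above.

```shell
#!/bin/sh
# Added example, not from the original post.
# DOCKER_BIN is a hypothetical override so the login step can be
# exercised without a Docker daemon; it defaults to "docker".

# Return 0 only if every named variable is set and non-empty.
# Only variable NAMES are reported, never their values.
require_vars() {
    missing=""
    for name in "$@"; do
        # Refuse anything that is not a plain identifier before using eval.
        case $name in
            ''|*[!A-Za-z0-9_]*)
                echo "invalid variable name passed to require_vars" >&2
                return 2 ;;
        esac
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing or empty CI variables:$missing" >&2
        return 1
    fi
    return 0
}

# Log in to the registry named by $ARTIFACTORY.
# Extra arguments are further variable names the calling job depends on,
# e.g. CI_COMMIT_TAG for push_prod, whose image tag is empty without it.
registry_login() {
    require_vars CI_ARTIFACT_USER CI_ARTIFACT_PASSWORD ARTIFACTORY "$@" || return 1
    # --password-stdin keeps the secret out of argv and the process list.
    printf '%s' "$CI_ARTIFACT_PASSWORD" |
        "${DOCKER_BIN:-docker}" login -u "$CI_ARTIFACT_USER" \
            --password-stdin "$ARTIFACTORY"
}

# Usage inside a job script, after sourcing this file:
#   registry_login CI_COMMIT_TAG
#   docker push "${CONTAINER_IMAGE_VERSION}"
```

If the tag job reports the credential names as missing while the master job does not, the difference is in which variables the pipeline receives, not in the registry permissions.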