unable to pull image from google container registry

I'm trying to use the runner 'docker-machine' to pull images from my private google docker registry but it seems to fail no matter what I try. Do you have any pointers on how to accomplish this?

With GCE you can pull images by either

  1. using gcloud docker pull image
  2. logging in to the Docker registry: docker login -e gitlab-ci@<PROJECT>.iam.gserviceaccount.com -u _json_key -p "$(cat /etc/google/auth/application_default_credentials.json)" https://eu.gcr.io

This is what I've tried so far:

  • giving the correct access-scopes to the created instance: google-scopes=https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/devstorage.read_write
  • building a custom image that docker-machine uses to start a new instance. The image is already logged in to the docker-registry using method 2 (see above) and saves the docker credentials in /home/docker-user/.docker, which seems to be the user that docker-machine is using

When I ssh into the created machine I can pull images from the GCE registry, but somehow the gitlab-ci-runner can't:

Running with gitlab-ci-multi-runner 1.5.2 (76fdacd)
Using Docker executor with image eu.gcr.io/<MY-PROJECT>/clojure-runner:alpine ...
Pulling docker image eu.gcr.io/<MY-PROJECT>/clojure-runner:alpine ...
ERROR: Preparation failed: Error: Status 403 trying to pull repository <MY-PROJECT>/clojure-runner: "Unable to access the repository: <MY-PROJECT>/clojure-runner; please verify that it exists and you have permission to access it (no valid credential was supplied)."

config.toml:

concurrent = 2

[[runners]]
  name = "GCE on-demand runner"
  url = "https://gitlab.com/ci"
  token = "XXXXXX"
  tls-skip-verify = false
  tls-ca-file = ""
  executor = "docker+machine"
  limit = 1
  builds_dir = "/builds"
  [runners.machine]
    IdleCount = 0
    IdleTime = 1200
    MaxBuilds = 50
    MachineName = "ci-%s"
    MachineDriver = "google"
    MachineOptions = [
      "google-project=<MY-PROJECT>",
      "google-zone=europe-west1-d",
      "google-machine-type=n1-standard-1",
      "google-machine-image=https://www.googleapis.com/compute/v1/projects/<MY-PROJECT>/global/images/ci-debian-8-v20160905",
      "google-disk-size=200",
      "google-disk-type=pd-standard",
      "google-preemptible=true",
      "google-use-internal-ip=true",
      #@see https://developers.google.com/identity/protocols/googlescopes
      "google-scopes=https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/devstorage.read_write",
      "google-tags=ci-runner",
      "engine-registry-mirror=https://eu.gcr.io"
    ]
  [runners.docker]
    image = "eu.gcr.io/<MY-PROJECT>/clojure-runner:alpine"
    privileged = true
    disable_cache = false
    volumes = [
      "/var/run/docker.sock:/var/run/docker.sock:ro",
      "/root/.docker/:/root/.docker/:ro",
    ]
  [runners.cache]
    Type = "s3"
    ServerAddress = "storage.googleapis.com"
    AccessKey = "XXXXXX"
    SecretKey = "XXXXXX"
    BucketName = "gitlab-ci-cache"
    BucketLocation = "europe-west1"
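
An added diagnostic, not part of the original post or of GitLab Runner: it reads a Docker client config.json, such as the one the docker login in method 2 writes, and reports whether it holds a credential for a registry host and under which username, without exposing the secret. The function names and the sample config are constructed for illustration; the two file paths are the ones named in the post.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample: what `docker login -u _json_key ... https://eu.gcr.io` leaves in
# config.json when no credential helper is configured (key material is a dummy).
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://eu.gcr.io": {
            "auth": base64.b64encode(b'_json_key:{"type": "dummy"}').decode()
        }
    }
})


def _host(key):
    """Reduce an auths key such as 'https://eu.gcr.io' or 'eu.gcr.io/v1/' to its host."""
    parsed = urlparse(key if "://" in key else "//" + key)
    return (parsed.hostname or "").lower()


def registry_credential(config_text, registry):
    """Return (source, identity) for `registry`, or (None, None) if nothing matches.

    The password part of a stored credential is never returned or printed.
    """
    cfg = json.loads(config_text)
    want = _host(registry)
    for key, entry in cfg.get("auths", {}).items():
        if _host(key) == want and entry.get("auth"):
            decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
            return "auths", decoded.split(":", 1)[0]
    for key, helper in cfg.get("credHelpers", {}).items():
        if _host(key) == want:
            return "credHelpers", helper
    if cfg.get("credsStore"):
        return "credsStore", cfg["credsStore"]
    return None, None


if __name__ == "__main__":
    # The two locations named in the post; adjust for the host being checked.
    for path in ("/home/docker-user/.docker/config.json", "/root/.docker/config.json"):
        try:
            with open(path) as fh:
                print(path, registry_credential(fh.read(), "eu.gcr.io"))
        except (OSError, ValueError) as exc:
            print(path, "unreadable:", exc)
```

A result of (None, None) for a path means a Docker client reading that file has no stored credential for the registry host.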