Gitlab-runner fails to pull image from docker registry for scheduled pipelines (owned by project access tokens)
Summary
The job in the pipeline is based on Docker image from the project's/group's container registry. This job is now failing in the preparation phase of the job (i.e. in the Preparing the docker+machine" executor
phase) when the executor is trying to pull the image for the job. That happens if pipeline started by "bot user" (project access token)
Steps to reproduce
- Create a pipeline:
report:
image: $CI_REGISTRY/<PATH_TO>/<IMAGEe>
script:
- ls -la
- Schedule the pipeline to run in 5 minutes (goto CI/CD -> Schedules -> New schedule)
- Create a project access token
my_full_access_token
with "full access" (goto Settings -> Access Tokens -> select all possible checkboxes) - Give the ownership of the created schedule for created access token (this step is necessary since I try to workarond #339888 (closed))
- Ensure that the schedule now belongs to
my_full_access_token
(goto CI/CD -> Schedules) - Wait until pipeline starts
- Job should fail (see log example below)
What is the current bug behavior?
The job fails in the preparation phase while trying to pull the image from the gitlab's container registry (probably authorization issue)
What is the expected correct behavior?
The job doesn't fail
Relevant logs and/or screenshots
Running with gitlab-runner 14.4.0-rc1 (bc99a056)
on docker-auto-scale fa6cab46
Resolving secrets
00:00
Preparing the "docker+machine" executor
00:06
Using Docker executor with image registry.gitlab.com/<PATH_TO>/<IMAGE> ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/<PATH_TO>/<IMAGE> ...
WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for registry.gitlab.com/<PATH_TO>/<IMAGE>, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:203:0s)
ERROR: Job failed: failed to pull image "registry.gitlab.com/<PATH_TO>/<IMAGE>" with specified policies [always]: Error response from daemon: pull access denied for registry.gitlab.com/<PATH_TO>/<IMAGE>, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:203:0s)
Output of checks
This bug happens on GitLab.com
Edited by seletin