CI_JOB_TOKEN does not allow to delete images from the Docker Registry
when I play around with a private Docker Registry which is authenticated by the Gitlab JWT auth with my personal login credentials, then I'm able to delete old Docker images (tags). (Docker Registry v2 API, delete storage option enabled) - This works like expected.
On a CI build I have full read and push permission. So listing the tags, and pushing new tags is working fine. Unfortunately the CI_JOB_TOKEN is not permitted to perform the deletion of tags.
This is quite bad on the storage (and backup) level. I built a new job at the end of my pipeline to cleanup old (and unused) tags to free up memory.
I did not looked to the Gitlab source code yet, but I'm willing to contribute a PR for this.
Steps to reproduce
- Create new job in pipeline (See: https://github.com/Jack12816/plankton#gitlab-ci)
- Run the job (See output: https://github.com/Jack12816/plankton/issues/1#issue-260113071)
- Job fails
What is the current bug behavior?
The CI_JOB_TOKEN is not permitted to perform deletion requests on the connected Docker Registry.
What is the expected correct behavior?
The CI_JOB_TOKEN is permitted to perform deletion requests on the connected Docker Registry.
Relevant logs and/or screenshots
$ plankton cleanup --keep 1 --no-confirm fancy/app Tags to keep: 1 (377.26 MiB) Image tag Created at Size 6af2cdb9de85733d8169f84f68020e472bfed9d5 2017-09-24T20:13:44+00:00 377.26 MiB Tags to delete: 5 (1.64 GiB) Image tag Created at Size 542f39e834da997f7c5a67123edb116e737729c2 2017-09-24T19:58:43+00:00 377.57 MiB 361ea2a2a69a701e406f912ea3d3923b07bf76bd 2017-09-24T19:35:30+00:00 377.56 MiB fe6ea4720f41e1970641bc7d79f12ef640cdcdd6 2017-09-24T19:22:38+00:00 377.55 MiB 1f4c65c0b5025da0927fbee7bca09b67cf5c13b2 2017-09-24T16:36:00+00:00 273.27 MiB e0e19e81f15d03775e1b01bdd1eb753a275d386e 2017-09-24T16:32:56+00:00 273.27 MiB bundler: failed to load command: exe/plankton (exe/plankton) DockerRegistry2::RegistryAuthenticationException: DockerRegistry2::RegistryAuthenticationException /usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:179:in `rescue in do_bearer_req' /usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:169:in `do_bearer_req' /app/lib/plankton/monkey_patches.rb:50:in `do_bearer_req' /usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:141:in `rescue in doreq' /usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:125:in `doreq' /app/lib/plankton/monkey_patches.rb:63:in `rescue in doreq' /app/lib/plankton/monkey_patches.rb:58:in `doreq' /usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:24:in `dodelete' /usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:82:in `rmtag' /app/lib/plankton/monkey_patches.rb:130:in `rmtag' /app/lib/plankton/commands/cleanup.rb:47:in `block in cleanup' /app/lib/plankton/commands/cleanup.rb:46:in `each' /app/lib/plankton/commands/cleanup.rb:46:in `cleanup' /usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run' /usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command' /usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch' /usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start' exe/plankton:70:in `<top (required)>' The latest bundler is 1.16.0.pre.2, but you are currently running 1.15.0. To update, run `gem install bundler --pre` ERROR: Job failed: exit code 1
Until this is fixed, you could use a temporary workaround: https://github.com/Jack12816/plankton/issues/1#issuecomment-333797086