Can't push docker image to Gitlab registry from pipeline: "denied: access forbidden"

Question

<details>
<summary>English:</summary>
I'm using [Gitlab][1] (not self hosted) for CI/CD and fail to push a docker image to Gitlab's container registry from the pipeline. While logging in and building the image appear to work, pushing it produces an error: `denied: access forbidden`. I don't understand why the access is forbidden.

My .gitlab-ci.yml looks like this:

```yaml
Deploy backend:
    before_script:
      - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    image: docker:latest
    script:
      - docker build -t registry.gitlab.com/profilename/projectname/backend .
      - docker push registry.gitlab.com/profilename/projectname/backend
    services:
      - docker:dind
    stage: deploy
```

This is the log from the job:

Running with gitlab-runner 15.9.0~beta.115.g598a7c91 (598a7c91)
  on blue-5.shared.runners-manager.gitlab.com/default -AzERasQ, system ID: s_8a38c517a741
section_start:1676491269:prepare_executor
Preparing the "docker+machine" executor
Using Docker executor with image docker:latest ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image sha256:1278207f64426065791cb1a0a8967c69327c962f83273e57b63da0c55eb045ce for docker:dind with digest docker@sha256:44cd33fb5235eb32c853f17b6ae6dea3cc3fb9239b83f2e732c7de6f94829a72 ...
Waiting for services to be up and running (timeout 30 seconds)...
Pulling docker image docker:latest ...
Using docker image sha256:1278207f64426065791cb1a0a8967c69327c962f83273e57b63da0c55eb045ce for docker:latest with digest docker@sha256:44cd33fb5235eb32c853f17b6ae6dea3cc3fb9239b83f2e732c7de6f94829a72 ...
section_end:1676491303:prepare_executor
section_start:1676491303:prepare_script
Preparing environment
Running on runner--azerasq-project-42230322-concurrent-0 via runner-azerasq-shared-1676491230-d30ae835...
section_end:1676491304:prepare_script
section_start:1676491304:get_sources
Getting source from Git repository
$ eval "$CI_PRE_CLONE_SCRIPT"
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/profilename/projectname/.git/
Created fresh repository.
Checking out a693f85a as detached HEAD (ref is 1-remove-login-barrier)...
Skipping Git submodules setup
section_end:1676491307:get_sources
section_start:1676491307:download_artifacts
Downloading artifacts
Downloading artifacts for Build backend (3778290090)...
Downloading artifacts from coordinator... ok        host=storage.googleapis.com id=3778290090 responseStatus=200 OK token=64_EXTxB
section_end:1676491309:download_artifacts
section_start:1676491309:step_script
Executing "step_script" stage of the job script
Using docker image sha256:1278207f64426065791cb1a0a8967c69327c962f83273e57b63da0c55eb045ce for docker:latest with digest docker@sha256:44cd33fb5235eb32c853f17b6ae6dea3cc3fb9239b83f2e732c7de6f94829a72 ...
$ docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker build -t registry.gitlab.com/profilename/projectname/backend .
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 121B done
#1 DONE 0.0s
#2 [internal] load .dockerignore
#2 transferring context: 134B done
#2 DONE 0.0s
#3 [auth] library/golang:pull token for registry-1.docker.io
#3 DONE 0.0s
#4 [internal] load metadata for docker.io/library/golang:alpine
#4 DONE 0.5s
#5 [1/3] FROM docker.io/library/golang:alpine@sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a
#5 resolve docker.io/library/golang:alpine@sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a 0.0s done
#5 sha256:18da4399cedd9e383beb6b104d43aa1d48bd41167e312bb5306d72c51bd11548 1.16kB / 1.16kB done
#5 sha256:0b94e5e3eec1be96be80bab3ffc3186af109233342f79fb5051b45ba4beb6bd5 5.11kB / 5.11kB done
#5 sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c 3.37MB / 3.37MB 0.2s done
#5 sha256:a2d21d5440ebff5aaaaeb115a003f7a4a3897f1866a87de95bc4a21436fc563c 284.82kB / 284.82kB 0.1s done
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 0B / 100.63MB 0.2s
#5 sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a 1.65kB / 1.65kB done
#5 sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc 0B / 155B 0.2s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 5.24MB / 100.63MB 0.3s
#5 sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc 155B / 155B 0.3s done
#5 extracting sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 13.41MB / 100.63MB 0.4s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 19.92MB / 100.63MB 0.5s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 27.26MB / 100.63MB 0.6s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 47.19MB / 100.63MB 0.8s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 56.62MB / 100.63MB 0.9s
#5 ...
#6 [internal] load build context
#6 transferring context: 22.68MB 1.0s done
#6 DONE 1.1s
#5 [1/3] FROM docker.io/library/golang:alpine@sha256:48f336ef8366b9d6246293e3047259d0f614ee167db1869bdbc343d6e09aed8a
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 67.11MB / 100.63MB 1.0s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 73.40MB / 100.63MB 1.1s
#5 extracting sha256:63b65145d645c1250c391b2d16ebe53b3747c295ca8ba2fcb6b0cf064a4dc21c 0.9s done
#5 extracting sha256:a2d21d5440ebff5aaaaeb115a003f7a4a3897f1866a87de95bc4a21436fc563c
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 79.69MB / 100.63MB 1.2s
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 98.57MB / 100.63MB 1.4s
#5 extracting sha256:a2d21d5440ebff5aaaaeb115a003f7a4a3897f1866a87de95bc4a21436fc563c 0.2s done
#5 sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 100.63MB / 100.63MB 2.1s done
#5 extracting sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d
#5 extracting sha256:752c438cb1864d6b2151010a811031b48f0c3511c7aa49f540322590991c949d 5.1s done
#5 extracting sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc
#5 extracting sha256:07244a03b3147bcdf5c1256e62110d50e31af7af76ef53aae3bcc9da8410dcdc done
#5 DONE 7.7s
#7 [2/3] COPY ./backend .
#7 DONE 2.3s
#8 [3/3] COPY ./.env .
#8 DONE 0.0s
#9 exporting to image
#9 exporting layers
#9 exporting layers 0.1s done
#9 writing image sha256:a68871721d60f549d798eeed6b0ee2cc341363fd92dc27b02226edb35715fdcd done
#9 naming to registry.gitlab.com/profilename/projectname/backend done
#9 DONE 0.1s
WARNING: buildx: git was not found in the system. Current commit information was not captured by the build
$ docker push registry.gitlab.com/profilename/projectname/backend
Using default tag: latest
The push refers to repository [registry.gitlab.com/profilename/projectname/backend]
c7f4a40df92d: Preparing
ee97383dd371: Preparing
3ade35e5a1f0: Preparing
c6bcad44cf36: Preparing
d270ab11cf6e: Preparing
7cd52847ad77: Preparing
7cd52847ad77: Waiting
denied: access forbidden
section_end:1676491322:step_script
section_start:1676491322:cleanup_file_variables
Cleaning up project directory and file based variables
section_end:1676491322:cleanup_file_variables
ERROR: Job failed: exit code 1

Building it locally and then uploading it to the Gitlab registry works perfectly. What am I missing here?
[1]: https://gitlab.com
</details>
# Answer 1
**Score**: 1
<details>
<summary>English:</summary>
I went to `Settings > CI/CD > Variables` in Gitlab and deleted `CI_REGISTRY_USER` and `CI_REGISTRY`. The values of those variables looked ok to me, but apparently they get auto-populated if not defined with something else that works.
</details>
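
A preflight check for the failure this answer describes, as an added example that is not part of the original post: it fails the job early, with a reason, when the registry variables do not look like GitLab's predefined ones or the image lies outside the project's registry path. It assumes the predefined `CI_REGISTRY_USER` is `gitlab-ci-token` and that `CI_REGISTRY_IMAGE` begins with `$CI_REGISTRY/`; the function names and the sample override value are hypothetical.

```shell
#!/bin/sh
# Preflight for a GitLab CI job that pushes to the project's container registry.
# Assumed predefined values (when nothing overrides them in project settings):
#   CI_REGISTRY_USER=gitlab-ci-token, and CI_REGISTRY_IMAGE begins with "$CI_REGISTRY/".

# check_registry_vars IMAGE_REF
# Returns 0 if the login variables look predefined and IMAGE_REF is inside
# this project's registry path; otherwise explains on stderr and returns 1.
check_registry_vars() {
    image_ref=$1
    status=0
    if [ "${CI_REGISTRY_USER:-}" != "gitlab-ci-token" ]; then
        echo "CI_REGISTRY_USER='${CI_REGISTRY_USER:-}' is not the job-token user;" \
             "look for an override under Settings > CI/CD > Variables" >&2
        status=1
    fi
    case "${CI_REGISTRY_IMAGE:-}" in
        "${CI_REGISTRY:-}"/?*) ;;
        *)  echo "CI_REGISTRY='${CI_REGISTRY:-}' does not match" \
                 "CI_REGISTRY_IMAGE='${CI_REGISTRY_IMAGE:-}'" >&2
            status=1 ;;
    esac
    case "$image_ref" in
        "${CI_REGISTRY_IMAGE:-}" | "${CI_REGISTRY_IMAGE:-}"[/:]*) ;;
        *)  echo "image '$image_ref' is outside '${CI_REGISTRY_IMAGE:-}'" >&2
            status=1 ;;
    esac
    return "$status"
}

# Constructed sample: the project path from the question, with CI_REGISTRY_USER
# overridden by a project-level variable (hypothetical value "profilename").
demo_overridden() (
    CI_REGISTRY=registry.gitlab.com
    CI_REGISTRY_IMAGE=registry.gitlab.com/profilename/projectname
    CI_REGISTRY_USER=profilename
    check_registry_vars "$CI_REGISTRY_IMAGE/backend"
)

if demo_overridden; then echo "preflight passed"; else echo "preflight failed"; fi

# In the job, before logging in (password on stdin, as the docker warning asks):
#   check_registry_vars "$CI_REGISTRY_IMAGE/backend" || exit 1
#   echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
```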

Published by huangapple on 2023-02-16 06:08:26