14

When configuring a gitlab-ci for building docker images and pushing them to my gitlab's insecure registry, I encountered several errors. My gitlab-ci.yaml is laid out below:

stages:
  - build
  - deploy

variables:
  GIT_SUBMODULE_STRATEGY: recursive
  CONTAINER_IMAGE: XXX:$CI_COMMIT_REF_NAME

# The insecure-registry flag 
services:
  - docker:dind

build_container:
  image: docker:latest
  stage: build
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin

  script:
    - docker build --pull -t $CONTAINER_IMAGE .
    - docker push $CONTAINER_IMAGE

The first error was:

  $ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN myregistry.gitlab.com
  WARNING! Using --password via the CLI is insecure. Use --password-stdin.
  Warning: failed to get default registry endpoint from daemon (Cannot connect 
  to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon 
  running?). Using system default: https://index.docker.io/v1/
  Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the 
  docker daemon running?

This was resolved by updating the login command to 

echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" myregistry.gitlab.com --password-stdin

Unfortunately after updating, I encountered another error:

$ echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" myregistry.gitlab.com --password-stdin
Error response from daemon: Get https://myregistry.gitlab.com/v2/: dial tcp XX.XX.XXX.XXX:443: getsockopt: connection refused

How Can I resolve this?

David Maze
  • 130,717
  • 29
  • 175
  • 215
mcguip
  • 5,947
  • 5
  • 25
  • 32

1 Answers1

49

Like any other docker installation, it is necessary to instruct the docker daemon to allow connections to insecure registries. In order to do this in the context of the docker-in-docker service, one must pass this configuration to the service. This can be done by updating your gitlab-ci.yaml to specify the service as:

services:
  - name: docker:dind
    command: ["--insecure-registry=myregistry.gitlab.com"]
mcguip
  • 5,947
  • 5
  • 25
  • 32
  • 4
    You saved my day. Thanks – debuti Nov 08 '18 at 09:46
  • @mcguip do you know some way to use an environment variable in this context ($CI_REGISTRY)? – mathiasfk Apr 18 '19 at 19:56
  • @mathiasfk, The example already uses several environment variables. Is there something more specific you’re after? – mcguip Apr 19 '19 at 21:26
  • 7
    I mean using something like `command: ["--insecure-registry=$CI_REGISTRY"]`. In this case the context belongs to the runner, so the variable is not visible to the service. – mathiasfk Apr 20 '19 at 23:37
  • I see. A good question; however, I don't have the answer off the top of my head nor could I find anything in the docker documentation. Perhaps you might raise as a separate question as this would more generally apply to variable substitution in dockerfile command statements. – mcguip Apr 23 '19 at 06:23
  • To use variables and pass them to dind, have a look at https://github.com/LordGaav/dind-options/ – Lubo Jan 19 '22 at 20:14
  • You also need the port, at least if you are using an IP address: `command: ["--tls=false", "--insecure-registry=192.168.34.20:5000"]` – Gionata Oct 26 '22 at 11:59