Authenticate with registry in Docker-in-Docker

Tier: Free, Premium, Ultimate
Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

When you use Docker-in-Docker, the standard authentication methods do not work, because a fresh Docker daemon is started with the service.

Option 1: Run `docker login`

In before_script, run docker login:

default:
  image: docker:24.0.5
  services:
    - docker:24.0.5-dind

variables:
  DOCKER_TLS_CERTDIR: "/certs"

build:
  stage: build
  before_script:
    - echo "$DOCKER_REGISTRY_PASS" | docker login $DOCKER_REGISTRY --username $DOCKER_REGISTRY_USER --password-stdin
  script:
    - docker build -t my-docker-image .
    - docker run my-docker-image /script/to/run/tests

To sign in to Docker Hub, leave $DOCKER_REGISTRY empty or remove it.

Option 2: Mount `~/.docker/config.json` on each job

If you are an administrator for GitLab Runner, you can mount a file with the authentication configuration to ~/.docker/config.json. Then every job that the runner picks up is already authenticated. If you are using the official docker:24.0.5 image, the home directory is under /root.

If you mount the configuration file, any docker command that modifies the ~/.docker/config.json fails. For example, docker login fails, because the file is mounted as read-only. Do not change it from read-only, because this causes problems.

Here is an example of /opt/.docker/config.json that follows the DOCKER_AUTH_CONFIG documentation:

{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
        }
    }
}

Docker

Update the volume mounts to include the file.

[[runners]]
  ...
  executor = "docker"
  [runners.docker]
    ...
    privileged = true
    volumes = ["/opt/.docker/config.json:/root/.docker/config.json:ro"]

Kubernetes

Create a ConfigMap with the content of this file. You can do this with a command like:

kubectl create configmap docker-client-config --namespace gitlab-runner --from-file /opt/.docker/config.json

Update the volume mounts to include the file.

[[runners]]
  ...
  executor = "kubernetes"
  [runners.kubernetes]
    image = "alpine:3.12"
    privileged = true
    [[runners.kubernetes.volumes.config_map]]
      name = "docker-client-config"
      mount_path = "/root/.docker/config.json"
      # If you are running GitLab Runner 13.5
      # or lower you can remove this
      sub_path = "config.json"

Option 3: Use `DOCKER_AUTH_CONFIG`

If you already have DOCKER_AUTH_CONFIG defined, you can use the variable and save it in ~/.docker/config.json.

You can define this authentication in several ways:

In pre_build_script in the runner configuration file.
In before_script.
In script.

The following example shows before_script. The same commands apply for any solution you implement.

default:
  image: docker:24.0.5
  services:
    - docker:24.0.5-dind

variables:
  DOCKER_TLS_CERTDIR: "/certs"

build:
  stage: build
  before_script:
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
  script:
    - docker build -t my-docker-image .
    - docker run my-docker-image /script/to/run/tests

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support