Docker DIND无法访问专用注册表

Question

我正在使用GitLab，以及GitLab runner和DIND。

配置详细信息：

---------------------------------------

docker run --privileged --name gitlab-dind -d --restart=always docker:17.07-dind

---------------------------------------

cat gitlab_runner.sh
docker run -d --name gitlab-runner --restart always \
  -v /mnt/data/gitlab/gitlab-runner:/etc/gitlab-runner \
  --link gitlab-dind:docker \
  gitlab/gitlab-runner:v9.5.0

---------------------------------------

cat /mnt/data/gitlab/gitlab-runner/config.toml
concurrent = 1
check_interval = 0

[[runners]]
  name = "RunnerA"
  url = "https://gitlab.dev.abc.net"
  token = "d8ed43a69ebed74ccab2493857d8cb"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:17.07"
    privileged = false
    disable_cache = false
    volumes = ["/cache"]
    host = "tcp://gitlab-dind:2375"
    shm_size = 0
  [runners.cache]

---------------------------------------

cat ~/wksp/test-proj/.gitlab-ci.yml
image: docker.artifactory.abc.net/docker:17.07

variables:
  DOCKER_HOST: tcp://docker:2375

# This before_script block was added later but it seems this block
# isn't executed before the DIND tries fetching image from Artifactory
before_script:
  - docker login -u svc-art-user -p some-pwd docker.artifactory.abc.net
  - docker info

services:
- docker.artifactory.abc.net/docker:17.07-dind

build:
  stage: build
  script:
  - docker build -t my-docker-node-image .

---------------------------------------

顺便说一句，在上面的配置中，DOCKER_HOST配置在.gitlab-ci.yml中需要吗?还是只需要config.toml中的条目(host = "tcp://gitlab-dind:2375)？

现在，当跑步者运行时，我得到以下错误：

Runner log error:
Running with gitlab-ci-multi-runner 9.5.0 (413da38)
  on RunnerA (d8ed43a6)
Using Docker executor with image docker.artifactory.abc.net/docker:17.07 ...
Starting service docker.artifactory.abc.net/docker:17.07-dind ...
Pulling docker image docker.artifactory.abc.net/docker:17.07-dind ...
ERROR: Preparation failed: Error response from daemon: Get https://docker.artifactory.abc.net/v2/: x509: certificate signed by unknown authority

我可能错了，但这个错误似乎是因为服务帐户(svc-art-user)无法在DIND映像拉拔发生之前登录。

Answer 1

您需要向Gitlab Runner提供身份验证细节，因为它需要提取图像。

您需要使用身份验证详细信息创建DOCKER_AUTH_CONFIG秘密变量，如下所示

{
     "auths": {
         "docker.artifactory.abc.net": {
             "auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
         }
     }
 }

这可以通过在本地登录和检查~/.docker/config.json来获得。

文档提供了这方面的详细信息。

images.html#define-an-image-from-a-private-docker-registry

https://docs.gitlab.com/runner/configuration/advanced-configuration.html#using-a-private-container-registry