Commit c345edcb authored by Achilleas Pipinellis's avatar Achilleas Pipinellis

Document the need to use a PAT with Registry when 2FA is on

GitLab 8.12 introduced a new permissions model which tightened the
security of Container Registry. It is now required to use a personal
token if 2FA is enabled.

[ci skip]
parent 42dc2033
...@@ -270,12 +270,16 @@ which can be avoided if a different driver is used, for example `overlay`. ...@@ -270,12 +270,16 @@ which can be avoided if a different driver is used, for example `overlay`.
## Using the GitLab Container Registry ## Using the GitLab Container Registry
> **Note:** > **Notes:**
This feature requires GitLab 8.8 and GitLab Runner 1.2. - This feature requires GitLab 8.8 and GitLab Runner 1.2.
- Starting from GitLab 8.12, if you have 2FA enabled in your account, you need
Once you've built a Docker image, you can push it up to the built-in [GitLab Container Registry](../../user/project/container_registry.md). For example, if you're using to pass a personal access token instead of your password in order to login to
docker-in-docker on your runners, this is how your `.gitlab-ci.yml` could look: GitLab's Container Registry.
Once you've built a Docker image, you can push it up to the built-in
[GitLab Container Registry](../../user/project/container_registry.md). For example,
if you're using docker-in-docker on your runners, this is how your `.gitlab-ci.yml`
could look like:
```yaml ```yaml
build: build:
...@@ -354,10 +358,20 @@ deploy: ...@@ -354,10 +358,20 @@ deploy:
``` ```
Some things you should be aware of when using the Container Registry: Some things you should be aware of when using the Container Registry:
* You must log in to the container registry before running commands. Putting this in `before_script` will run it before each build job.
* Using `docker build --pull` makes sure that Docker fetches any changes to base images before building just in case your cache is stale. It takes slightly longer, but means you don’t get stuck without security patches to base images. - You must log in to the container registry before running commands. Putting
* Doing an explicit `docker pull` before each `docker run` makes sure to fetch the latest image that was just built. This is especially important if you are using multiple runners that cache images locally. Using the git SHA in your image tag makes this less necessary since each build will be unique and you shouldn't ever have a stale image, but it's still possible if you re-build a given commit after a dependency has changed. this in `before_script` will run it before each build job.
* You don't want to build directly to `latest` in case there are multiple builds happening simultaneously. - Using `docker build --pull` makes sure that Docker fetches any changes to base
images before building just in case your cache is stale. It takes slightly
longer, but means you don’t get stuck without security patches to base images.
- Doing an explicit `docker pull` before each `docker run` makes sure to fetch
the latest image that was just built. This is especially important if you are
using multiple runners that cache images locally. Using the git SHA in your
image tag makes this less necessary since each build will be unique and you
shouldn't ever have a stale image, but it's still possible if you re-build a
given commit after a dependency has changed.
- You don't want to build directly to `latest` in case there are multiple builds
happening simultaneously.
[docker-in-docker]: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/ [docker-in-docker]: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/
[docker-cap]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities [docker-cap]: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
...@@ -4,13 +4,15 @@ ...@@ -4,13 +4,15 @@
--- ---
> **Note** >**Notes:**
Docker Registry manifest `v1` support was added in GitLab 8.9 to support Docker - Docker Registry manifest `v1` support was added in GitLab 8.9 to support Docker
versions earlier than 1.10. versions earlier than 1.10.
> - This document is about the user guide. To learn how to enable GitLab Container
This document is about the user guide. To learn how to enable GitLab Container Registry across your GitLab instance, visit the
Registry across your GitLab instance, visit the [administrator documentation](../../administration/container_registry.md).
[administrator documentation](../../administration/container_registry.md). - Starting from GitLab 8.12, if you have 2FA enabled in your account, you need
to pass a personal access token instead of your password in order to login to
GitLab's Container Registry.
With the Docker Container Registry integrated into GitLab, every project can With the Docker Container Registry integrated into GitLab, every project can
have its own space to store its Docker images. have its own space to store its Docker images.
......
...@@ -187,11 +187,17 @@ To properly configure submodules with GitLab CI, read the ...@@ -187,11 +187,17 @@ To properly configure submodules with GitLab CI, read the
With the update permission model we also extended the support for accessing With the update permission model we also extended the support for accessing
Container Registries for private projects. Container Registries for private projects.
> **Note:** > **Notes:**
As GitLab Runner 1.6 doesn't yet incorporate the introduced changes for - GitLab Runner versions prior to 1.8 don't incorporate the introduced changes
permissions, this makes the `image:` directive to not work with private projects for permissions. This makes the `image:` directive to not work with private
automatically. The manual configuration by an Administrator is required to use projects automatically and it needs to be configured manually on Runner's host
private images. We plan to remove that limitation in one of the upcoming releases. with a predefined account (for example administrator's personal account with
access token created explicitly for this purpose). This issue is resolved with
latest changes in GitLab Runner 1.8 which receives GitLab credentials with
build data.
- Starting with GitLab 8.12, if you have 2FA enabled in your account, you need
to pass a personal access token instead of your password in order to login to
GitLab's Container Registry.
Your builds can access all container images that you would normally have access Your builds can access all container images that you would normally have access
to. The only implication is that you can push to the Container Registry of the to. The only implication is that you can push to the Container Registry of the
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment