GitLab container registry throwing TLS handshake timeout error


I am using self-hosted GitLab and have enabled the GitLab container registry to build, push and store images. My gitlab-runner is running in a container and I am using rootless Docker because my organisation's security team does not allow the use of the full Docker suite.

I am trying to use docker-in-docker and did all the setup following this documentation: https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor

Now, when I try to authenticate to my container registry using docker login registry.gitlab.systems -u $username -p $PAT, I can authenticate successfully and can also build and push images successfully with the build and push commands. BUT when I try to do the same from my GitLab pipeline I see the error below:

$ docker login registry.gitlab.systems -u $username -p $PAT
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry.gitlab.systems/v2/: net/http: TLS handshake timeout

My gitlab-ci.yml file -

stages:
  - build

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""

docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker info
    # Pass the token on stdin rather than with -p, so it is not exposed on the command line
    - echo "$PAT" | docker login registry.gitlab.systems -u "$username" --password-stdin

Full output of the pipeline job -

Running with gitlab-runner 13.5.0 (ece86343)
  on My Docker Runner Nw3Z89BR
Preparing the "docker" executor
Using Docker executor with image docker:latest ...
Starting service docker:dind ...
Pulling docker image docker:dind ...
Using docker image sha256:jdbcajdcnlkdnjbsdhcbhsbdjkbdsbjds87756565tubmdn for docker:dind with digest docker@sha256:7877989978677tjkbmbjbhvhjg67687687878jknky8 ...
Waiting for services to be up and running...
*** WARNING: Service runner-nw3z89br-project-23-concurrent-0-0444ae016309d9d8-docker-0 probably didn't start properly.
Health check error:
start service container: Error response from daemon: Cannot link to a non running container: /runner-nw3z89br-project-23-concurrent-0-0444ae016309d9d8-docker-0 AS /runner-nw3z89br-project-23-concurrent-0-0444ae016309d9d8-docker-0-wait-for-service/service (docker.go:1271:0s)
Service container logs:
2020-12-08T13:26:38.262883588Z mount: permission denied (are you root?)
2020-12-08T13:26:38.262943608Z Could not mount /sys/kernel/security.
2020-12-08T13:26:38.262966886Z AppArmor detection and --privileged mode might break.
2020-12-08T13:26:38.344450436Z time="2020-12-08T13:26:38.342564548Z" level=info msg="Starting up"
2020-12-08T13:26:38.346064501Z time="2020-12-08T13:26:38.345847145Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
2020-12-08T13:26:38.346467932Z failed to load listeners: can't create unix socket /var/run/docker.sock: device or resource busy
*********
Pulling docker image docker:latest ...
Using docker image sha256:gdfgsdksdcjkblkxnvknsdklnvjkbxjvnkfxl989 for docker:latest with digest docker@sha256:adkfhklsnvjlkbjkbcklnmvbj\bzjkchsjncvk.lkvsfy8 ...
Preparing environment
00:01
Running on runner-nw3z89br-project-23-concurrent-0 via 1b495184edc9...
Getting source from Git repository
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/root/test-container-registry/.git/
Checking out 0d15685a as master...
Skipping Git submodules setup
Executing "step_script" stage of the job script
$ docker info
Client:
 Debug Mode: false
Server:
 Containers: 7
  Running: 2
  Paused: 0
  Stopped: 5
 Images: 36
 Server Version: 19.03.9
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 3.10.0-1160.6.1.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.9 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.51GiB
 Name: gitrunoid-kn-p1
 ID: 3A54:NKR7:QSJL:WBYV:EFTH:WFXQ:Q7EC:F4OU:TMMM:UZNJ:N557:ZUFK
 Docker Root Dir: /app/docker
 Debug Mode: false
 HTTP Proxy: http://myproxy.co:8080
 HTTPS Proxy: http://myproxy.co:8080
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
$ docker login registry.gitlab.systems -u $username -p $PAT
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://registry.gitlab.systems/v2/: net/http: TLS handshake timeout
Cleaning up file based variables
00:01
ERROR: Job failed: exit code 1

1 answer

Answered by ashastral

I had a very similar problem - I couldn't access the registry of my Omnibus GitLab installation (not Docker-in-Docker) over the Internet. I got the same handshake timeout error the OP mentioned.

It turns out my GitLab Debian distribution only allows specific ports through UFW by default:

root@gitlab:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25                         ALLOW       Anywhere
587                        ALLOW       Anywhere
110                        ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
25 (v6)                    ALLOW       Anywhere (v6)
587 (v6)                   ALLOW       Anywhere (v6)
110 (v6)                   ALLOW       Anywhere (v6)

I fixed it by allowing the registry's public-facing port:

root@gitlab:~# ufw allow 5050/tcp
Rule added
Rule added (v6)

This may or may not be adaptable to the OP's situation, but hopefully it helps some wayward Googlers.
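
To apply the answer's check to a registry address without reading the rule table by hand, here is an added example that is neither the answerer's nor GitLab's code. It parses the text of "ufw status" and reports whether the port the registry listens on is already allowed; the point it makes is that a registry served on its own hostname with no explicit port, as registry.gitlab.systems is in the question, uses 443, which the table above already allows, so the 5050/tcp rule only applies when the registry is exposed on a separate port. The helper names (registry_port, ufw_allows, check_registry) and the sample rule table are mine; bracketed IPv6 literals in the registry address are not handled.

```shell
#!/bin/sh
# Added helper; not code from the answer above.
# Reports whether a ufw rule table already allows the port a registry listens on.

# Usage: registry_port REGISTRY -> port number (443 when none is given).
# Assumption: bracketed IPv6 literals are not handled.
registry_port() {
    hostport=${1#*://}          # drop an optional scheme
    hostport=${hostport%%/*}    # drop any path
    case "$hostport" in
        *:*) printf '%s\n' "${hostport##*:}" ;;
        *)   printf '%s\n' 443 ;;
    esac
}

# Usage: ufw_allows PORT PROTO STATUS_TEXT -> exit 0 if an ALLOW rule covers it.
# Handles "PORT", "PORT/proto", "LO:HI/proto" ranges and the "(v6)" rows.
ufw_allows() {
    printf '%s\n' "$3" | awk -v port="$1" -v proto="$2" '
        {
            allow = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") allow = 1
            if (!allow) next
            n = split($1, t, "/")                 # t[1] = port or range, t[2] = proto if any
            if (n == 2 && t[2] != proto) next     # rule is for a different protocol
            if (split(t[1], r, ":") == 2) {       # LO:HI range
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
            } else if (t[1] + 0 == port + 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample, shaped like the rule table in the answer plus one port range.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
25                         ALLOW       Anywhere
5000:5010/tcp              ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# Usage: check_registry REGISTRY STATUS_TEXT -> "open" or "blocked PORT/tcp"
check_registry() {
    port=$(registry_port "$1")
    if ufw_allows "$port" tcp "$2"; then
        echo open
    else
        echo "blocked $port/tcp"
    fi
}

check_registry registry.gitlab.systems "$SAMPLE_UFW"            # open
check_registry https://registry.example.com:5050 "$SAMPLE_UFW"  # blocked 5050/tcp
```

On the GitLab host, run it as check_registry "$REGISTRY" "$(ufw status)"; a "blocked" result is the case the answer fixes with ufw allow PORT/tcp, while "open" means the firewall table is not what is dropping the handshake.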