gitlab-ci-multi-runner cannot read from Gitlab private registry with 2FA enabled
Summary
Using gitlab-ci-multi-runner on a private server. .gitlab-ci.yml uses a Gitlab private docker registry image as a build step.
Without two-factor authentication on the project owner's account, gitlab-ci-multi-runner works as expected. When 2FA is enabled, gitlab-ci-multi-runner cannot read from the project registry.
(When 2FA is subsequently disabled again, then gitlab-ci-multi-runner succeeds as before.)
Steps to reproduce
- Enable two-factor authentication for your account
- Install gitlab-ci-multi-runner on a private server
- Register the runner using the project token (gitlab-ci-multi-runner register ...)
- Create a project using a Gitlab private registry image as a pipeline step. For example:

    rubocop:
      stage: test
      image: registry.gitlab.com/organization/project/image:1.0
      script:
        - bundle exec rubocop -D

- Trigger a build (git push)
Actual behavior
The build step fails with "ERROR: Preparation failed: Error response from daemon: Get https://registry.gitlab.com/v2/organization/project/image:1.0: unauthorized: HTTP Basic: Access denied"
Expected behavior
The build should proceed and succeed as normal.
Relevant logs and/or screenshots
Pulling docker image registry.gitlab.com/organization/project/image:1.0 ...
ERROR: Preparation failed: Error response from daemon: Get https://registry.gitlab.com/v2/organization/project/image:1.0: unauthorized: HTTP Basic: Access denied
You must use a personal access token with 'api' scope for Git over HTTP.
You can generate one at https://gitlab.com/profile/personal_access_tokens
Environment description
Custom gitlab-ci-multi-runner on a GCP compute node (Ubuntu), installed using the standard installation instructions.
Using docker executor, Docker version 17.05.0-ce, build 89658be
Used GitLab Runner version
# gitlab-ci-multi-runner --version
Version: 9.4.2
Git revision: 6d06f2e
Git branch: 9-4-stable
GO version: go1.8.3
Built: Wed, 02 Aug 2017 12:46:17 +0000
OS/Arch: linux/amd64
Gitlab Runner config
# cat /etc/gitlab-runner/config.toml
concurrent = 3
check_interval = 0
[[runners]]
name = "my-gitlab-ci"
url = "https://gitlab.com/"
token = "redacted"
executor = "docker"
[runners.docker]
tls_verify = false
image = "ruby:2.4.1"
privileged = false
disable_cache = false
volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock"]
shm_size = 0
[runners.cache]
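
Added example, not part of the original report or of GitLab's code: GitLab Runner's Docker executor can take registry credentials from a `DOCKER_AUTH_CONFIG` variable, and the sketch below builds that value from a user name and a personal access token (the kind the error message asks for) and checks that it covers the registry of the job image. The user name and token are constructed placeholders, the helper names are hypothetical, and whether this resolves the failure reported here is an assumption.

```python
import base64
import json

DEFAULT_REGISTRY = "docker.io"  # Docker's default when the image names no host


def registry_of(image: str) -> str:
    """Return the registry host of an image reference (Docker's naming rule)."""
    first, sep, _ = image.partition("/")
    # The first path component is a host only if it looks like one.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def build_auth_config(registry: str, username: str, token: str) -> str:
    """Build the JSON value for DOCKER_AUTH_CONFIG from a user name and token."""
    if not username or not token:
        raise ValueError("username and token must be non-empty")
    if ":" in username:
        raise ValueError("username must not contain ':' (basic-auth separator)")
    auth = base64.b64encode(f"{username}:{token}".encode()).decode("ascii")
    return json.dumps({"auths": {registry: {"auth": auth}}})


def credentials_for(auth_config: str, image: str):
    """Return (username, secret) the config supplies for this image, or None."""
    auths = json.loads(auth_config).get("auths", {})
    wanted = registry_of(image)
    for host, entry in auths.items():
        # Entries are sometimes written as URLs; compare on the host only.
        bare = host.split("://", 1)[-1].rstrip("/")
        if bare == wanted and "auth" in entry:
            user, _, secret = base64.b64decode(entry["auth"]).decode().partition(":")
            return user, secret
    return None


if __name__ == "__main__":
    image = "registry.gitlab.com/organization/project/image:1.0"  # from the report
    # Constructed placeholder values, not real credentials.
    cfg = build_auth_config(registry_of(image), "example-user", "PLACEHOLDER-TOKEN")
    print(cfg)
    print(credentials_for(cfg, image) is not None)  # job image's registry is covered
    print(credentials_for(cfg, "ruby:2.4.1"))       # Docker Hub image: no entry
```

The resulting JSON contains a reusable credential, so it belongs in a protected or masked CI/CD variable rather than in .gitlab-ci.yml or the repository.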