
Docker-in-docker/GitLab CI: adding and using credential helper


For my organization I am building a GitLab CI/CD pipeline for one of our projects. One job in this pipeline will be executed on a Docker executor GitLab runner running on one of our own servers. The job involves using image `docker:20.10.20` together with service `docker:20.10.20-dind`. The goal is to build a Docker image from my project that is uploaded to the project's container registry hosted on gitlab.com itself (so NOT on Amazon ECR). I have this up and running with the following job configuration in `.gitlab-ci.yml`:

```yaml
docker-image-build:
  stage: Docker image build
  image: docker:20.10.20
  services:
    - name: docker:20.10.20-dind
      alias: docker
  tags:
    - docker-runner
  script:
    # Log in to the project's container registry; the password is read from stdin.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin
    # Variables are quoted so values containing spaces or glob characters are passed intact.
    - docker build --pull -m 3g --memory-swap -1 -t "$CI_REGISTRY_IMAGE" --build-arg FOO="$FOO" --build-arg BAR="$BAR" .
    - docker push "$CI_REGISTRY_IMAGE"
```

However, at the `docker login` command in the script I get a cybersecurity-related warning:

```
Login Succeeded
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
```

Storing credentials unencrypted in an artefact that might stick around is a big problem for us, as we are very concerned about cybersecurity. However, I can't seem to find a way to install `docker-credential-helpers` in the docker-in-docker container. (I'd like to or think I have to use the `pass`-based credential helper.) It seems to be a very bare-bones Linux image without a package manager or compiler. It only has tools such as `wget` and `tar`, so I could be able to download binaries and I can in fact install the `docker-credential-pass` binary itself. But I'm mostly stuck with no way to get `pass` installed, let alone its dependency `gpg` along with a sufficient source of entropy.

I'm stuck and don't know how to proceed. Any suggestions would be very appreciated. Should I switch to a shell executor in this case?

Thank you in advance!
Joshua
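
One way to limit the "artefact that might stick around" concern without a credential helper, as an added example that is not part of the original post: run the registry commands with `DOCKER_CONFIG` pointing at a private temporary directory that is deleted when the job body ends. The credentials are still stored unencrypted while the job runs; the assumptions are that the docker CLI honours `DOCKER_CONFIG` as its config directory, and the names `has_inline_credentials`, `with_ephemeral_docker_config`, `registry_job` and `LAST_DOCKER_CONFIG` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the docker CLI reads
# and writes config.json in the directory named by DOCKER_CONFIG.

# has_inline_credentials FILE: succeed if FILE carries a non-empty "auth" value,
# which is what `docker login` writes when no credential helper is configured.
has_inline_credentials() {
    [ -f "$1" ] && grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# with_ephemeral_docker_config CMD...: run CMD with DOCKER_CONFIG set to a fresh
# directory (mktemp -d creates it owner-only) and remove it however CMD ends.
with_ephemeral_docker_config() {
    _dir=$(mktemp -d) || return 1
    LAST_DOCKER_CONFIG=$_dir          # exposed so a caller can verify cleanup
    (
        trap 'rm -rf "$_dir"' EXIT    # fires on success, failure and the exits below
        trap 'exit 130' INT
        trap 'exit 143' TERM
        DOCKER_CONFIG=$_dir
        export DOCKER_CONFIG
        "$@"
        exit $?
    )
}

# Hypothetical job body mirroring the script: section of the post.
registry_job() {
    echo "$CI_REGISTRY_PASSWORD" |
        docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin &&
    docker build --pull -m 3g --memory-swap -1 -t "$CI_REGISTRY_IMAGE" \
        --build-arg FOO="$FOO" --build-arg BAR="$BAR" . &&
    docker push "$CI_REGISTRY_IMAGE"
}

# In the pipeline the script: entry would call:
#   with_ephemeral_docker_config registry_job
```
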
