debian-mirror-gitlab/doc/ci/docker/authenticate_registry.md

---
stage: Verify
group: Pipeline Execution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
type: concepts, howto
---

# Authenticate with registry in Docker-in-Docker

When you use Docker-in-Docker, the
[standard authentication methods](using_docker_images.md#access-an-image-from-a-private-container-registry)
do not work, because a fresh Docker daemon is started with the service.

## Option 1: Run `docker login`

In [`before_script`](../yaml/index.md#before_script), run `docker
login`:

```yaml
image: docker:20.10.16

variables:
  DOCKER_TLS_CERTDIR: "/certs"

services:
  - docker:20.10.16-dind

build:
  stage: build
  before_script:
    - echo "$DOCKER_REGISTRY_PASS" | docker login $DOCKER_REGISTRY --username $DOCKER_REGISTRY_USER --password-stdin
  script:
    - docker build -t my-docker-image .
    - docker run my-docker-image /script/to/run/tests
```

To sign in to Docker Hub, leave `$DOCKER_REGISTRY`
empty or remove it.

## Option 2: Mount `~/.docker/config.json` on each job

If you are an administrator for GitLab Runner, you can mount a file
with the authentication configuration to `~/.docker/config.json`.
Then every job that the runner picks up is already authenticated. If you
are using the official `docker:20.10.16` image, the home directory is
under `/root`.

If you mount the configuration file, any `docker` command
that modifies the `~/.docker/config.json` fails. For example, `docker login`
fails, because the file is mounted as read-only. Do not change it from
read-only, because this causes problems.

Here is an example of `/opt/.docker/config.json` that follows the
[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determine-your-docker_auth_config-data)
documentation:

```json
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="
        }
    }
}
```

### Docker

Update the
[volume mounts](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section)
to include the file.

```toml
[[runners]]
  ...
  executor = "docker"
  [runners.docker]
    ...
    privileged = true
    volumes = ["/opt/.docker/config.json:/root/.docker/config.json:ro"]
```

### Kubernetes

Create a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) with the content
of this file. You can do this with a command like:

```shell
kubectl create configmap docker-client-config --namespace gitlab-runner --from-file /opt/.docker/config.json
```

Update the [volume mounts](https://docs.gitlab.com/runner/executors/kubernetes.html#using-volumes)
to include the file.

```toml
[[runners]]
  ...
  executor = "kubernetes"
  [runners.kubernetes]
    image = "alpine:3.12"
    privileged = true
    [[runners.kubernetes.volumes.config_map]]
      name = "docker-client-config"
      mount_path = "/root/.docker/config.json"
      # If you are running GitLab Runner 13.5
      # or lower you can remove this
      sub_path = "config.json"
```

## Option 3: Use `DOCKER_AUTH_CONFIG`

If you already have
[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determine-your-docker_auth_config-data)
defined, you can use the variable and save it in
`~/.docker/config.json`.

You can define this authentication in several ways:

- In [`pre_build_script`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section)
  in the runner configuration file.
- In [`before_script`](../yaml/index.md#before_script).
- In [`script`](../yaml/index.md#script).

The following example shows [`before_script`](../yaml/index.md#before_script).
The same commands apply for any solution you implement.

```yaml
image: docker:20.10.16

variables:
  DOCKER_TLS_CERTDIR: "/certs"

services:
  - docker:20.10.16-dind

build:
  stage: build
  before_script:
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
  script:
    - docker build -t my-docker-image .
    - docker run my-docker-image /script/to/run/tests
```
New upstream version 15.11.6+ds1 2023-06-20 00:43:36 +05:30			`---`
			`stage: Verify`
			`group: Pipeline Execution`
			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments`
			`type: concepts, howto`
			`---`

			`# Authenticate with registry in Docker-in-Docker`

			`When you use Docker-in-Docker, the`
			`[standard authentication methods](using_docker_images.md#access-an-image-from-a-private-container-registry)`
			`do not work, because a fresh Docker daemon is started with the service.`

			## Option 1: Run `docker login`

			In [`before_script`](../yaml/index.md#before_script), run `docker
			login`:

			```yaml
			`image: docker:20.10.16`

			`variables:`
			`DOCKER_TLS_CERTDIR: "/certs"`

			`services:`
			`- docker:20.10.16-dind`

			`build:`
			`stage: build`
			`before_script:`
			`- echo "$DOCKER_REGISTRY_PASS" \| docker login $DOCKER_REGISTRY --username $DOCKER_REGISTRY_USER --password-stdin`
			`script:`
			`- docker build -t my-docker-image .`
			`- docker run my-docker-image /script/to/run/tests`
			```

			To sign in to Docker Hub, leave `$DOCKER_REGISTRY`
			`empty or remove it.`

			## Option 2: Mount `~/.docker/config.json` on each job

			`If you are an administrator for GitLab Runner, you can mount a file`
			with the authentication configuration to `~/.docker/config.json`.
			`Then every job that the runner picks up is already authenticated. If you`
			are using the official `docker:20.10.16` image, the home directory is
			under `/root`.

			If you mount the configuration file, any `docker` command
			that modifies the `~/.docker/config.json` fails. For example, `docker login`
			`fails, because the file is mounted as read-only. Do not change it from`
			`read-only, because this causes problems.`

			Here is an example of `/opt/.docker/config.json` that follows the
			[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determine-your-docker_auth_config-data)
			`documentation:`

			```json
			`{`
			`"auths": {`
			`"https://index.docker.io/v1/": {`
			`"auth": "bXlfdXNlcm5hbWU6bXlfcGFzc3dvcmQ="`
			`}`
			`}`
			`}`
			```

			`### Docker`

			`Update the`
			`[volume mounts](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section)`
			`to include the file.`

			```toml
			`[[runners]]`
			`...`
			`executor = "docker"`
			`[runners.docker]`
			`...`
			`privileged = true`
			`volumes = ["/opt/.docker/config.json:/root/.docker/config.json:ro"]`
			```

			`### Kubernetes`

			`Create a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) with the content`
			`of this file. You can do this with a command like:`

			```shell
			`kubectl create configmap docker-client-config --namespace gitlab-runner --from-file /opt/.docker/config.json`
			```

			`Update the [volume mounts](https://docs.gitlab.com/runner/executors/kubernetes.html#using-volumes)`
			`to include the file.`

			```toml
			`[[runners]]`
			`...`
			`executor = "kubernetes"`
			`[runners.kubernetes]`
			`image = "alpine:3.12"`
			`privileged = true`
			`[[runners.kubernetes.volumes.config_map]]`
			`name = "docker-client-config"`
			`mount_path = "/root/.docker/config.json"`
			`# If you are running GitLab Runner 13.5`
			`# or lower you can remove this`
			`sub_path = "config.json"`
			```

			## Option 3: Use `DOCKER_AUTH_CONFIG`

			`If you already have`
			[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determine-your-docker_auth_config-data)
			`defined, you can use the variable and save it in`
			`~/.docker/config.json`.

			`You can define this authentication in several ways:`

			- In [`pre_build_script`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section)
			`in the runner configuration file.`
			- In [`before_script`](../yaml/index.md#before_script).
			- In [`script`](../yaml/index.md#script).

			The following example shows [`before_script`](../yaml/index.md#before_script).
			`The same commands apply for any solution you implement.`

			```yaml
			`image: docker:20.10.16`

			`variables:`
			`DOCKER_TLS_CERTDIR: "/certs"`

			`services:`
			`- docker:20.10.16-dind`

			`build:`
			`stage: build`
			`before_script:`
			`- mkdir -p $HOME/.docker`
			`- echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json`
			`script:`
			`- docker build -t my-docker-image .`
			`- docker run my-docker-image /script/to/run/tests`
			```