CI_JOB_TOKEN does not allow deleting images from the Docker Registry
Summary
Hey guys,
When I play around with a private Docker Registry that is authenticated by the GitLab JWT auth with my personal login credentials, I'm able to delete old Docker images (tags) (Docker Registry v2 API, delete storage option enabled). This works as expected.
On a CI build I have full read and push permission, so listing the tags and pushing new tags works fine. Unfortunately, the CI_JOB_TOKEN is not permitted to perform the deletion of tags.
This is quite bad on the storage (and backup) level. I built a new job at the end of my pipeline to clean up old (and unused) tags to free up memory.
I have not looked at the GitLab source code yet, but I'm willing to contribute a PR for this.
Steps to reproduce
- Create new job in pipeline (See: https://github.com/Jack12816/plankton#gitlab-ci)
- Run the job (See output: https://github.com/Jack12816/plankton/issues/1#issue-260113071)
- Job fails
Example Project
See: https://github.com/Jack12816/plankton#gitlab-ci
What is the current bug behavior?
The CI_JOB_TOKEN is not permitted to perform deletion requests on the connected Docker Registry.
What is the expected correct behavior?
The CI_JOB_TOKEN is permitted to perform deletion requests on the connected Docker Registry.
Relevant logs and/or screenshots
$ plankton cleanup --keep 1 --no-confirm fancy/app
Tags to keep: 1 (377.26 MiB)
Image tag Created at Size
6af2cdb9de85733d8169f84f68020e472bfed9d5 2017-09-24T20:13:44+00:00 377.26 MiB
Tags to delete: 5 (1.64 GiB)
Image tag Created at Size
542f39e834da997f7c5a67123edb116e737729c2 2017-09-24T19:58:43+00:00 377.57 MiB
361ea2a2a69a701e406f912ea3d3923b07bf76bd 2017-09-24T19:35:30+00:00 377.56 MiB
fe6ea4720f41e1970641bc7d79f12ef640cdcdd6 2017-09-24T19:22:38+00:00 377.55 MiB
1f4c65c0b5025da0927fbee7bca09b67cf5c13b2 2017-09-24T16:36:00+00:00 273.27 MiB
e0e19e81f15d03775e1b01bdd1eb753a275d386e 2017-09-24T16:32:56+00:00 273.27 MiB
bundler: failed to load command: exe/plankton (exe/plankton)
DockerRegistry2::RegistryAuthenticationException: DockerRegistry2::RegistryAuthenticationException
/usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:179:in `rescue in do_bearer_req'
/usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:169:in `do_bearer_req'
/app/lib/plankton/monkey_patches.rb:50:in `do_bearer_req'
/usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:141:in `rescue in doreq'
/usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:125:in `doreq'
/app/lib/plankton/monkey_patches.rb:63:in `rescue in doreq'
/app/lib/plankton/monkey_patches.rb:58:in `doreq'
/usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:24:in `dodelete'
/usr/lib/ruby/gems/2.4.0/gems/docker_registry2-1.0.0/lib/registry/registry.rb:82:in `rmtag'
/app/lib/plankton/monkey_patches.rb:130:in `rmtag'
/app/lib/plankton/commands/cleanup.rb:47:in `block in cleanup'
/app/lib/plankton/commands/cleanup.rb:46:in `each'
/app/lib/plankton/commands/cleanup.rb:46:in `cleanup'
/usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
/usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
/usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
/usr/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
exe/plankton:70:in `<top (required)>'
The latest bundler is 1.16.0.pre.2, but you are currently running 1.15.0.
To update, run `gem install bundler --pre`
ERROR: Job failed: exit code 1
Possible fixes
Until this is fixed, you could use a temporary workaround: https://github.com/Jack12816/plankton/issues/1#issuecomment-333797086
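To confirm from inside a job which registry actions a bearer token actually carries, the token payload can be decoded and its `access` claim inspected. The following is an added example, not code from the issue, plankton or GitLab; it assumes the Docker Registry v2 token format (a JWT whose `access` claim lists `type`, `name` and `actions`), and the sample tokens and helper names are constructed for illustration.

```ruby
require 'base64'
require 'json'

# Decode the payload of a registry bearer token WITHOUT verifying it.
# Diagnostic use only: signature validation is the registry's job.
def token_claims(jwt)
  parts = jwt.to_s.split('.')
  raise ArgumentError, 'not a JWT (expected 3 dot-separated parts)' unless parts.size == 3

  segment = parts[1]
  segment += '=' * ((4 - segment.size % 4) % 4) # restore stripped base64 padding
  JSON.parse(Base64.urlsafe_decode64(segment))
end

# Actions granted for one repository according to the "access" claim.
def granted_actions(claims, repository)
  Array(claims['access'])
    .select { |entry| entry['type'] == 'repository' && entry['name'] == repository }
    .flat_map { |entry| Array(entry['actions']) }
    .uniq
end

# Assumption: a DELETE request is authorized by "delete" or the wildcard "*".
def can_delete?(claims, repository)
  (granted_actions(claims, repository) & %w[delete *]).any?
end

# Constructed sample token (unsigned placeholder signature), for offline runs.
def sample_token(actions, repository = 'fancy/app')
  header  = { 'alg' => 'none', 'typ' => 'JWT' }
  payload = { 'access' => [{ 'type' => 'repository', 'name' => repository,
                             'actions' => actions }] }
  encoded = [header, payload].map do |part|
    Base64.urlsafe_encode64(JSON.generate(part), padding: false)
  end
  "#{encoded.join('.')}.constructed-signature"
end

if __FILE__ == $PROGRAM_NAME
  { 'job-like token (pull, push)' => %w[pull push],
    'user-like token (*)'         => %w[*] }.each do |label, actions|
    claims = token_claims(sample_token(actions))
    puts "#{label}: actions=#{granted_actions(claims, 'fancy/app').inspect} " \
         "delete allowed=#{can_delete?(claims, 'fancy/app')}"
  end
end
```

A token whose `access` entry lists only `pull` and `push` matches the behaviour reported above: listing and pushing succeed, and the tag deletion is rejected with an authentication error.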