
How to safely login to private docker registry in gitlab?

I know there are secret variables and I tried passing the secret to a bash script. When used in a bash script that has #!/bin/bash -x, the password can be seen in clear text when using the docker login command like this:

docker login "$USERNAME" "$PASSWORD" $CONTAINERREGISTRY

Is there a way to safely login to a container registry in gitlab-ci?

You can use before_script at the beginning of the gitlab-ci.yml file or inside each job if you need several authentications:

before_script:
  # The password is piped over stdin, so it never appears in the process argument list.
  # Without a server argument, docker login targets Docker Hub.
  - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin

Where $CI_REGISTRY_USER and $CI_REGISTRY_PASSWORD would be secret variables.

And after each script or at the beginning of the whole file:

after_script:
  - docker logout   # drop the stored credential once the job is done

I wrote an answer about using Gitlab CI and Docker to build docker images : https://stackoverflow.com/a/50684269/8247069
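The following script is an added example, not part of the answer above or of GitLab's own material. It checks the exact failure mode the question describes: what set -x (the #!/bin/bash -x from the question) prints for three forms of docker login. The docker command is stubbed locally so the script runs offline, and the registry, user and password values are constructed. --password-stdin keeps the secret out of argv, so ps and /proc/PID/cmdline cannot see it and the client stops warning, but xtrace still prints the expanded echo; in a script run with -x the password only stays out of the log if tracing is switched off around that line.

```shell
#!/bin/sh
# Added example (not from the original question or answers): what "set -x"
# leaks for three docker-login forms. "docker" is a local stub so the script
# runs offline; the three values below are constructed, not real credentials.
CI_REGISTRY="registry.example.invalid"
CI_REGISTRY_USER="ci-bot"
CI_REGISTRY_PASSWORD="s3cr3t-hunter2"

# Stub standing in for the docker CLI: drains stdin when --password-stdin is
# given (as the real client would) and never prints the secret.
docker() {
  case " $* " in
    *" --password-stdin "*) IFS= read -r _pw ;;
  esac
  return 0
}

# Run one login variant under xtrace in a subshell and emit only the trace
# (xtrace goes to stderr; the command's stdout is discarded).
login_trace() {
  case "$1" in
    argv)   # password on the command line: in the trace AND visible to ps
      ( set -x
        docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
      ) 2>&1 >/dev/null ;;
    stdin)  # --password-stdin keeps it out of argv, but xtrace prints the echo
      ( set -x
        echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
      ) 2>&1 >/dev/null ;;
    stdin_untraced)  # same, with tracing switched off around the secret
      ( set -x
        set +x
        echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
        set -x
      ) 2>&1 >/dev/null ;;
    *) echo "unknown variant: $1" >&2; return 2 ;;
  esac
}

# Exit 0 if the literal secret shows up anywhere in the trace of variant $1.
leaks_secret() {
  login_trace "$1" | grep -qF -- "$CI_REGISTRY_PASSWORD"
}

# One line per variant; a lint job could fail on any "LEAKS" line.
report() {
  for v in argv stdin stdin_untraced; do
    if leaks_secret "$v"; then echo "$v: LEAKS"; else echo "$v: clean"; fi
  done
}

report
```

The argv and stdin variants both leak under xtrace; only the untraced one keeps the value out of the log. Marking the variable as Masked in GitLab's CI/CD settings is a separate layer, applied by the runner to the job log, and does not change what the shell itself writes to stderr.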

GitLab provides an array of environment variables when running a job. You'll want to become familiar with them and use them while developing (running test builds and such) so that you won't need to do anything except set the CI/CD variables in GitLab accordingly (like ENV), and GitLab will provide most of what you'd want. See GitLab Environment variables.

Just a minor tweak on what has been suggested previously (combining the GitLab suggested with this one.)

For more information on where/how to use before_script and after_script, see .gitlab-ci.yml Configuration parameters. I tend to put my login command as one of the last in my main before_script (not in the stages) and my logout in a final "after_script".

before_script:
  - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin;

Then further down your .gitlab-ci.yml...

after_script:
  - docker logout;

For my local development, I create a .env file that follows a common convention; then the following bash snippet will check if the file exists and import the values into your shell. To make my project secure AND friendly, .env is ignored, but I maintain a .env.sample with safe example values and I DO include that.

if [ -f .env ]; then printf "\n\n::Sourcing .env\n" && set -o allexport; source .env; set +o allexport; fi

Here's a mostly complete example:

image: docker:19.03.9-dind   # the job image only needs the docker client; the dind image ships one

stages:
  - buildAndPublish

variables:
  DOCKER_TLS_CERTDIR: "/certs"   # lets the dind service generate TLS certs the client picks up
  DOCKER_DRIVER: overlay2

services:
  - docker:19.03.9-dind

before_script:
  # Values are passed as printf arguments, not in the format string, so a
  # commit message containing '%' cannot break printf.
  - printf "::GitLab %s stage starting for %s\n" "${CI_JOB_STAGE}" "${CI_PROJECT_URL}";
  - printf "::JobUrl=%s\n" "${CI_JOB_URL}";
  - printf "::CommitRef=%s\n" "${CI_COMMIT_REF_NAME}";
  - printf "::CommitMessage=%s\n\n" "${CI_COMMIT_MESSAGE}";
  - printf "::PWD=%s\n\n" "${PWD}";
  # Password goes over stdin, never on the command line. CI_REGISTRY,
  # CI_REGISTRY_USER and CI_REGISTRY_PASSWORD are predefined by GitLab when
  # the project's container registry is enabled.
  - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin;

build-and-publish:
  stage: buildAndPublish
  script:
    # The placeholders buildImage/publishImage stood for these two commands;
    # CI_REGISTRY_IMAGE is the project's registry path, also predefined by GitLab.
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .;
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA";
  rules:
    - if: '$CI_COMMIT_REF_NAME == "master"' # Run for master, but not otherwise
      when: always
    - when: never

after_script:
  # Log out of the same registry that was logged into above.
  - docker logout "$CI_REGISTRY";
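A caveat on the .env snippet in the answer above, with an added example that is not part of the answer: "source .env" executes the file as shell code, so anything that ends up in it (a $(...) substitution, a stray command line) runs with your registry credentials in scope. The loader below was written for this page and uses a constructed sample .env; it accepts only KEY=VALUE lines, assigns the value literally without evaluating it, and stops at the first line that is anything else. The hostile sample file shows the difference: its command substitutions are kept as plain text and never run.

```shell
#!/bin/sh
# Added example (not from the original answer): a .env loader that never
# executes the file. Sample .env contents below are constructed.

# Usage: load_env [path]   (default ./.env). Returns 1 at the first line that
# is not a comment, blank, or KEY=VALUE; a missing file is not an error.
load_env() {
  file="${1:-.env}"
  [ -f "$file" ] || return 0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      ''|'#'*) continue ;;                # blank line or comment
    esac
    line="${line#export }"               # tolerate the "export KEY=VAL" style
    if [ "$line" = "${line#*=}" ]; then  # no '=' anywhere: not an assignment
      echo "$file:$lineno: not a KEY=VALUE line, refusing" >&2
      return 1
    fi
    key="${line%%=*}"
    val="${line#*=}"
    case "$key" in                       # name must be a valid identifier
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "$file:$lineno: invalid variable name '$key'" >&2
        return 1 ;;
    esac
    case "$val" in                       # strip one layer of matching quotes
      \"*\"|\'*\') val="${val#?}"; val="${val%?}" ;;
    esac
    export "$key=$val"                   # literal assignment: no expansion, nothing executed
  done < "$file"
}

# Write two constructed sample files into a temp dir and print its path:
# a benign .env and a hostile one carrying command substitutions.
make_sample_env() {
  dir=$(mktemp -d)
  cat > "$dir/.env" <<EOF
# local registry settings (constructed sample)
CI_REGISTRY=registry.example.invalid
CI_REGISTRY_USER=ci-bot
export CI_REGISTRY_PASSWORD='p@ss word'
EOF
  cat > "$dir/.env.hostile" <<EOF
CI_REGISTRY_USER=ci-bot
INJECTED=\$(touch $dir/pwned)
\$(touch $dir/pwned2)
EOF
  echo "$dir"
}

demo() {
  dir=$(make_sample_env)
  if load_env "$dir/.env"; then
    echo "loaded: CI_REGISTRY_USER=$CI_REGISTRY_USER, password length ${#CI_REGISTRY_PASSWORD}"
  fi
  if load_env "$dir/.env.hostile"; then
    echo "hostile file accepted (unexpected)"
  else
    echo "hostile file rejected at its bare command line"
  fi
  if [ -e "$dir/pwned" ] || [ -e "$dir/pwned2" ]; then
    echo "a command from the file ran (unexpected)"
  else
    echo "nothing was executed; INJECTED holds the literal text: $INJECTED"
  fi
  rm -rf "$dir"
}

demo
```

Because values are assigned through export "$key=$val", the shell never re-parses them, so a password containing $ or backticks is stored as typed. The set -o allexport / source pair from the answer is replaced entirely; nothing in the file is ever evaluated.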

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 