Docker-in-Docker Registry authentication from Gitlab CI

Question

I am using docker-in-docker to pull images from a registry in a Gitlab CI pipeline. This works fine if I use the docker image as shown in the config below:

working-job:
  image: docker:24.0.5 
  services:
    - name: docker:24.0.5-dind
  variables:
    DOCKER_HOST: tcp://docker:2376/
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

However, I need to use another image in the job (to run some further commands). The image also has docker installed. I added the DOCKER_HOST to point to the correct socket:

failing-job:
  image: my_custom_image
  services:
    - name: docker:24.0.5-dind
  variables:
    DOCKER_HOST: tcp://docker:2376/
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

I get the following error message: Error response from daemon: Client sent an HTTP request to an HTTPS server.

Is there another environment variable that is automatically set in the docker image, that I miss on my custom image?

Answer 1

I have found the difference in the environment variables by using printenv in the different containers.

The DOCKER_TLS_VERIFY variable is set to true in the docker image and was missing from my image. Also the certificate in the DOCKER_CERT_PATH was not set correctly.

The working setup for the CI job with a custom image is:

job:
  image: my_custom_image
  services:
    - name: docker:24.0.5-dind
  variables:
    DOCKER_HOST: tcp://docker:2376/
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: "/certs/client"
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY