apptainer/singularity multi-stage build with different registries


I'm building an apptainer/singularity multi-stage recipe in a GitLab CI environment. The first stage of the recipe is built from an image hosted in a private registry, whereas the second is built from an image hosted on dockerhub. Something like this:

# First stage
BootStrap: docker
Registry: <my_private_registry>
From: <my_image>
Stage: base
%files
    ...
%post
    ...

# Second stage
BootStrap: docker
Registry: index.docker.io
From: continuumio/miniconda3
Stage: final

%files from base
    ...
%post
    ...

Since the first registry is private, in the GitLab CI instance I'm setting the variables APPTAINER_DOCKER_USERNAME and APPTAINER_DOCKER_PASSWORD, as suggested here for CI/CD workflow. This allows the first stage of the recipe to build successfully.

Unfortunately, when the build of the second stage starts, it fails with:

> FATAL:   While performing build: conveyor failed to get: unable to retrieve auth token: invalid username/password: unauthorized: incorrect username or password

I think this is because the credentials for my private registry are passed to dockerhub in the second stage.

How can I login to different registries in multi-stage builds?

Any idea about how to deal with this problem?

Best answer

I found a way to accomplish what I wanted. The fact was that environment variables override other login modes.

So I deleted the APPTAINER_DOCKER_USERNAME and APPTAINER_DOCKER_PASSWORD environment variables and, using this method, I added the following before_script field to my .gitlab-ci.yaml:

apptainer:
  stage: deploy
  image:
    name: kaczmarj/apptainer:1.1.3
    entrypoint: [""]
  tags:
  - privileged
  before_script:
    - echo "$DOCKER_REGISTRY_TOKEN" | apptainer remote login --username <my_username> --password-stdin docker://$CI_REGISTRY

This way, both the private registry (stored in $CI_REGISTRY) and the public one (dockerhub) are available.
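
A pre-build check for the situation described in this thread, written as an added example (it is not code from the post or from the Apptainer project): it reads the stage headers of a definition file and reports when the global APPTAINER_DOCKER_USERNAME / APPTAINER_DOCKER_PASSWORD variables are set while the stages reference more than one registry. Assumptions: registry.example.com, team/base-image, the stageN fallback name and the function names are constructed, and a registry embedded in From: is detected with a simple heuristic.

```python
import re

DEFAULT_REGISTRY = "index.docker.io"
GLOBAL_CRED_VARS = ("APPTAINER_DOCKER_USERNAME", "APPTAINER_DOCKER_PASSWORD")
HEADER = re.compile(r"^\s*(bootstrap|registry|from|stage)\s*:\s*(\S.*?)\s*$", re.I)

# Constructed sample: registry.example.com and team/base-image are placeholders.
SAMPLE_DEF = """\
Bootstrap: docker
Registry: registry.example.com
From: team/base-image
Stage: base
Bootstrap: docker
Registry: index.docker.io
From: continuumio/miniconda3
Stage: final
%files from base
"""

def stage_registries(definition):
    """Map each docker stage to its registry host (unnamed stages become stageN)."""
    stages, current = [], None
    for line in definition.splitlines():
        if line.lstrip().startswith("%"):   # first section closes the stage header
            current = None
        elif (m := HEADER.match(line)):
            key, value = m.group(1).lower(), m.group(2)
            if key == "bootstrap":          # every stage header opens with Bootstrap:
                current = {"bootstrap": value.lower()}
                stages.append(current)
            elif current is not None:
                current[key] = value
    result = {}
    for i, s in enumerate(stages):
        if s["bootstrap"] != "docker":
            continue
        # Heuristic: a first path component containing '.' or ':' is a registry host.
        host = re.match(r"([^/]*[.:][^/]*)/", s.get("from", ""))
        embedded = host.group(1) if host else DEFAULT_REGISTRY
        result[s.get("stage", f"stage{i}")] = s.get("registry") or embedded
    return result

def check_global_credentials(definition, env):
    """Warn when one global credential pair would be offered to several registries."""
    registries = sorted(set(stage_registries(definition).values()))
    present = [v for v in GLOBAL_CRED_VARS if env.get(v)]
    if present and len(registries) > 1:
        return [f"{' and '.join(present)} set, but stages pull from: {', '.join(registries)}"]
    return []
```

In a pipeline, call `check_global_credentials(open(path).read(), os.environ)` before `apptainer build` and fail the job on a non-empty result, then switch to a per-registry `apptainer remote login` as in the answer.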