Perhaps there's a caching problem as apt-get update works locally and Docker doesn't pull newer images unless necessary. You can use the digest of your apache/airflow:slim-2.11.2-python3.10 to ensure both computers have the same version. It's surprising that your sudo apt-get update works because I get "sudo: a terminal is required to read the password" on the latest version. You can use the Dockerfile command USER to switch to root and back:
FROM apache/airflow@sha256:32ef1c1927c47e55fd05f65e7da7b60ff7c431d0cca5c27972c7f436fff9cb56
USER root
# Debug 1
RUN sha256sum /etc/apt/sources.list.d/debian.sources /usr/share/keyrings/debian-archive-keyring.gpg
# You should see:
# fba4b66c95952e28af3fda06211991a51dc83d5448c2a4d262ec736b12323edb /etc/apt/sources.list.d/debian.sources
# 506b815cbb32d9b6066b4a2aa524071e071761e7e7f68c3ac74f3061ba852017 /usr/share/keyrings/debian-archive-keyring.gpg
# Debug 2
RUN curl http://deb.debian.org/debian/dists/bookworm/InRelease
# Then check that the PGP SIGNATURE section printed in the GitLab Runner
# is the same as the one you see in a broswser
RUN apt-get update && \
apt-get install -y neofetch # example
USER airflow
The other possibility is that your GitLab Runner has the wrong configuration. Let's print the Dockerfile using cat. Your entire .gitlab-ci.yml should look like:
# Replace this first half with no-tls-docker-runner is you're using that
default:
image: docker:24.0.5-cli
services:
- docker:24.0.5-dind
before_script:
- docker info
variables:
DOCKER_TLS_CERTDIR: "/certs"
build:
stage: build
tags:
- tls-docker-runner
script:
- cat Dockerfile
- docker build --no-cache --progress=plain -t my-docker-image .
- docker run --rm -iti my-docker-image bash -c neofetch
# Then verify the printed Dockerfile contents are exactly what you saved