I have store docker token in aws secrets manager and i am trying to fetch it from buildspec.yml file but i am getting this error.
Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password
The token is correct but i think, i am not using the correct approach to fetch the token.
version: 0.2
env:
secrets-manager:
DOCKER_TOKEN: dockertoken
phases:
pre_build:
commands:
- echo Logging in to Docker Hub
- echo $DOCKER_TOKEN | docker login -u dockeraccount --password-stdin
Related
Trying to upload compose.yml to aws with docker-compose [ecs context];
Have my private repositories in https://hub.docker.com/.
Created ecs context, started to use it (docker context use)
Executed docker login -> login succeeded
Executed docker compose up
It fails and returns the error
ServerService TaskFailedToStart: CannotPullContainerError: inspect image has been retried 1 time(s): failed to resolve ref "docker.io/myrepo/server:latest": pull access denied, the repository does not exist or may require authorization: server message: insufficient_scope: authorization...'
How should I get access to this 'docker ecs compose' tool? Is it related somehow to aws credentials?
You want to use the x-aws-pull_credentials key, which points to a secretsmanager ARN, as described here: https://docs.docker.com/cloud/ecs-integration/#private-docker-images
Create a secret using docker secret:
echo '{"username":"joe","password":"hunter2"}' | docker secret create myToken -
arn:aws:secretsmanager:eu-west-3:12345:secret:myToken
In your compose file:
services:
worker:
image: mycompany/privateimage
x-aws-pull_credentials: "arn:aws:secretsmanager:eu-west-3:12345:secret:myToken"
I have a simple docker-compose file like the following:
version: "3.7"
services:
mongo:
image: asia.gcr.io/myproj/mymongo:latest
hostname: mongo
volumes:
- type: bind
source: $MONGO_DB_DATA
target: /data/db
command: [ "--bind_ip_all", "--replSet", "rs0", "--wiredTigerCacheSizeGB", "1.5"]
I am launching it in Kubernetes using the following command
docker-compose config | docker stack deploy --orchestrator kubernetes --compose-file - mystack
However, when the pod fails with this error
Failed to pull image "asia.gcr.io/myproj/mymongo:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
My private registry is the gcloud one. I have already logged in docker like the following using the service account keyfile.
docker login -u _json_key -p "$(cat keyfile.json)" https://asia.gcr.io
The image is pulled correctly when I run
docker-compose pull
From this link https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/, I found that I need to create ImagePullSecrets
I have two questions.
How can I write the ImagePullSecrets syntax in my docker-compose so that it is referred correctly.
The method that the links mentions asks you to use .docker/config.json file. However, my config.json has
"auths": {
"asia.gcr.io": {},
},
It doesn't include the username and password since I configured it using the keyfile. How can I do this?
Or is there any simpler way to do this?
I solved this issue by first creating a secret like this
kubectl create secret docker-registry regcred --docker-server https://<docker registry> --docker-username _json_key --docker-password <json key> --docker-email=<email>
and then adding it to the default service account
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
I am having issues while I am pushing my docker image to my private GCP registry.
I created a new Service account with Owner role from Google Cloud Platform. Then I created a service key and copied the content of the json file (that I downloaded from the Service Account) in the $GCP_SERVICE_KEY variable in Gitlab CI/CD Variables.
This my .gitlab-ci.yaml file:
image: python:3.6
stages:
- push
before_script:
- mkdir -p $HOME/.docker
- echo "$GCP_SERVICE_KEY" >> "$HOME/.docker/config.json"
dockerpush:
stage: push
image: docker:stable
services:
- docker:dind
script:
- docker build --build-arg MONGODB_URI=$MONGODB_URI -t my_image_name .
- docker login -u _json_key --password-stdin https://gcr.io < $HOME/.docker/config.json
- docker tag my_image_name eu.gcr.io/my_project_id/my_image_name
- docker push eu.gcr.io/my_project_id/my_image_name
When I check the console logs, I see "Login succeeded". But I cannot push to my GCP registry. I checked the Project ID, Roles of my user, everything seems okay. But why do I still see the "unauthorized "error?
$ docker login -u _json_key -p "$GCP_SERVICE_KEY" https://gcr.io
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker tag my_image_name eu.gcr.io/my_project_id/my_image_name
$ docker push eu.gcr.io/my_project_id/my_image_name
The push refers to repository
Preparing
Preparing
unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials.
To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
You're logging in to https://gcr.io, but pushing to https://eu.gcr.io
Update your docker login command to https://eu.gcr.io
From my local PC, I can login fine into the Repo, but when I try to log in from within the CI in gitlab, it always fails with the message denied: access forbidden.
This is the output from the CI:
-----
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gitlab.domain.nl:5002/v2/: denied: access forbidden
----
This is my project file:
# Official docker image.
image: docker:latest
services:
- docker:dind
build-master:
stage: build
script:
- docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN gitlab.domain.nl:5002
only:
- master
If your GitLab instance is up to date, you should use the CI_REGISTRY_* variables for all parts of the docker login ….
docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
See GitLab CI/CD Variables for details.
Ideally the answer is the same as mentioned above
docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
But i have encountered the issue from docker registry side. Make sure your registry is configured with valid ssl certificate. https://docs.docker.com/registry/deploying/#get-a-certificate.
Check with
curl https://<$CI_REGISTRY>/v2/
Which should return
{}
And you should also need to add this variable in Project settings.
DOCKER_AUTH_CONFIG : <paste the contents of ~/.docker/config.json>
I think this should solve the issue.
I have a docker registry setup on my gitlab server. Here is my .gitlab-ci.yml file:
image: docker:18.05.0-ce
services:
- docker:dind
stages:
- build
- test
- release
variables:
TEST_IMAGE: http://my.gitlab.ip:4444/path/to/project:$CI_COMMIT_REF_NAME
RELEASE_IMAGE: http://my.gitlab.ip:4444/path/to/project:latest
before_script:
- docker login -u $USERNAME -p $PASSWORD http://my.gitlab.ip:4444
build:
stage: build
script:
- docker build --pull -t $TEST_IMAGE .
- docker push $TEST_IMAGE
# ...
# more commands
I am using a secret variable for my username and password. When I push code and the runner runs through this file, I get the following error:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://my.gitlab.ip:4444/v2/: http: server gave HTTP response to HTTPS client
So I tried using --password-stdin instead like this:
docker login -u $USERNAME --password-stdin $PASSWORD http://my.gitlab.ip:4444
And I get this error:
"docker login" requires at most 1 argument.
See 'docker login --help'.
Usage: docker login [OPTIONS] [SERVER] [flags]
Edit:
I have also tried this for my docker login command:
docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
and received this error:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://my.gitlab.ip:4444/v2/: http: server gave HTTP response to HTTPS client
I have made the following changes on my gitlab server:
In /etc/default/docker:
DOCKER_OPTS="--insecure-registry http://my.gitlab.ip:4444"
In /etc/docker/daemon.json:
{
"insecure-registries" : ["http://my.gitlab.ip:4444"]
}
I have also done the same on my gitlab runner (different server).
Why is it showing that I'm using https in the error and how do I change it to http?
I'm not sure when you set this up, but there is an updated permission model after GitLab 8.12 when using GitLab runners and logging into the GitLab Container registry.
As per the docs, you can do:
before_script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
Not sure if you already resolved your issue, but while searching for the difference of the login options (and best practises) I noticed your error is actually not even about that, is it?
The error we see is the following:
Error response from daemon: Get https://my.gitlab.ip:4444/v2/: http: server gave HTTP response to HTTPS client
but in your .gitlab-ci.yml file you list https://my.gitlab.ip:4444/v2/ as your URL. While this doesn't have to be related, it seems to me that ssl is missing somewhere, e.g. http vs https.
According to gitlab docs --password-stdin is a flag not a command line variable. In the example provided the password was being read from a file not directly through command line.