Docker Watchtower cannot pull new image from AWS ECR - docker

I've installed Watchtower and followed the docs for setting up private registry auth with credential helpers. In debug mode, I see it logging a message that the auth value was obtained, but then it fails to pull the image with "no basic auth credentials." Inspecting the auth value, it's just the host name from my config, with no credential. I verified that on the host system (Raspbian) I'm able to pull the new version using the same docker config, without any custom auth; everything works out of the box, using the same binary.
Here's my docker config:
{
  "auths": {
    "0000000000.dkr.ecr.us-east-1.amazonaws.com": {}
  },
  "credHelpers": {
    "0000000000.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"
  }
}
Here's my docker compose:
version: "3"
services:
  cavo:
    image: 0000000000.dkr.ecr.us-east-1.amazonaws.com/test:1
    ports:
      - "8080:80"
    restart: always
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /root/.docker/config.json:/config.json
      - /usr/bin/docker-credential-ecr-login:/bin/docker-credential-ecr-login
    environment:
      - AWS_REGION=us-east-1
      - AWS_ACCESS_KEY_ID=AAAAAAAAAAAAA
      - AWS_SECRET_ACCESS_KEY=aaaaaaaaaaaaaaa
    command: --debug --interval 30
    restart: always
And when watchtower attempts to check for a new image, here is the log:
watchtower_1 | time="2019-12-25T22:49:34Z" level=debug msg="Pulling 0000000000.dkr.ecr.us-east-1.amazonaws.com/test:1 for /root_test_1"
watchtower_1 | time="2019-12-25T22:49:34Z" level=debug msg="Loaded auth credentials { 0000000000.dkr.ecr.us-east-1.amazonaws.com } from /config.json"
watchtower_1 | time="2019-12-25T22:49:34Z" level=debug msg="Got auth value: eyJzZXJ2ZXJhZGRyZXNzIjoiMDAwMDAwMDAwMC5ka3IuZWNyLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tIn0="
watchtower_1 | time="2019-12-25T22:49:34Z" level=debug msg="Got image name: 0000000000.dkr.ecr.us-east-1.amazonaws.com/test:1"
watchtower_1 | time="2019-12-25T22:49:35Z" level=debug msg="Error pulling image 0000000000.dkr.ecr.us-east-1.amazonaws.com/sump-pump-v2:1, Error response from daemon: Get https://0000000000.dkr.ecr.us-east-1.amazonaws.com/v2/test/manifests/1: no basic auth credentials"
watchtower_1 | time="2019-12-25T22:49:35Z" level=info msg="Unable to update container /root_test_1. Proceeding to next."
watchtower_1 | time="2019-12-25T22:49:35Z" level=debug msg="Error response from daemon: Get https://0000000000.dkr.ecr.us-east-1.amazonaws.com/v2/test/manifests/1: no basic auth credentials"
Unpacking the auth value, it just has the hostname. No repository credential.
I was trying to follow "Credential helpers" documentation, but I'm not sure I understand where the aforementioned Dockerfile belongs.
Any pointers in the right direction would be appreciated. Thanks!

Try the following:
Create a docker volume named helper:
docker volume create helper
Build the image from the Dockerfile in the docs:
docker build -t aws-ecr-dock-cred-helper .
Run the container:
docker run -d --rm --name aws-cred-helper --volume helper:/go/bin aws-ecr-dock-cred-helper
The container will start, mount the helper volume at /go/bin (where the docker-credential-ecr-login binary is), and then stop.
You can check the content of the helper volume with
docker run --rm -it -v helper:/go/bin alpine
then do
ls /go/bin
and you should see the docker-credential-ecr-login binary.
I didn't use docker compose, but you have to mount the helper volume into the watchtower container on /go/bin and, for some reason, extend your $PATH with /go/bin, like in the docs:
environment:
  - HOME=/
  - PATH=$PATH:/go/bin

Docker Compose - give access to docker.sock before running (Telegraf)

UPDATE:
I've tried implementing the accepted answer from here (Telegraf can not connect to Docker sock) like this in my docker compose file:
telegraf3:
  image: telegraf
  user: telegraf:$$(stat -c '%g' /var/run/docker.sock)
  volumes:
    - ./telegraf/telegraf3.conf:/etc/telegraf/telegraf.conf
    - /var/run/docker.sock:/var/run/docker.sock
I am getting this error:
Error response from daemon: unable to find group $(stat -c '%g' /var/run/docker.sock): no matching entries in group file
How can I fix this issue? :)
Background:
I'm trying to run Telegraf (https://github.com/influxdata/telegraf) with the docker input. I'm running Telegraf via Docker Compose, and I've configured it roughly like this:
telegraf3:
  image: telegraf
  volumes:
    - ./telegraf/telegraf3.conf:/etc/telegraf/telegraf.conf
    - /var/run/docker.sock:/var/run/docker.sock:rw
  env_file:
    - ./telegraf/telegraf.env
  depends_on:
    - influxdb
The telegraf configuration uses a docker input plugin to interact with the docker.sock. It doesn't work; I get a permission related error:
test-grafana-telegraf3-1 | 2022-12-29T12:09:10Z E! [inputs.docker] Error in plugin: Got permission denied while trying to connect to the Docker daemon socket at unix:///docker.sock: Get "http://%2Fdocker.sock/v1.24/info": dial unix /docker.sock: connect: permission denied
Basically, the entrypoint.sh script runs telegraf (the application) as the telegraf user, which can't access the docker.sock.
There's a fix for this issue described here: Telegraf can not connect to Docker sock
Issue
As I am using docker compose, I would like this fix to be defined in the compose file, and not be dependent on me starting the container with docker run.
I've tried this:
telegraf3:
  image: telegraf
  volumes:
    - ./telegraf/telegraf3.conf:/etc/telegraf/telegraf.conf
    - /var/run/docker.sock:/var/run/docker.sock:rw
  env_file:
    - ./telegraf/telegraf.env
  depends_on:
    - influxdb
  command: ["bash -c -u telegraf $$(stat -c '%g' /var/run/docker.sock)", "/entrypoint.sh"]
But then I get this error:
test-grafana-telegraf3-1 | setpriv: failed to execute bash -c -u telegraf $(stat -c '%g' /var/run/docker.sock): No such file or directory
test-grafana-telegraf3-1 exited with code 127
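The "permission denied" above is an ordinary file-permission check on the socket inode: connect() on a unix socket needs write permission, and the telegraf user is neither root nor a member of the group that owns /var/run/docker.sock. The following is an added example (not part of the question or of the Telegraf image) that reproduces that check offline and derives the numeric `user:` value the linked fix relies on. The socket mode 0660 with owner root and gid 999, and the telegraf uid/gid of 1000, are constructed sample values; on a real host they come from `socket_info("/var/run/docker.sock")` and the container's /etc/passwd.

```python
import os
import stat
from typing import Iterable, NamedTuple


class SocketInfo(NamedTuple):
    mode: int   # permission bits, e.g. 0o660
    uid: int    # owning uid (normally 0 for the daemon socket)
    gid: int    # owning gid (the host's "docker" group)


def socket_info(path: str) -> SocketInfo:
    """Read mode and ownership of a real socket on the host (not used in the offline sample)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a unix socket")
    return SocketInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def can_connect(sock: SocketInfo, uid: int, gid: int, groups: Iterable[int] = ()) -> bool:
    """Linux grants connect() on a unix socket to processes with write permission on the inode.
    root bypasses the check (CAP_DAC_OVERRIDE); everyone else is classed as owner, group or other."""
    if uid == 0:
        return True
    if uid == sock.uid:
        return bool(sock.mode & stat.S_IWUSR)
    if gid == sock.gid or sock.gid in set(groups):
        return bool(sock.mode & stat.S_IWGRP)
    return bool(sock.mode & stat.S_IWOTH)


def compose_user(sock: SocketInfo, user: str = "telegraf") -> str:
    """The 'user:' value the linked fix passes: service user plus the socket's numeric gid,
    so the container process joins the socket's group without a matching /etc/group entry."""
    return f"{user}:{sock.gid}"


# Constructed sample values (assumptions, not read from a real host).
HOST_SOCKET = SocketInfo(mode=0o660, uid=0, gid=999)
TELEGRAF_UID, TELEGRAF_GID = 1000, 1000

if __name__ == "__main__":
    print(can_connect(HOST_SOCKET, TELEGRAF_UID, TELEGRAF_GID))    # False: the error in the question
    print(can_connect(HOST_SOCKET, TELEGRAF_UID, HOST_SOCKET.gid))  # True once the gid matches
    print(compose_user(HOST_SOCKET))                                # telegraf:999
```

Whatever identity can write that socket can drive the daemon, so the gid you grant this way is effectively root on the host; grant it to the one service that needs the socket rather than loosening the socket's mode.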

Could not resolve host when trying to access service in gitlab

I'm trying to access a gitlab-service from a container started with docker run, but it doesn't seem to work.
They actually have a nice section on gitlab about this: https://docs.gitlab.com/ee/ci/services/#using-services-with-docker-run-docker-in-docker-side-by-side
However, even after a 1:1 copy of their code:
access-service:
  stage: build
  image: docker:19.03.1
  before_script:
    - echo "Overriding default before_script"
  services:
    - docker:dind # necessary for docker run
    - tutum/wordpress:latest
  variables:
    FF_NETWORK_PER_BUILD: "true" # activate container-to-container networking
  script: |
    docker run --rm --name curl \
      --volume "$(pwd)":"$(pwd)" \
      --workdir "$(pwd)" \
      --network=host \
      curlimages/curl:7.74.0 curl "http://tutum-wordpress"
I get an error:
Running with gitlab-runner 14.3.4 (77516d85)
on gitlab-aws-autoscaler 7ee750d2
feature flags: FF_NETWORK_PER_BUILD:true, FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR:true
Preparing the "docker+machine" executor 02:34
Using Docker executor with image docker:19.03.1 ...
WARNING: Container based cache volumes creation is disabled. Will not create volume for "/cache"
Starting service docker:dind ...
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image docker:dind ...
Using docker image sha256:1a42336ff683d7dadd320ea6fe9d93a5b101474346302d23f96c9b4546cb414d for docker:dind with digest docker#sha256:6f2ae4a5fd85ccf85cdd829057a34ace894d25d544e5e4d9f2e7109297fedf8d ...
Starting service tutum/wordpress:latest ...
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image tutum/wordpress:latest ...
Using docker image sha256:7e7f97a602ff0c3a30afaaac1e681c72003b4c8a76f8a90696f03e785bf36b90 for tutum/wordpress:latest with digest tutum/wordpress#sha256:2aa05fd3e8543b615fc07a628da066b48e6bf41cceeeb8f4b81e189de6eeda77 ...
Waiting for services to be up and running...
*** WARNING: Service runner-7ee750d2-project-2-concurrent-0-483783518ce3e922-docker-0 probably didn't start properly.
Health check error:
service "runner-7ee750d2-project-2-concurrent-0-483783518ce3e922-docker-0-wait-for-service" timeout
Health check container logs:
Service container logs:
2022-02-22T20:44:10.523612305Z Generating RSA private key, 4096 bit long modulus (2 primes)
2022-02-22T20:44:11.037778878Z ...................................................................................++++
2022-02-22T20:44:11.319540033Z ..................................++++
2022-02-22T20:44:11.320611978Z e is 65537 (0x010001)
2022-02-22T20:44:11.341349948Z Generating RSA private key, 4096 bit long modulus (2 primes)
2022-02-22T20:44:11.360835661Z .++++
2022-02-22T20:44:11.678902603Z ...................................................++++
2022-02-22T20:44:11.679451336Z e is 65537 (0x010001)
2022-02-22T20:44:11.719133216Z Signature ok
2022-02-22T20:44:11.719148571Z subject=CN = docker:dind server
2022-02-22T20:44:11.719151811Z Getting CA Private Key
2022-02-22T20:44:11.734914635Z /certs/server/cert.pem: OK
2022-02-22T20:44:11.738748856Z Generating RSA private key, 4096 bit long modulus (2 primes)
2022-02-22T20:44:11.993700065Z .........................................++++
2022-02-22T20:44:12.036121070Z .....++++
2022-02-22T20:44:12.036364885Z e is 65537 (0x010001)
2022-02-22T20:44:12.067743203Z Signature ok
2022-02-22T20:44:12.067755273Z subject=CN = docker:dind client
2022-02-22T20:44:12.067758449Z Getting CA Private Key
2022-02-22T20:44:12.081823033Z /certs/client/cert.pem: OK
2022-02-22T20:44:12.174949567Z time="2022-02-22T20:44:12.174783104Z" level=info msg="Starting up"
2022-02-22T20:44:12.177055953Z time="2022-02-22T20:44:12.176931675Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
2022-02-22T20:44:12.177086275Z failed to load listeners: can't create unix socket /var/run/docker.sock: device or resource busy
*********
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image docker:19.03.1 ...
Using docker image sha256:0cecfefe921f22fc898f7a0055358380c8870ab6f05b01999367911714fe9d00 for docker:19.03.1 with digest docker#sha256:2dcf87c9893b05ab815880e3d223cd6976c388a6f6697de10e90523255259ca4 ...
Not using umask - FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR is set!
...
$ docker run --rm --name curl \ # collapsed multi-line command
Unable to find image 'curlimages/curl:7.74.0' locally
7.74.0: Pulling from curlimages/curl
aad63a933944: Pulling fs layer
...
3d4876cbff99: Pull complete
110e7f874674: Pull complete
Digest: sha256:a3e534fced74aeea171c4b59082f265d66914d09a71062739e5c871ed108a46e
Status: Downloaded newer image for curlimages/curl:7.74.0
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (6) Could not resolve host: tutum-wordpress
Can anyone give me a pointer why this is not working? Does this have to do with the fact that the executor is docker+machine and not docker?
Here's our config.toml:
[[runners]]
  name = "gitlab-aws-autoscaler"
  url = "https://code.example.com"
  token = "${TOKEN}"
  executor = "docker+machine"
  limit = ${LIMIT_MEDIUM_RUNNERS}
  [runners.docker]
    image = "example/gitlabrunner:2.10"
    privileged = true
    disable_cache = true
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache", "/builds:/builds"]
    wait_for_services_timeout = 120
  [runners.cache]
    Type = "s3"
    ServerAddress = "s3.amazonaws.com"
    AccessKey = "${KEY}"
    SecretKey = "${SECRET}"
    BucketName = "example-gitlab-runner-cache-virginia"
    BucketLocation = "us-east-1"
    Shared = true
  [runners.machine]
    IdleCount = 0
    IdleTime = 1800
    MaxBuilds = 100
    MachineDriver = "amazonec2"
    MachineName = "gitlab-docker-machine-%s"
    MachineOptions = [
      "amazonec2-instance-type=t2.medium",
      "amazonec2-access-key=${KEY}",
      "amazonec2-secret-key=${SECRET}",
      "amazonec2-root-size=100", # GB
      "amazonec2-region=us-east-1",
      "amazonec2-tags=runner-manager-name,gitlab-aws-autoscaler,gitlab,true,gitlab-runner-autoscale,true",
      "amazonec2-security-group=EC2-X-ci-runner",
      "amazonec2-vpc-id=vpc-XXX",
      "amazonec2-subnet-id=subnet-XXX",
      "amazonec2-zone=b",
      "amazonec2-use-private-address=true",
      "amazonec2-private-address-only=true"
    ]
Edit:
When trying to set the DOCKER_HOST variable as suggested in one answer, I get the following errors:
Running with gitlab-runner 14.3.4 (77516d85)
on gitlab-aws-autoscaler 7ee750d2
feature flags: FF_NETWORK_PER_BUILD:true, FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR:true
Preparing the "docker+machine" executor 02:42
Using Docker executor with image docker:19.03.1 ...
WARNING: Container based cache volumes creation is disabled. Will not create volume for "/cache"
Starting service docker:dind ...
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image docker:dind ...
Using docker image sha256:1a42336ff683d7dadd320ea6fe9d93a5b101474346302d23f96c9b4546cb414d for docker:dind with digest docker#sha256:6f2ae4a5fd85ccf85cdd829057a34ace894d25d544e5e4d9f2e7109297fedf8d ...
Starting service tutum/wordpress:latest ...
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image tutum/wordpress:latest ...
Using docker image sha256:7e7f97a602ff0c3a30afaaac1e681c72003b4c8a76f8a90696f03e785bf36b90 for tutum/wordpress:latest with digest tutum/wordpress#sha256:2aa05fd3e8543b615fc07a628da066b48e6bf41cceeeb8f4b81e189de6eeda77 ...
Waiting for services to be up and running...
*** WARNING: Service runner-7ee750d2-project-2-concurrent-0-a0ec4dc562ad3891-docker-0 probably didn't start properly.
Health check error:
service "runner-7ee750d2-project-2-concurrent-0-a0ec4dc562ad3891-docker-0-wait-for-service" timeout
Health check container logs:
Service container logs:
2022-02-24T16:21:42.803216350Z time="2022-02-24T16:21:42.803077740Z" level=info msg="Starting up"
2022-02-24T16:21:42.804161387Z time="2022-02-24T16:21:42.804107933Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
2022-02-24T16:21:42.804233443Z failed to load listeners: can't create unix socket /var/run/docker.sock: device or resource busy
*********
Authenticating with credentials from $DOCKER_AUTH_CONFIG
Pulling docker image docker:19.03.1 ...
Using docker image sha256:0cecfefe921f22fc898f7a0055358380c8870ab6f05b01999367911714fe9d00 for docker:19.03.1 with digest docker#sha256:2dcf87c9893b05ab815880e3d223cd6976c388a6f6697de10e90523255259ca4 ...
The issue here is that your job is not utilizing the docker:dind service. While you have your job configured mostly correctly, your docker GitLab runner defines the following volumes configuration:
volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache", "/builds:/builds"]
When bind-mounting /var/run/docker.sock and not providing the DOCKER_HOST environment variable, your jobs will default to using the bind-mounted docker socket and connect to the daemon on the "metal" host directly, instead of connecting to the docker:dind container, which is required for this services: setup to work correctly.
You can run docker info in your job to confirm this.
You should be able to fix this by setting the DOCKER_HOST environment variable in your job (normally, this is set for you when using gitlab.com runners, which is why it is omitted in their documentation).
access-service:
  variables:
    DOCKER_HOST: "tcp://docker:2375"
    DOCKER_TLS_CERTDIR: ""
  # ...
Note: DOCKER_TLS_CERTDIR is also unset here to disable TLS to ensure port 2375 is used. Using TLS is an available option and should be considered more secure.
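To make the precedence in that answer concrete, here is an added example (not from the answer, the runner or the docker CLI) that mirrors how the client picks its endpoint and flags the combination the runner config above produces: socket bind-mounted plus no DOCKER_HOST means the job drives the host daemon and never sees the services: network. The dind port mapping (2376 with TLS when DOCKER_TLS_CERTDIR names a directory, 2375 plaintext when it is the empty string) and the "docker" service alias are assumptions stated in the comments; the runner volume list is the one from the question.

```python
from typing import Mapping, Sequence, Tuple
from urllib.parse import urlparse

DEFAULT_HOST = "unix:///var/run/docker.sock"  # docker CLI default when DOCKER_HOST is unset
SOCKET_PATH = "/var/run/docker.sock"
DIND_ALIAS = "docker"                         # assumed hostname of the docker:dind service in the job network


def resolve_docker_host(env: Mapping[str, str]) -> str:
    """Mirror the CLI: an explicit DOCKER_HOST wins, otherwise the local unix socket is used."""
    return env.get("DOCKER_HOST") or DEFAULT_HOST


def dind_endpoint(env: Mapping[str, str]) -> str:
    """Endpoint the docker:dind service exposes for the given job variables.
    Assumption: TLS on 2376 unless DOCKER_TLS_CERTDIR is explicitly empty, then plaintext on 2375."""
    tls = env.get("DOCKER_TLS_CERTDIR", "/certs") != ""
    return f"tcp://{DIND_ALIAS}:{2376 if tls else 2375}"


def socket_bind_mounted(runner_volumes: Sequence[str]) -> bool:
    """True when the runner's [runners.docker] volumes hand the host socket to every job."""
    return any(v.split(":")[0] == SOCKET_PATH for v in runner_volumes)


def job_uses_dind(env: Mapping[str, str], runner_volumes: Sequence[str]) -> Tuple[bool, str]:
    """Decide which daemon a job's docker commands will reach and explain why."""
    host = resolve_docker_host(env)
    parsed = urlparse(host)
    if parsed.scheme == "unix":
        if socket_bind_mounted(runner_volumes):
            return False, f"{host} is the bind-mounted host daemon; service containers are not on its network"
        return False, f"{host} is not mounted into the job; docker commands cannot connect at all"
    if parsed.hostname == DIND_ALIAS:
        return True, f"{host} is the docker:dind service"
    return False, f"{host} is neither the host socket nor the docker:dind service"


# Runner volumes from the question's config.toml.
RUNNER_VOLUMES = ["/var/run/docker.sock:/var/run/docker.sock", "/cache", "/builds:/builds"]

if __name__ == "__main__":
    print(job_uses_dind({}, RUNNER_VOLUMES))
    print(job_uses_dind({"DOCKER_HOST": "tcp://docker:2375", "DOCKER_TLS_CERTDIR": ""}, RUNNER_VOLUMES))
    print(dind_endpoint({"DOCKER_TLS_CERTDIR": ""}), dind_endpoint({}))
```

If you keep TLS (leave DOCKER_TLS_CERTDIR at its default), point DOCKER_HOST at the 2376 endpoint and mount the certificate directory the dind service writes, instead of clearing the variable.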

Auto pulling Docker container using Watchtower throws access denied when pulling from a private repo

I've got docker running on my DigitalOcean droplet and I'm trying to pull in images from my gitlab repository using watchtower. I'm using pass (sudo apt-get install pass) to manage the credentials, and here is my config.json file:
{
  "auths": {
    "registry.gitlab.com": {}
  },
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.6 (linux)"
  },
  "credsStore": "pass",
  "credHelpers": {
    "registry.gitlab.com": "pass"
  }
}
I'm getting the following errors when I look at watchtower logs:
watchtower | time="2020-10-16T14:24:36Z" level=debug msg="Pulling registry.gitlab.com/myuser/myrepo/image:latest for /image"
watchtower | time="2020-10-16T14:24:36Z" level=debug msg="Loaded auth credentials for user , on registry registry.gitlab.com/myuser/myrepo/image:latest, from file /config.json"
watchtower | time="2020-10-16T14:24:36Z" level=debug msg="Got image name: registry.gitlab.com/myuser/myrepo/image:latest"
watchtower | time="2020-10-16T14:24:36Z" level=debug msg="Error pulling image registry.gitlab.com/myuser/myrepo/image:latest, Error response from daemon: Get https://registry.gitlab.com/v2/myuser/myrepo/image/manifests/latest: denied: access forbidden"
This is my watchtower config for docker-compose:
watchtower:
  image: containrrr/watchtower
  container_name: watchtower
  restart: always
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - ~/.docker/config.json:/config.json
  command: --interval 30 --cleanup
Something strange I noticed in those logs is this bit: Loaded auth credentials for user ,. It's almost as if it cannot read some sort of a user.
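Both Watchtower questions on this page (the ECR one at the top and this GitLab one) show the same shape of failure: config.json delegates to a credential helper, but inside the Watchtower container that helper is either not on PATH or cannot produce a credential, so the auth object handed to the daemon carries only a server address (or, here, an empty user). The following is an added example, not Watchtower's own code, that replays that lookup offline: it resolves which helper config.json names for a registry (a per-registry credHelpers entry wins over the global credsStore), checks whether the docker-credential-<helper> binary is on a given PATH, and decodes the base64 "Got auth value" string from the first question's log. The two configs and the logged value are taken from the questions; the PATH passed in is whatever you want to test (the container's, not the host's).

```python
import base64
import json
import os
from typing import List, Optional


def helper_for(config: dict, registry: str) -> Optional[str]:
    """Helper name config.json selects for a registry host, or None if credentials are stored inline.
    Precedence follows the config format: credHelpers[registry] first, then credsStore."""
    helper = config.get("credHelpers", {}).get(registry)
    return helper if helper is not None else config.get("credsStore")


def helper_binary_path(helper: str, path_dirs: List[str]) -> Optional[str]:
    """Locate the executable docker-credential-<helper> on the given PATH entries."""
    name = f"docker-credential-{helper}"
    for d in path_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def decode_auth_value(auth_b64: str) -> dict:
    """The logged auth value is the base64 JSON auth object passed to the daemon for the pull."""
    return json.loads(base64.b64decode(auth_b64))


def auth_has_credentials(auth: dict) -> bool:
    """Usable auth carries username+password or an identity token; serveraddress alone is anonymous."""
    return bool(auth.get("identitytoken")) or bool(auth.get("username") and auth.get("password"))


def diagnose(config: dict, registry: str, path_dirs: List[str], logged_auth_b64: str) -> List[str]:
    """Explain an anonymous pull: missing helper binary, no stored auth, or empty auth object."""
    findings = []
    helper = helper_for(config, registry)
    if helper is None and not config.get("auths", {}).get(registry):
        findings.append(f"no helper and no stored auth for {registry}")
    elif helper is not None and helper_binary_path(helper, path_dirs) is None:
        findings.append(f"docker-credential-{helper} not found on PATH inside the container")
    if not auth_has_credentials(decode_auth_value(logged_auth_b64)):
        findings.append("auth value sent to the daemon has no username/password or token")
    return findings


# Inputs copied from the two questions (the ECR account id and the auth value are the redacted ones shown there).
ECR_HOST = "0000000000.dkr.ecr.us-east-1.amazonaws.com"
ECR_CONFIG = {"auths": {ECR_HOST: {}}, "credHelpers": {ECR_HOST: "ecr-login"}}
GITLAB_CONFIG = {"auths": {"registry.gitlab.com": {}}, "credsStore": "pass",
                 "credHelpers": {"registry.gitlab.com": "pass"}}
LOGGED_AUTH_VALUE = "eyJzZXJ2ZXJhZGRyZXNzIjoiMDAwMDAwMDAwMC5ka3IuZWNyLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tIn0="

if __name__ == "__main__":
    print(decode_auth_value(LOGGED_AUTH_VALUE))          # {'serveraddress': '0000000000.dkr.ecr...'}
    print(diagnose(ECR_CONFIG, ECR_HOST, os.environ.get("PATH", "").split(os.pathsep), LOGGED_AUTH_VALUE))
```

Run it with the PATH the Watchtower container actually has (docker exec into it and echo $PATH) rather than the host's; that is the difference between "works with the same binary on the host" and the empty auth object in the log.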

Failed to pull image from private registry with Authentication required error

I have set up a private docker registry with self-signed certificates.
docker run -d -p 443:5000 --restart=always --name registry -v `pwd`/auth:/auth \
  -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd -v `pwd`/certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/domain.key
domain.crt and domain.key are generated using OpenSSL.
To Connect from a remote host,
cp domain.crt /etc/pki/ca-trust/source/anchors/mydockerregistry.com.crt
update-ca-trust
systemctl daemon-reload
systemctl restart docker
After this, I am able to log in from the remote host:
docker login mydockerregistry.com --username=test
password: test
I am able to push/pull the image to this registry and it is successful.
Similarly, I tried to deploy this image in the Kubernetes cluster. I created a secret with the registry with a username and password.
kubectl create secret docker-registry my-registry --docker-server=mydockerregistry.com --docker-username=test --docker-password=test --docker-email=abc.com
Also, I did the self-signed certificate steps for the docker registry on the worker nodes:
cp domain.crt /etc/pki/ca-trust/source/anchors/mydockerregistry.com.crt
update-ca-trust
systemctl daemon-reload
systemctl restart docker
I gave that name in imagePullSecrets of the deployment.yaml file. I am trying to create a POD in the Kubernetes cluster (Calico network), but it is unable to pull the image.
deployment.yaml
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: test-image
  labels:
    app: test-image
    chart: test-image
spec:
  containers:
    - name: {{ .Chart.Name }}
      image: "mydockerregistry.com/test-image:latest"
      imagePullPolicy: Always
  imagePullSecrets:
    - name: my-registry
Warning  Failed  45s (x2 over 59s)  kubelet, kube-worker-02  Failed to pull image "mydockerregistry.com/test-image:latest": rpc error: code = Unknown desc = unauthorized: authentication required
Warning  Failed  45s (x2 over 59s)  kubelet, kube-worker-02  Error: ErrImagePull
I checked the docker registry logs,
time="2020-01-13T14:58:05.269921112Z" level=error msg="error authenticating user "": authentication failure" go.version=go1.11.2 http.request.host=mydockerregistry.com http.request.id=02fcccff-9a30-443c-8a00-48bcacb90e99 http.request.method=GET http.request.remoteaddr="10.76.112.148:35454" http.request.uri="/v2/test-image/manifests/latest" http.request.useragent="docker/1.13.1 go/go1.10.8 kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" vars.name=test-image vars.reference=latest
time="2020-01-13T14:58:05.269987492Z" level=warning msg="error authorizing context: basic authentication challenge for realm "Registry Realm": authentication failure" go.version=go1.11.2 http.request.host=mydockerregistry.com http.request.id=02fcccff-9a30-443c-8a00-48bcacb90e99 http.request.method=GET http.request.remoteaddr="10.76.112.148:35454" http.request.uri="/v2/ca-config-calc/manifests/latest" http.request.useragent="docker/1.13.1 go/go1.10.8 kernel/3.10.0-957.21.3.el7.x86_64 os/linux arch/amd64 UpstreamClient(Go-http-client/1.1)" vars.name=test-image vars.reference=latest
I am able to do docker login myregistrydomain and pull the image from worker node
Anything I am missing in the configuration?
You have a typo in the registry name in the create secret command.
kubectl create secret docker-registry my-registry --docker-server=myregistryregistry.com --docker-username=test --docker-password=test --docker-email=abc.com
Change myregistryregistry.com to mydockerregistry.com which you have used with docker login.
I've been able to successfully pull an image from a secure, private, docker registry into kubernetes using this link.
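The registry log shows why a typo in --docker-server is fatal rather than noisy: the kubelet selects a pull secret by the image's registry host, and when no auths key matches it pulls anonymously, which the registry reports as `authenticating user ""`. The following is an added example (not kubectl's or the kubelet's code) that builds the decoded .dockerconfigjson that `kubectl create secret docker-registry` stores and checks it against an image reference before the Deployment is applied. The registry-host rule (first path component is a registry only if it contains "." or ":" or is "localhost", otherwise Docker Hub) follows the docker reference grammar; the match is simplified to exact host after stripping a scheme, which is an assumption noted in the code. The server names, credentials and image are the ones from the question and the answer.

```python
import base64
from typing import Dict

DOCKER_HUB = "docker.io"


def registry_host(image: str) -> str:
    """Registry host of an image reference per the docker reference grammar; also handles
    host:port forms such as registry:5000/repo:tag."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB


def docker_registry_secret(server: str, username: str, password: str, email: str = "") -> Dict:
    """Decoded .dockerconfigjson equivalent to `kubectl create secret docker-registry`:
    one auths entry keyed by --docker-server with the base64 user:password pair."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    return {"auths": {server: entry}}


def _normalize(key: str) -> str:
    # Assumption: compare on bare host only (kubelet also tolerates scheme and path prefixes).
    for prefix in ("https://", "http://"):
        if key.startswith(prefix):
            key = key[len(prefix):]
    return key.rstrip("/")


def secret_covers_image(dockerconfig: Dict, image: str) -> bool:
    """True when some auths key names the image's registry host; otherwise the pull is anonymous."""
    host = registry_host(image)
    return any(_normalize(key) == host for key in dockerconfig.get("auths", {}))


def explain(dockerconfig: Dict, image: str) -> str:
    """One-line verdict suitable for a pre-deploy check."""
    host = registry_host(image)
    if secret_covers_image(dockerconfig, image):
        return f"secret covers {host}"
    keys = ", ".join(dockerconfig.get("auths", {})) or "<none>"
    return f"no auths entry for {host} (secret has: {keys}); kubelet will pull anonymously"


IMAGE = "mydockerregistry.com/test-image:latest"

if __name__ == "__main__":
    typo = docker_registry_secret("myregistryregistry.com", "test", "test", "abc.com")
    fixed = docker_registry_secret("mydockerregistry.com", "test", "test", "abc.com")
    print(explain(typo, IMAGE))
    print(explain(fixed, IMAGE))
```

The same check catches the quieter variants of this mistake, such as a secret keyed on https://host/ or on a port the image reference does not carry, before the rollout stalls on ErrImagePull.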

how to pull from a private registry in gitlab CI, with docker DIND

Actually, I'm using gitlab runners with the docker executor, and I'm trying to pull some docker images to do some tests. To preserve my network connection, I've created a private docker registry to "cache" the images.
So, my registry is linked to my gitlab runner (with configuration in the config.toml: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runnersdocker-section).
This works; my image can reach the registry:
$ wget http://registry:5000/v2/_catalog
--2019-02-15 10:40:54-- http://registry:5000/v2/_catalog
Resolving registry... 172.17.0.3
Connecting to registry|172.17.0.3|:5000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [application/json]
Saving to: '_catalog'
0K 100% 1.17M=0s
2019-02-15 10:40:54 (1.17 MB/s) - '_catalog' saved [20/20]
but the DIND service can't:
pull registry:5000/arminc/clair-db:latest
Error response from daemon: Get http://registry:5000/v2/: dial tcp: lookup registry on 192.168.9.254:53: no such host
My gitlab-ci conf for this task:
scan:image:
  stage: scans
  image: docker:git
  services:
    - name: docker:dind
      command: ["--insecure-registry=registry:5000"]
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  script:
    - chmod 777 ./docker/scan.sh
    - docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD $DOCKER_REGISTRY
    - ./docker/scan.sh
  artifacts:
    paths: [gl-container-scanning-report.json]
  only:
    - master
You might need to add a DNS entry to your DNS server or to the docker host's hosts file:
192.168.xx.xxx registry
