Drone pushing to Dockerhub fails due to access denied - dockerhub

I have set up Drone with the Docker plugin. It is building just fine, but fails to push to a private Dockerhub repo.
I have confirmed that dockerhub_username and dockerhub_password are environment variables.
kind: pipeline
type: exec
name: default
steps:
- name: docker
  image: plugins/docker
  settings:
    repo: jbc22/myrepo
    username:
      from_secret: dockerhub_username
    password:
      from_secret: dockerhub_password
publish:
  image: jbc22/myrepo
  report: jbc22/myrepo
Drone returns with:
denied: requested access to the resource is denied
time="2019-09-03T19:34:32Z" level=fatal msg="exit status 1"
I would expect to see the image pushed to Dockerhub.

Just fixed the same issue... Code down below works for me!
name: default
kind: pipeline
steps:
- name: backend
  image: python:3.7
  commands:
  - pip3 install -r req.txt
  - python manage.py test
- name: publish
  image: plugins/docker
  settings:
    username: dockerhub_username
    password: dockerhub_password
    repo: user/repo_name

Related

How can I use DooD in github actions

I want to automatically create an image using github actions and upload it after testing
However, when this build is executed inside the container, Unable to connect to newly launched container. (probably the execution was successful)
Of course it works when I try to do the same thing without using containers (on the machine).
Why did the connection fail when I tried it in a Docker container?
jobs:
  build_and_test:
    runs-on: my-runner
    container:
      image: my-image:tag
      credentials:
        username: ${{ secrets.ID }}
        password: ${{ secrets.PW }}
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
      options: --user root
    steps:
      - uses: actions/checkout@v2
      - name: build_image
        run: |
          ...
          # build image
          ...
      - name: bvt_test
        run: |
          container=$(docker run --rm -itd -p ${port}:1234 ${new_image})
          ...
          # test, but the connection failed
Thanks.

How to specify Google Cloud Run metadata in Github Actions?

I have a Github Action which builds a docker image then uploads it to the Container Registry.
Next I want to deploy this container to a Cloud Run service with some specific settings for the min and max instances, ensure CPU is always on, internal ingress only, etc. The documentation says these settings are set using metadata, but no example is shown. What format should this metadata take?
name: Push code to GCP
on:
  push:
    branches: [ main ]
jobs:
  container-build-push-deploy:
    name: Build Container Push to Registry Deploy to Cloud Run
    runs-on: ubuntu-latest
    env:
      IMAGE_NAME: my-image
      PROJECT_ID: my-project-123456
      REGION: us-central1
    steps:
    - name: Checkout
      uses: actions/checkout@v2
    - name: Authenticate With GCP
      id: auth
      uses: google-github-actions/auth@v0
      with:
        credentials_json: ${{ secrets.GCP_CREDENTIALS }}
    - name: Setup Cloud SDK
      uses: google-github-actions/setup-gcloud@v0
      with:
        project_id: ${{ env.PROJECT_ID }}
    - name: Tag Release
      id: increment-git-tag
      run: |
        bash ./scripts/git_update.sh -v patch
    - name: Build Docker Image
      run: docker build -t $IMAGE_NAME:latest .
    - name: Configure Docker Client
      run: |-
        gcloud auth configure-docker --quiet
    - name: Push Docker Image to Container Registry
      env:
        GIT_TAG: ${{ steps.increment-git-tag.outputs.git-tag }}
      run: |-
        docker tag $IMAGE_NAME:latest gcr.io/$PROJECT_ID/$IMAGE_NAME:latest
        docker tag $IMAGE_NAME:latest gcr.io/$PROJECT_ID/$IMAGE_NAME:$GIT_TAG
        docker push gcr.io/$PROJECT_ID/$IMAGE_NAME:latest
        docker push gcr.io/$PROJECT_ID/$IMAGE_NAME:$GIT_TAG
    - name: Deploy to Cloud Run
      env:
        GIT_TAG: ${{ steps.increment-git-tag.outputs.git-tag }}
      uses: google-github-actions/deploy-cloudrun@v0
      with:
        service: my-service
        image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.GIT_TAG }}'
        region: ${{ env.REGION }}
        secrets: |
          /app/path/to/my-secret=my-secret:latest
        metadata:
          min-instances: 1
          max-instances: 1
          ingress: internal
          tag: ${{ env.GIT_TAG }}
          no-cpu-throttling: true
          command: node
          args: |
            /app/path/to/main.js
            arg-1
Obviously this last metadata piece is wrong since with is supposed to be key-value pairs of string. What is the correct format here?
According to the link that you share, the specs of your Cloud Run Service can be stored in a yaml file.
You can store your service specification in a YAML file
So I created a yaml (ex: service.yaml) file and pushed it to the github repository.
Sample service.yaml file code with min and max instances, number of cpu and internal ingress
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: my-service
  annotations:
    run.googleapis.com/ingress: internal
    run.googleapis.com/cpu-throttling: 'False'
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: '2'
        autoscaling.knative.dev/maxScale: '50'
    spec:
      containers:
      - image: <IMAGE_URL>
        resources:
          limits:
            cpu: '2'
And here is the Deploy to Cloud Run steps yaml file
- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@v0
  with:
    region: ${{ env.REGION }}
    metadata: service.yaml
Additional info: You can use the sed command in Linux to edit or replace strings in files without even opening them.
- name: Set Image Name
  run: your_sed_command
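One way to do the sed substitution mentioned above, as an added example that is not part of the original answer: a POSIX shell helper that fills the `<IMAGE_URL>` placeholder and refuses image references that could alter the sed expression or the YAML. The helper names and the sample image are assumptions, and it expects a fully qualified reference such as `gcr.io/project/image:tag`.

```shell
#!/bin/sh
# Added example, not from the answers: fill the <IMAGE_URL> placeholder of a
# Cloud Run service.yaml before it is handed to the deploy step.

# Constructed sample template, shaped like the service.yaml in the answer.
write_sample_template() {
  cat > "$1" <<'EOF'
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: my-service
spec:
  template:
    spec:
      containers:
      - image: <IMAGE_URL>
EOF
}

# render_service_yaml TEMPLATE IMAGE (hypothetical helper): rendered YAML on stdout.
# Returns 2 for an unacceptable image reference, 3 if the placeholder is missing.
render_service_yaml() {
  template=$1 image=$2
  # Reject anything outside the image-reference alphabet first, so a crafted
  # tag cannot carry sed metacharacters or a newline into the YAML.
  case $image in
    ''|*[!A-Za-z0-9._/:@-]*) echo "invalid image reference" >&2; return 2 ;;
  esac
  # Then require the shape host[:port]/path[:tag][@sha256:digest].
  printf '%s\n' "$image" | grep -Eq \
    '^[a-z0-9][a-z0-9.-]*(:[0-9]+)?(/[a-z0-9._-]+)+(:[A-Za-z0-9_][A-Za-z0-9_.-]*)?(@sha256:[a-f0-9]{64})?$' \
    || { echo "invalid image reference" >&2; return 2; }
  grep -q '<IMAGE_URL>' "$template" || { echo "placeholder not found" >&2; return 3; }
  # Use | as the sed delimiter because image references contain /.
  sed "s|<IMAGE_URL>|$image|g" "$template"
}

# Demo on the constructed template with a sample image name.
demo_tmp=$(mktemp)
write_sample_template "$demo_tmp"
render_service_yaml "$demo_tmp" "gcr.io/my-project-123456/my-image:v1.2.3"
rm -f "$demo_tmp"
```

In a workflow step the output would be redirected to the file named in `metadata:`, for example `render_service_yaml service.tmpl.yaml "$IMAGE" > service.yaml`, where `service.tmpl.yaml` is an assumed template name.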
I ended up going the pure CLI route in the interest of saving time
- name: Deploy to Cloud Run
  env:
    GIT_TAG: ${{ steps.increment-git-tag.outputs.git-tag }}
    SERVICE: my-service
    MY_ARG: arg-1
  run: |
    gcloud run deploy $SERVICE --image=gcr.io/$PROJECT_ID/$IMAGE_NAME:$GIT_TAG \
      --platform=managed --region=$REGION --min-instances=1 --max-instances=1 \
      --ingress=internal --tag=latest --no-cpu-throttling --no-allow-unauthenticated \
      --command=node --args=/app/path/to/main.js,$MY_ARG \
      --set-secrets=/app/path/to/my-secret=my-secret:latest
It would be nice to get another answer on how to use the pre-built setup-gcloud Github Action though from someone who knows.

Run entire GitHub Actions workflow job in private docker container

I am trying to use the container option in a GitHub Actions workflow to run the entire job in a docker container. How do I specify the login credentials to retrieve this docker image from a private repository on docker hub?
jobs:
  build:
    runs-on: ubuntu-18.04
    container: private_org/test-runner:1.0
I have successfully used the following docker-login "action" to authenticate with docker hub as a "step", but this does not get performed until after the job-level container gets initialized.
jobs:
  build:
    runs-on: ubuntu-18.04
    steps:
      - uses: azure/docker-login@v1
        with:
          username: me
          password: ${{ secrets.MY_DOCKERHUB_PASSWORD }}
      - name: test docker creds
        run: docker pull private_org/test-runner:1.0
This was implemented recently. Use the following workflow definition:
jobs:
  build:
    container:
      image: private_org/test-runner:1.0
      credentials:
        username: me
        password: ${{ secrets.MY_DOCKERHUB_PASSWORD }}
Source:
https://github.blog/changelog/2020-09-24-github-actions-private-registry-support-for-job-and-service-containers/

Error connecting: Error while fetching server API version: Ansible

I'm very new at Ansible. I've run following ansible PlayBook and found those errors:
---
- hosts: webservers
  remote_user: linx
  become: yes
  become_method: sudo
  tasks:
    - name: install docker-py
      pip: name=docker-py
    - name: Build Docker image from Dockerfile
      docker_image:
        name: web
        path: docker
        state: build
    - name: Running the container
      docker_container:
        image: web:latest
        path: docker
        state: running
    - name: Check if container is running
      shell: docker ps
Error message:
FAILED! => {"changed": false, "msg": "Error connecting: Error while
fetching server API version: ('Connection aborted.', error(2, 'No such
file or directory'))"}
And here is my folder structure:
.
├── ansible.cfg
├── docker
│   └── Dockerfile
├── hosts
├── main.retry
├── main.yml
I'm confused: the docker folder is already inside my local directory, but I don't know why I encountered this error message.
I've found the solution: the Docker daemon is not running after Docker is installed by Ansible. It's required to add the following command to my playbook.
---
- hosts: webservers
  remote_user: ec2-user
  become: yes
  become_method: sudo
  tasks:
    - name: install docker
      yum: name=docker
    - name: Ensure service is enabled
      command: service docker restart
    - name: copying file to remote
      copy:
        src: ./docker
        dest: /home/ec2-user/docker
    - name: Build Docker image from Dockerfile
      docker_image:
        name: web
        path: /home/ec2-user/docker
        state: build
    - name: Running the container
      docker_container:
        image: web:latest
        name: web
    - name: Check if container is running
      shell: docker ps
I have faced the same problem. I am trying to perform a docker login and get the same weird error. In my case, the ansible user does not have the necessary docker credentials. The solution, in that case, is to switch to a user with docker credentials:
- name: docker login
  hosts: my_server
  become: yes
  become_user: docker_user
  tasks:
    - docker_login:
        registry: myregistry.com
        username: myusername
        password: mysecret

Drone CI secrets not populating

I am trying to push a docker image into a private registry in Drone 0.8.5 and it works when I hardcode username and password into the pipeline however I have tried adding both the registry details in the registry tab and as secrets.
Registry Pipeline
docker-registry-push:
  image: plugins/docker
  repo: registry.domain.com:5000/app
  registry: registry.domain.com:5000
  insecure: true
  pull: true
Fails with no basic auth credentials
Finally I've tried variable substitution (with $REGISTRY_USERNAME and $$REGISTRY_USERNAME variables). All result in an error: msg="Error authenticating: exit status 1"
docker-registry-push:
  image: plugins/docker
  repo: registry.domain.com:5000/app
  registry: registry.domain.com:5000
  secrets:
    - source: registry_username
      target: username
    - source: registry_password
      target: password
  insecure: true
  pull: true
another attempt
docker-registry-push:
  image: plugins/docker
  repo: registry.domain.com:5000/app
  registry: registry.domain.com:5000
  username: ${REGISTRY_USERNAME}
  password: ${REGISTRY_PASSWORD}
  secrets: [ registry_username, registry_password ]
  insecure: true
  pull: true
It is really frustrating. I need to add secrets for Rancher accesskey secretkey also after this via the correct method.
I have read other topics and the drone docs and am still stumped.
Thanks in advance.
The secrets need to be injected into the docker container via the environment with the names docker_username and docker_password.
Your .drone.yml file should look something like this:
pipeline:
  docker:
    image: plugins/docker
    repo: username/app
    registry: registry.domain.com:5000
    insecure: true
    pull: true
    secrets:
      - source: registry_username
        target: docker_username
      - source: registry_password
        target: docker_password
See the drone plugin docs for more configuration options.
Here is how to manage Drone secret keys: http://docs.drone.io/manage-secrets/#pull-requests
Also, you might wanna consider using .netrc inside the Dockerfile on your build, so your credential is embedded inside of your docker images.
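A credential that reaches a Dockerfile through COPY, ENV, ARG or a plain RUN stays recoverable from the image's layers and history by anyone who can pull the image. As an added example (not part of the original posts), this POSIX shell check flags such instructions in a constructed sample Dockerfile; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Constructed sample Dockerfile: lines 2-5 leave a credential in the image,
# line 6 uses a BuildKit secret mount, which is not stored in any layer.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
FROM python:3.7
COPY .netrc /root/.netrc
ARG GIT_TOKEN
ENV REGISTRY_PASSWORD=changeme
RUN pip3 install -r req.txt && rm -f /root/.netrc
RUN --mount=type=secret,id=netrc,target=/root/.netrc pip3 install -r req.txt
EOF
}

# scan_dockerfile FILE (hypothetical helper): prints "LINE: reason: instruction"
# for every flagged instruction and returns 1 if anything was flagged.
scan_dockerfile() {
  awk '
    function flag(msg) { printf "%d: %s: %s\n", NR, msg, $0; bad = 1 }
    { up = toupper($0) }
    # Credential files copied in stay in that layer even if removed later.
    up ~ /^[ \t]*(COPY|ADD)[ \t]/ && up ~ /\.(NETRC|NPMRC|PYPIRC)/ {
      flag("credential file stored in a layer"); next }
    # ENV values live in the image config; ARG values show up in the history.
    up ~ /^[ \t]*(ENV|ARG)[ \t]+[A-Z0-9_]*(PASSWORD|PASSWD|TOKEN|SECRET)/ {
      flag("secret in ENV/ARG is recoverable from image config or history"); next }
    # A .netrc touched by RUN is only safe when it arrives as a secret mount.
    up ~ /^[ \t]*RUN[ \t]/ && up ~ /\.NETRC/ && up !~ /--MOUNT=TYPE=SECRET/ {
      flag(".netrc handled in RUN without a BuildKit secret mount"); next }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Demo on the constructed sample.
demo_df=$(mktemp)
write_sample_dockerfile "$demo_df"
scan_dockerfile "$demo_df" || echo "credential-bearing instructions found"
rm -f "$demo_df"
```

The check is line-based, so it does not follow instructions continued across lines with a trailing backslash.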
