Docker Private Registries

Matt_Hughes · September 4, 2014, 8:10pm

Trying to use the docker module to run images from a docker private registry.

I’m using the current master branch of Ansible as that supports username/password. Playbook is:

name: run app
docker: registry=https://private-repo.com:443 image:443=private-repo.com/busycorp/app:1.0.0 username={{ docker_registry_username }} password={{ docker_registry_password }} email=mhughes@busicorp.us

It appears to successfully log in, but can’t find that tag:

ESTABLISH CONNECTION FOR USER: mhughes
REMOTE_MODULE docker registry=https://private-repo.com:443 image:443=private-repo.com/busicorp/app:1.0.0 username=mhughes password=VALUE_HIDDEN email=mhughes@busicorp.us
EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/Users/mhughes/.ansible/cp/ansible-ssh-%h-%p-%r -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 test /bin/sh -c ‘mkdir -p $HOME/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114 && echo $HOME/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114’
PUT /var/folders/_n/6r_pnw9d1jg33_chqmcpyvn00000gn/T/tmpm2Jl5K TO /home/clduser/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114/docker
EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/Users/mhughes/.ansible/cp/ansible-ssh-%h-%p-%r -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 test /bin/sh -c ‘sudo -k && sudo -H -S -p “[sudo via ansible, key=mlompfrrydppecgwsjntwvxuyqknbxtf] password: " -u root /bin/sh -c '”’“‘echo SUDO-SUCCESS-mlompfrrydppecgwsjntwvxuyqknbxtf; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/clduser/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114/docker; rm -rf /home/clduser/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114/ >/dev/null 2>&1’”‘"’’
failed: [test] => {“changed”: true, “failed”: true}
msg: Docker API error: No such image: private-repo.com:443/busicorp/app:1.0.0 (tag: 1.0.0)

FATAL: all hosts have already failed – aborting

I have tried with and without the registry name in the image. I can take the same image parameter above and successfully do a ‘docker pull’ on the machine. Is there some way to see the logs of ansible on the remote server so I can see exactly what commands it is calling? Or maybe there is just an issue with use of Docker namespaces?

Michael_DeHaan1 · September 5, 2014, 1:31am

For starters, can you share the version of Ansible you are using?

Matt_Hughes · September 5, 2014, 1:33am

I’m using master branch. To be specific, commit 4f55bcc298669f61ee11fb244ec447762b01edba.

Michael_DeHaan1 · September 5, 2014, 1:53am

Hmmm… I don’t have a private registry running/available at the moment, is this something you might like to help work on/debug?

We can definitely private some pointers.

–Michael

Matt_Hughes · September 5, 2014, 2:45am

Done a bit more digging. I can see the calls being made on the server via /var/log/docker and they all look right. It does the auth and then tries to pull, but the pull fails with:

2014/09/05 02:18:04 POST /v1.12/auth
[3d312112] +job auth()
[3d312112] -job auth() = OK (0)
2014/09/05 02:18:05 POST /v1.12/images/create?tag=1.0.0&fromImage=private-repo.com%3A443%2Fbusicorp%2Fapp
[3d312112] +job pull(private-repo.com:443/busicorp/app, 1.0.0)
Authentication is required.
[3d312112] -job pull(private-repo.com:443/busicorp/app, 1.0.0) = ERR (1)

If I use the exact same credentials and do a ‘docker login’ on the server, everything works. And a ‘docker pull’ from the server looks exactly like the POST command above, just that it succeeds.

I found this issue referencing a similar problem on the docker-py group: https://github.com/docker/docker-py/issues/241

By adding /v1/ to the end of my repository parameter, the login and basic auth worked on the pull. Not really sure what to make of this, but it’s a workaround at least.

Michael_DeHaan1 · September 5, 2014, 7:04pm

Urg.

Might be worth contacting Docker to see if they can light a fire under the python bindings?

Eli_Finkelshteyn · November 20, 2014, 10:10pm

Any updates here? I’m running into the same issue. Also, as of Ansible 1.7.2, the username and registry commands still haven’t been merged, so as far as I can tell you have to be using the master branch of Ansible to run Docker images from private repos (which I still haven’t gotten to actually work).

Michael_DeHaan1 · November 21, 2014, 1:55pm

Not sure what problems you are having with 1.8 - would need more info - but it will release next week.

Eli_Finkelshteyn · November 23, 2014, 11:59pm

I was still having issues-- specifically that I could pull and authenticate with an owner account, but not with a collaborator account, so I just used my .dockercfg as a workaround. Just do:

name: move docker cfg over so we don’t have to log in each time
copy: src=.dockercfg dest=/root/.dockercfg
name: now download the image
shell: docker pull {{ docker_image }}
name: now run the docker image (no more need for authentication because it’s already been pulled)
docker:
image={{ docker_image }}
ports={{ docker_ports }}

Topic		Replies	Views
docker module Ansible Project	1	0	July 7, 2014
Ansible-builder using private registry Get Help documentation , ansible-builder , ee	2	235	October 24, 2023
Ansible not pulling images from private Docker repository Ansible Developer	2	1	February 11, 2015
invalid output was: Traceback - KeyError: 'ApiVersion' Ansible Developer ubuntu	4	0	May 28, 2014
community.docker.docker_login issue Ansible Project	4	5	June 29, 2023

Docker Private Registries

Related topics