[JIRA] (JENKINS-51949) Docker agent in declarative pipeline failing to login to custom registry

39 views
Skip to first unread message

danielfosbery125@gmail.com (JIRA)

unread,
Jun 14, 2018, 12:33:01 PM6/14/18
to jenkinsc...@googlegroups.com
Daniel Fosbery created an issue
 
Jenkins / Bug JENKINS-51949
Docker agent in declarative pipeline failing to login to custom registry
Issue Type: Bug Bug
Assignee: Unassigned
Components: docker-workflow-plugin
Created: 2018-06-14 16:32
Environment: Jenkins 2.124
Docker Commons 1.13
Docker Workflow 1.17
Labels: docker plugin
Priority: Major Major
Reporter: Daniel Fosbery

We have an image that is stored in AWS ECR. Previously this step has been working but broke when we updated the Docker Workflow plugin from 1.15.1 to 1.17. We now get a `docker login failed` message.

This is for a declarative pipeline and our configuration is as follows.

```
stage('Docker step') {
    agent {
        docker {
            image "xxxxxxxx"
            registryUrl "https://xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com"
            registryCredentialsId "credentials-id"
        }
    }
}
```
When we roll the plugin back to 1.15.1 the issue no longer occurs.
This may be related to JENKINS-38018
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
Atlassian logo

danielfosbery125@gmail.com (JIRA)

unread,
Jun 14, 2018, 12:35:02 PM6/14/18
to jenkinsc...@googlegroups.com
Daniel Fosbery updated an issue
Change By: Daniel Fosbery
We have an image that is stored in AWS ECR. Previously this step has been working but broke when we updated the Docker Workflow plugin from 1.15.1 to 1.17. We now get a `docker login failed` message.

This is for a declarative pipeline and our configuration is as follows.
{code:java}
```
 stage('Docker step') \ {
    agent \ {
        docker \
{

            image "xxxxxxxx"
            registryUrl "https://xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com"
            registryCredentialsId "credentials-id"
        }
    }
} {code}
```
When we roll the plugin back to 1.15.1 the issue no longer occurs.
This may be related to  - JENKINS-38018 -

jarrett@famous.co (JIRA)

unread,
Jun 29, 2018, 11:58:02 PM6/29/18
to jenkinsc...@googlegroups.com
Jarrett G commented on Bug JENKINS-51949
 
Re: Docker agent in declarative pipeline failing to login to custom registry

This breaks a key step in my build pipeline. Looks like the culprit is `src/main/java/org/jenkinsci/plugins/docker/commons/impl/RegistryKeyMaterialFactory.java`

    public KeyMaterial materialize() throws IOException, InterruptedException {
        FilePath dockerConfig = createSecretsDirectory();
        try {
            // TODO on Docker 17.07+ use --password-stdin
            EnvVars envWithConfig = new EnvVars(env);
            envWithConfig.put("DOCKER_CONFIG", dockerConfig.getRemote());
            if (launcher.launch().cmds(new ArgumentListBuilder(dockerExecutable, "login", "-u", username, "-p").add(password, true).add(endpoint)).envs(envWithConfig).stdout(listener).join() != 0) {
                throw new AbortException("docker login failed");
            }
        } catch (IOException | InterruptedException x) {
            try {
                dockerConfig.deleteRecursive();
            } catch (Exception x2) {
                x.addSuppressed(x2);
            }
            throw x;
        }
        return new RegistryKeyMaterial(dockerConfig, new EnvVars("DOCKER_CONFIG", dockerConfig.getRemote()));
    }

Looks like this was intentionally passed over, possibly due to some security issue. Jesse Glick - any reason why this hasn't been updated yet?
This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)

jglick@cloudbees.com (JIRA)

unread,
Jul 20, 2018, 4:04:01 PM7/20/18
to jenkinsc...@googlegroups.com

Daniel Fosbery not sure offhand. No developer of this plugin that I know of tests against AWS ECR. It may have specialized requirements for running docker login that go beyond what a generic registry does. If in doubt, avoid use of agent docker and run Docker commands directly from sh.

Jarrett G any reason why what has not been updated yet?

jarrett@famous.co (JIRA)

unread,
Jul 23, 2018, 2:12:03 PM7/23/18
to jenkinsc...@googlegroups.com

Jesse Glick - Wow, I did not describe that well. Sorry for the ambiguity 

 

I meant that Docker throws an error and exits with a 1 if `p` or `–password` is passed in as an arg. It looks like it only wants `-password-stdin` now.

jarrett@famous.co (JIRA)

unread,
Jul 23, 2018, 2:13:01 PM7/23/18
to jenkinsc...@googlegroups.com
Jarrett G edited a comment on Bug JENKINS-51949
[~jglick] - Wow, I did not describe that well. Sorry for the ambiguity :P

 

I meant that Docker throws an error and exits with a 1 if ` - p` or ` -- password` is passed in as an arg. It looks like it only wants `--password-stdin` now.

jarrett@famous.co (JIRA)

unread,
Jul 23, 2018, 2:15:03 PM7/23/18
to jenkinsc...@googlegroups.com
Jarrett G edited a comment on Bug JENKINS-51949
[~jglick] - Wow, I did not describe that well. Sorry for the ambiguity  :P !/images/icons/emoticons/tongue.png|width=16,height=16,align=absmiddle!

 

I meant that Docker throws an error and exits with a 1 if
`
{code:java}
- p ` {code}
 or `
{code:java}
 --password ` {code}
is passed in as an arg. It looks like it only wants  `

{code:java}
 --password-stdin ` {code}
 now.

jarrett@famous.co (JIRA)

unread,
Jul 23, 2018, 2:15:03 PM7/23/18
to jenkinsc...@googlegroups.com
Jarrett G edited a comment on Bug JENKINS-51949
[~jglick] - Wow, I did not describe that well. Sorry for the ambiguity  !/images/icons/emoticons/tongue.png|width=16,height=16,align=absmiddle!  :P

 

I meant that Docker throws an error and exits with a 1 if
{code:java}
-p{code}

or
{code:java}
--password{code}
is passed in as an arg. It looks like it only wants 
{code:java}
--password-stdin{code}
now.

savages@savages.com (JIRA)

unread,
Oct 4, 2019, 7:15:02 PM10/4/19
to jenkinsc...@googlegroups.com

This is as close to my problem that I can find.  I am "new(1 month)" to jenkins.  I have an existing pipeline. that pulls a docker image from an insecure repo.  We are moving to a secure server.   I have copied the images to the new repo.  I can pull from the command line and it prompts from username and password and from then on I can pull and push images. 

From Jenkins it fails to pull the image.    

```

agent {
   docker {
      args "-v /srv/docker-helper/shares/bin/:/opt/pws/mnt/bin -v /srv/docker-helper/shares/cache/:/opt/pws/mnt/cache -v /srv/docker-helper/shares/inject-home.ro/:/opt/pws/mnt/inject-home:ro"
      image "${jobParams.DOCKER_IMAGE}"
      label "${jobParams.NODE_LABEL}"
      registryCredentialsId 'mig/****** (Jenkins Artifactory user - mig)'
      registryUrl "${jobParams.DOCKER_REGISTRY}"
   }
}

```

Where "mig/****** (Jenkins Artifactory user - mig)" i the name of a credential in jenkins.

 

```

[Pipeline] withDockerRegistry
[Pipeline]

{ [Pipeline] sh + docker inspect -f . mig Error: No such object: mig [Pipeline] sh + docker inspect -f . af01p.devtools.tst:6560/mig Error: No such object: af01p.devtools.tst:6560/mig [Pipeline] sh + docker pull af01p.devtools.tst:6560/mig Using default tag: latest Error response from daemon: unauthorized: The client does not have permission for manifest [Pipeline] }

[Pipeline] // withDockerRegistry

```
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
Atlassian logo

jglick@cloudbees.com (JIRA)

unread,
Oct 6, 2019, 8:33:03 AM10/6/19
to jenkinsc...@googlegroups.com

Again,

If in doubt, avoid use of agent docker and run Docker commands directly from sh.

Reply all
Reply to author
Forward
0 new messages