Docker Private Registries

Matt Hughes

Sep 4, 2014, 4:10:17 PM
to ansible...@googlegroups.com
Trying to use the docker module to run images from a docker private registry.

I'm using the current master branch of Ansible as that supports username/password.  Playbook is:

    - name: run app
      docker: registry=https://private-repo.com:443 image=private-repo.com:443/busycorp/app:1.0.0 username={{ docker_registry_username }} password={{ docker_registry_password }} email=mhu...@busicorp.us

It appears to successfully log in, but can't find that tag:

<test> ESTABLISH CONNECTION FOR USER: mhughes
<test> REMOTE_MODULE docker registry=https://private-repo.com:443 image=private-repo.com:443/busicorp/app:1.0.0 username=mhughes password=VALUE_HIDDEN email=mhu...@busicorp.us
<test> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/Users/mhughes/.ansible/cp/ansible-ssh-%h-%p-%r -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 test /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114 && echo $HOME/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114'
<test> PUT /var/folders/_n/6r_pnw9d1jg33_chqmcpyvn00000gn/T/tmpm2Jl5K TO /home/clduser/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114/docker
<test> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/Users/mhughes/.ansible/cp/ansible-ssh-%h-%p-%r -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 test /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=mlompfrrydppecgwsjntwvxuyqknbxtf] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-mlompfrrydppecgwsjntwvxuyqknbxtf; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/clduser/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114/docker; rm -rf /home/clduser/.ansible/tmp/ansible-tmp-1409858894.29-223607362771114/ >/dev/null 2>&1'"'"''
failed: [test] => {"changed": true, "failed": true}
msg: Docker API error: No such image: private-repo.com:443/busicorp/app:1.0.0 (tag: 1.0.0)

FATAL: all hosts have already failed -- aborting



I have tried with and without the registry name in the image.  I can take the same image parameter above and successfully do a 'docker pull' on the machine.  Is there some way to see the logs of ansible on the remote server so I can see exactly what commands it is calling?  Or maybe there is just an issue with use of Docker namespaces?

Michael DeHaan

Sep 4, 2014, 9:31:14 PM
to ansible...@googlegroups.com
For starters, can you share the version of Ansible you are using?


Matt Hughes

Sep 4, 2014, 9:33:29 PM
to ansible...@googlegroups.com
I'm using master branch.  To be specific, commit 4f55bcc298669f61ee11fb244ec447762b01edba.

Michael DeHaan

Sep 4, 2014, 9:53:07 PM
to ansible...@googlegroups.com
Hmmm.... I don't have a private registry running/available at the moment, is this something you might like to help work on/debug?

We can definitely provide some pointers.

--Michael




Matt Hughes

Sep 4, 2014, 10:45:24 PM
to ansible...@googlegroups.com
Done a bit more digging.  I can see the calls being made on the server via /var/log/docker and they all look right.  It does the auth and then tries to pull, but the pull fails with:

    2014/09/05 02:18:04 POST /v1.12/auth
    [3d312112] +job auth()
    [3d312112] -job auth() = OK (0)
    2014/09/05 02:18:05 POST /v1.12/images/create?tag=1.0.0&fromImage=private-repo.com%3A443%2Fbusicorp%2Fapp
    [3d312112] +job pull(private-repo.com:443/busicorp/app, 1.0.0)
    Authentication is required.
    [3d312112] -job pull(private-repo.com:443/busicorp/app, 1.0.0) = ERR (1)

If I use the exact same credentials and do a 'docker login' on the server, everything works.  And a 'docker pull' from the server looks exactly like the POST command above, just that it succeeds.


I found this issue referencing a similar problem on the docker-py group: https://github.com/docker/docker-py/issues/241

By adding /v1/ to the end of my repository parameter, the login and basic auth worked on the pull.  Not really sure what to make of this, but it's a workaround at least.

Michael DeHaan

Sep 5, 2014, 3:04:47 PM
to ansible...@googlegroups.com
Urg.

Might be worth contacting Docker to see if they can light a fire under the python bindings?




Eli Finkelshteyn

Nov 20, 2014, 5:10:39 PM
to ansible...@googlegroups.com
Any updates here? I'm running into the same issue. Also, as of Ansible 1.7.2, the username and registry commands still haven't been merged, so as far as I can tell you have to be using the master branch of Ansible to run Docker images from private repos (which I still haven't gotten to actually work).

Michael DeHaan

Nov 21, 2014, 8:55:56 AM
to ansible...@googlegroups.com
Not sure what problems you are having with 1.8 - would need more info - but it will release next week.



Eli Finkelshteyn

Nov 23, 2014, 6:59:38 PM
to ansible...@googlegroups.com
I was still having issues-- specifically that I could pull and authenticate with an owner account, but not with a collaborator account, so I just used my .dockercfg as a workaround. Just do:

    - name: move docker cfg over so we don't have to log in each time
      copy: src=.dockercfg dest=/root/.dockercfg

    - name: now download the image
      shell: docker pull {{ docker_image }}

    - name: now run the docker image (no more need for authentication because it's already been pulled)
      docker:
        image={{ docker_image }}
        ports={{ docker_ports }}
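
Added example, not part of the thread and not Ansible or docker-py code: a check to run on the target host after a legacy `.dockercfg` has been copied over. It reports whether the file is readable by other users (the `auth` value is just base64 of `user:password`) and whether it holds an entry for the registry named in the image, ignoring scheme and `/v1/` differences in the key. The function names, the sample password and the `/v1/` key shape are assumptions made for illustration.

```python
import base64, json, os, stat, tempfile
from urllib.parse import urlparse

DOCKER_HUB = "index.docker.io"

def key_host(key):
    """host[:port] of a .dockercfg key, with or without scheme and /v1/ suffix."""
    return urlparse(key if "://" in key else "//" + key).netloc.lower()

def image_registry(image):
    """Registry part of an image name; names without one belong to Docker Hub."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DOCKER_HUB

def audit_dockercfg(path, image):
    """Return (username or None, findings) for pulling `image` with this file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # readable or writable by group/other
        findings.append("mode %04o: auth is only base64-encoded, use 0600" % mode)
    with open(path) as fh:
        cfg = json.load(fh)
    wanted = image_registry(image)
    for key, entry in cfg.items():
        if key_host(key) == wanted:
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            return user, findings  # never return or log the password part
    findings.append("no entry for registry %s" % wanted)
    return None, findings

def write_sample(path, mode):
    """Constructed sample file; the /v1/ suffix on the key is an assumption."""
    auth = base64.b64encode(b"mhughes:constructed-password").decode()
    cfg = {"https://private-repo.com:443/v1/": {"auth": auth, "email": "user@example.invalid"}}
    with open(path, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), ".dockercfg")
    write_sample(sample, 0o644)
    print(audit_dockercfg(sample, "private-repo.com:443/busicorp/app:1.0.0"))
```

Ansible's `copy` module accepts `mode=0600`, which clears the permission finding at the point the file is deployed.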