Batch Pool does not support private org dockerhub repositories

[arun-nemani]

Problem Description

Azure batch integration with dockerhub repositories during pool creation works as expected for public repositories (both user based and org based, but not for org private repositories. I have also confirmed that private repository connections work as expected when the target private repository is under the user dockerhub account, and the exact user login credentials are provided.

However, private dockerhub connections do not work as expected for organization based private repositories, where member dockerhub login credentials are provided.

Steps to Reproduce

Azure Batch --> Add Pool
Image Type: Marketplace
Publisher: microsoft-azure-batch
Offer: ubuntu-server-container
Sku: 20-04-lts
Container Configuration:

• Container image names: XXXXXXXXXX
• Registry username: XXXXXX
• Password: XXXXXX
• Registry server: index.docker.io

Expected Results

Idle State for VM node upon Pool creation

Actual Results

Message - pull access denied for XXXXXXXX, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Additional Comments

Further confirmations:

• Confirmed dockerhub member access credentials are correct for the private repo housed under organization (confirmed via docker login and docker pull...
• Confirmed dockerhub organization is correctly allowing read access to desired dockerhub team members.
• Confirmed org repository when converted to public, works as expected on Azure Batch
• Confirmed that simply converting org repository to private results in Pool errors on Azure Batch
  I have confirmed that if I make this repository named XXXXX when designates as public works as expected when creating a pool (even with registry username and password already specified). However, converting this repository to private, causes the error stated above.

[alfpark]

Tagging @bgklein and @staer.

[okofish]

I got this to work by setting "registryServer": "docker.io" and, crucially, explicitly qualifying the registry in the container image name like docker.io/myorg/myrepo.

I suspect Batch might be naively looking for a domain component in the image name to match against the list of defined registries.

[staer]

thanks for the update, I'll take a look to see what is going on under the hood here

[staer]

I believe that I have identified the code at fault being the bit that maps the repository to authentication. As @okofish noted, a temporary workaround is to specify the full docker.io repository URL in the image name. I will work on a more permanent fix.