race condition for logout: true #173

Closed
hholst80 opened this issue Mar 23, 2022 · 4 comments

Comments

@hholst80

There is an obvious race condition if logout: true is used.

One job runs concurrently with another and the second job logs out after the first job finished logging in.

What I would like to do is to run an explicit docker/logout action to remove any credentials as part of an explicit cleanup.

@crazy-max
Member

@hholst80 Can you give a link to your repo or post your workflow please? Thanks.

@hholst80
Author

hholst80 commented Mar 23, 2022

We have several workers running on the same docker machine. The credential store is shared between the runners.

- name: Login build and test machine to myreg.azurecr.io
  uses: docker/login-action@v1
  with:
    registry: myreg.azurecr.io
    username: myreg
    password: ${{ secrets.AZURECR_PASSWORD }}
    # logout: true  # default is true
- name: build stuff # this can fail due to race condition from concurrent build & push job
  run: docker-compose build --pull
- name: push it # and so can this fail for the same reason
  run: docker-compose push

@hholst80
Author

hholst80 commented Mar 26, 2022

I researched this a bit and it seems that the only portable way to deal with credentials with Docker is to write those to a credentials store in the current user's home directory.

The login and logout need to be coordinated carefully to avoid a race condition due to the shared state.

The only possible way to avoid the race condition would be to create a throwaway context in docker. Be aware that many tools will not honor this unless they use a recent version of a client SDK or use the docker cli directly.

@crazy-max
Member

crazy-max commented Mar 26, 2022

Yes, if you're using a self-hosted runner, you're sharing the same configuration. logout is useful for ephemeral runners like the default GitHub Runners, but in your case it doesn't make sense, so I suggest disabling logout:

- name: Login build and test machine to myreg.azurecr.io
  uses: docker/login-action@v1
  with:
    registry: myreg.azurecr.io
    username: myreg
    password: ${{ secrets.AZURECR_PASSWORD }}
    logout: false

If you still want to log out in this case, you have to create a dedicated DOCKER_CONFIG for each triggered workflow using the unique GITHUB_RUN_ID. Something like this should work:

- name: Set DOCKER_CONFIG
  run: |
    # GITHUB_RUN_ID is a default environment variable; it is not exposed through the env context
    mkdir -p "$HOME/$GITHUB_RUN_ID/.docker"
    echo "DOCKER_CONFIG=$HOME/$GITHUB_RUN_ID/.docker" >> "$GITHUB_ENV"

- name: Login build and test machine to myreg.azurecr.io
  uses: docker/login-action@v1
  with:
    registry: myreg.azurecr.io
    username: myreg
    password: ${{ secrets.AZURECR_PASSWORD }}

You might also need to prune DOCKER_CONFIG in a post step.
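
The per-workflow DOCKER_CONFIG and the post-step pruning suggested above, as an added shell example that is not part of the thread or of docker/login-action. It goes slightly beyond the reply by also keying the directory on GITHUB_RUN_ATTEMPT, GITHUB_JOB and a random suffix, on the assumption that several jobs of one run can land on the same machine; the function names and the `docker-cfg-` prefix are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): one Docker client config per job.
# RUNNER_TEMP, GITHUB_RUN_ID, GITHUB_RUN_ATTEMPT and GITHUB_JOB are default
# GitHub Actions variables; the fallbacks only matter when run locally.
# Function names and the docker-cfg- prefix are hypothetical.

# Create a private config directory for this job and print its path.
make_docker_config() {
    base="${RUNNER_TEMP:-${TMPDIR:-/tmp}}"
    prefix="docker-cfg-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ATTEMPT:-1}-${GITHUB_JOB:-job}"
    # mktemp -d creates the directory owner-only (0700) with a random
    # suffix, so jobs of the same run never share a credential file.
    dir=$(mktemp -d "$base/$prefix.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Remove a directory created above; refuse anything else (e.g. ~/.docker).
prune_docker_config() {
    case "${1##*/}" in
        docker-cfg-*) ;;
        *) echo "refusing to prune '$1'" >&2; return 1 ;;
    esac
    [ ! -d "$1" ] || rm -rf -- "$1"
}

# Two concurrent jobs: B's cleanup must leave A's credentials intact.
demo() {
    a=$(make_docker_config) || return 1
    b=$(make_docker_config) || return 1
    # Constructed placeholder standing in for stored registry credentials.
    printf '{"auths":{"myreg.azurecr.io":{}}}\n' > "$a/config.json"
    printf '{"auths":{"myreg.azurecr.io":{}}}\n' > "$b/config.json"
    prune_docker_config "$b"        # job B finishes first and cleans up
    if [ -f "$a/config.json" ] && [ ! -e "$b" ]; then rc=0; else rc=1; fi
    prune_docker_config "$a"        # job A's own post step
    return "$rc"
}

# After sourcing this file in a workflow step:
#   echo "DOCKER_CONFIG=$(make_docker_config)" >> "$GITHUB_ENV"
# and in a final `if: always()` step:
#   prune_docker_config "$DOCKER_CONFIG"
demo && echo "job A kept its credentials after job B pruned its own config"
```

The name check in `prune_docker_config` keeps a mis-set DOCKER_CONFIG from deleting the runner's shared `~/.docker`.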
