-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not sure how to login to private registry #30
Comments
Maybe copying |
@solidsnack thank you for getting back to me. I'm pretty sure I tried copying the file over to /root/.dockercfg and it didn't work. I'll confirm today and get back to you. Is supporting authenticating with a private registry something that you would like to support in deimos directly by calling the docker 'login' command prior to pull, as opposed to relying on the presence of a .dockercfg file? If so, I'd be happy to take a shot at adding it. |
No dice when copying the file to /root/.dockercfg, still get a 403 when pulling. Just for the hell of it, I hardcoded a "docker login" call right before the pull in docker.py and did a find for the .dockercfg file. It ended up being placed in:
|
It'd be great to have support for it. Given what you've discovered, I'm really not sure what the best way to add it is -- logging in every time seems like a bad pattern -- but I'd be happy to accept what you come up with. Maybe the right thing to do is have Deimos copy a specific |
@solidsnack that would do the trick. The only way that I can think of providing the contents of the .dockercfg file to deimos is via an attribute in deimos.cfg. Perhaps base64 encoding a valid dockercfg file and providing it as a setting? When the executor sets up the working directory deimos can write the contents to the file. The .dockercfg file format allows the specification of credentials for multiple registries, so a global value for the dockercfg files should be able to hold login info for all of the containers expected to be deployed across the cluster. Does that sound like an acceptable approach? It's definitely a kludgy solution but the authentication interface with docker doesn't leave a while lot of options. |
Would it not be better to simply configure Deimos with a path to the [docker.index]
dockercfg = /etc/dockercfg Base64 encoding the file and inlining it would seem to have at the least the disadvantage that one is forced to treat the Deimos configuration file as a holder of secure credentials. |
Yes, that would be better. |
Haven't tested the code in 73b8872 but it's a start. Could you look it over and maybe give it a shot? |
@solidsnack I just tried out that commit but still received a 403. It looks like the docker pull is being executed prior to the dockercfg being placed. I traced it down to somewhere is this block: https://github.com/mesosphere/deimos/blob/dockercfg/deimos/docker.py#L20-L27 . Their is a comment which says "Forces external call to pre-fetch image". I tried moving the 'self.place_dockercfg()' call right before https://github.com/mesosphere/deimos/blob/dockercfg/deimos/containerizer/docker.py#L123, but https://github.com/mesosphere/deimos/blob/dockercfg/deimos/containerizer/docker.py#L328 is evaluating to false, so the config file is not set. |
There was a bug in the config loader. I've pushed a new branch with your changes and the fix to the config file reader. diff --git a/deimos/config.py b/deimos/config.py
index 097a1f2..ab58a1e 100644
--- a/deimos/config.py
+++ b/deimos/config.py
@@ -189,6 +189,9 @@ def parse(f):
del parsed["containers.options"]
if len(containers) > 0:
parsed["containers"] = Containers(**containers)
+ if "docker.index" in parsed:
+ parsed["index"] = parsed["docker.index"]
+ del parsed["docker.index"]
return _Struct(**parsed)
diff --git a/deimos/containerizer/docker.py b/deimos/containerizer/docker.py
index ac1155c..3b750a6 100644
--- a/deimos/containerizer/docker.py
+++ b/deimos/containerizer/docker.py
@@ -120,14 +120,14 @@ class Docker(Containerizer, _Struct):
else:
env += mesos_env() + [("MESOS_DIRECTORY", self.workdir)]
+ self.place_dockercfg()
+
runner_argv = deimos.docker.run(run_options, image, launchy.argv,
env=env, ports=launchy.ports,
cpus=cpus, mems=mems)
log_mesos_env(logging.DEBUG)
- self.place_dockercfg()
-
observer = None
with open("stdout", "w") as o: # This awkward multi 'with' is a
with open("stderr", "w") as e: # concession to 2.6 compatibility |
Just tried and received the following error:
I'm going to try and debug now ... |
@jschneiderhan How is this working out for you today? |
I just tried 95a7677, which is HEAD of the index-config-fixes branch, and it worked perfectly |
This made it in to 0.4.0 |
Great. This will be super-useful for people using a private registry. I'm going to close the issue as my use case is now met. Thanks @solidsnack! |
I'm trying to use mesos/marathon/deimos with an image hosted on a private registry, quay.io in my case. When I try to run the app, it fails with the following error:
Which makes sense. My login shell can pull from the registry because I run
docker login
. which cached my credentials in ~/.dockercfg. It doesn't look likedocker login
is executed here, and even if it did my credentials have not been passed in.Are there any known ways to allow deimos to authenticate with a private registry?
If I can help debug in any way let me know. I'm loving mesos/marathon/deimos so far!
The text was updated successfully, but these errors were encountered: