Local user and idempotent operation with registry logins to same host, different users #239

Closed
elijahsgh opened this issue May 29, 2018 · 6 comments · Fixed by #497

Comments

@elijahsgh

elijahsgh commented May 29, 2018

What happened?

My registry logins are overwritten by logins to registries on the same server.

What did I expect?

I expected to be able to log in to the same registry with different users.

When using docker::registry to log in to a registry, it appears that it will overwrite a previous login if the server name (and local user) matches. The docker::registry resources run first, which causes some registries to be overwritten.

In the code,

# [*local_user*]
#   The local user to log in as. Docker will store credentials in this
#   users home directory

It appears that the receipts are stored in /root, though? This seems fine for my use-case, but it seems like having the receipt generated with a resource name or similar could be beneficial. It also seems to be a bug in the code comment since it seems fixed to store those receipts in /root, but that's nonsensical as the $local_user wouldn't have access to write to /root.

@davejrt
Contributor

davejrt commented May 31, 2018

Hi

As per our template can you please provide manifests and log files to replicate the issue?

@elijahsgh
Author

elijahsgh commented May 31, 2018

This should probably be split into two different issues but the code should make it much clearer to follow than log files.

The first issue is the Registry resource being anchored here:
https://github.com/puppetlabs/puppetlabs-docker/blob/master/manifests/init.pp#L625

All Registry resources are anchored before images. If I wanted to pull two different images that required logins from two different users but are at the same registry, the second Registry resource will overwrite the first before any Image resources are pulled. GitLab, for example, has the concept of Deploy Tokens that are different for each project and the last Registry resource will overwrite the first Registry resource.

It is important to note that if the local_user parameter worked correctly then this would be an issue that could be worked around.

Then the local_user problem:
It's probably easier to see how this resource cannot work correctly by reviewing the code.

This exec resource has a user:
https://github.com/puppetlabs/puppetlabs-docker/blob/master/manifests/registry.pp#L92

That user is expected to be able to rm files in /root per this command:
https://github.com/puppetlabs/puppetlabs-docker/blob/master/manifests/registry.pp#L80

And all receipt files are created in /root:
https://github.com/puppetlabs/puppetlabs-docker/blob/master/manifests/registry.pp#L82

This can't ever work as written with a local_user defined as they cannot remove files from /root (unless, of course, they are root).

@mleklund

mleklund commented Aug 2, 2018

We have some code that works pretty well for this that I would not mind contributing to the cause, but I am not sure I have the time to work up tests in your testing frameworks. Let me know if you would like me to create a pull request for it.

@Jeoffreybauvin

Hi there,

We have the same issue. If you use docker::registry with a non-root local_user, it is not working. See this: d0f55db

It seems to be fixed with this commit in master. Can you make a release to the forge please?

@davejrt
Contributor

davejrt commented Jan 10, 2019

We are planning to release very shortly. Apologies for the delays in getting something out there.

@venushka
Contributor

There still seem to be assumptions in the code that the non-root user can delete files in /root. i.e.

$_auth_command = "${auth_cmd} || rm -f \"/root/registry-auth-puppet_receipt_${server_strip}_${local_user}\""

on line 106 in registry.pp assumes that if the command fails, the file in /root will be deleted. However, the exec on line 142 executes this command as the local_user.
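
An added example, not code from the puppetlabs-docker module or from any commenter: a mode-bit check of whether a given uid could remove a receipt file, which is what the `|| rm -f` cleanup discussed in this thread relies on when the exec runs as `local_user`. The two directories, the receipt file name suffix and the second uid are constructed stand-ins; ACLs, capabilities and SELinux/AppArmor are not considered.

```python
import os
import stat
import tempfile

def _triplet(st, uid, gids):
    """Return the rwx bits (owner, group or other) that apply to uid."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_remove(path, uid, gids=()):
    """True if uid could unlink path, judged from mode bits alone."""
    if uid == 0:
        return True
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # Unlinking needs write (2) and search (1) on the containing directory.
    if (_triplet(parent, uid, gids) & 3) != 3:
        return False
    if parent.st_mode & stat.S_ISVTX:
        # Sticky directory: only the file's or the directory's owner may unlink.
        try:
            return uid in (os.lstat(path).st_uid, parent.st_uid)
        except FileNotFoundError:
            return True  # nothing to delete, so `rm -f` would succeed
    return True

def demo():
    """Constructed stand-ins: a 0700 directory for /root, a 1777 one like /tmp."""
    me = os.getuid()
    other = me + 1  # constructed uid playing the non-root local_user
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("root_like", 0o700), ("tmp_like", 0o1777)):
            directory = os.path.join(base, name)
            os.mkdir(directory)
            # Constructed receipt name following the pattern quoted above.
            receipt = os.path.join(directory, "registry-auth-puppet_receipt_example_appuser")
            open(receipt, "w").close()
            os.chmod(directory, mode)
            results[name] = (can_remove(receipt, me), can_remove(receipt, other))
    return results

if __name__ == "__main__":
    for name, (owner_ok, other_ok) in demo().items():
        print(f"{name}: owner can remove={owner_ok}, other uid can remove={other_ok}")
```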

florindragos pushed a commit that referenced this issue Jun 19, 2019
* fix local user permission denied

* fix offenses

* fix specs