Plugins/docker cannot pull the image from a custom Docker registry

Hi,

The following configuration does not work when there are “docker_username” & “docker_password” secrets set along with the repo’s registry, having “image:” & “repo:” set to the same custom Docker registry.

But it will work only when I set “image: plugins/docker:17.10”. (Publicly accessible image at the official Docker Hub image repository).

Example configuration:

pipeline:
  publish:
    image: custom-docker-registry.com:5010/plugins/docker:17.10
    registry: custom-docker-registry.com:5010
    repo: custom-docker-registry.com:5010/andrey01/testapp1
    tag: latest
    dockerfile: Dockerfile
    secrets: [ docker_username, docker_password ]
    when:
      event: [push, tag]

Error message:

+ /usr/local/bin/dockerd -g /var/lib/docker
time="2018-02-11T21:22:55Z" level=fatal msg="Error authenticating: exit status 1" 

Repo configuration:

$ drone registry ls arno/testapp1
custom-docker-registry.com:5010 
Username: arno
Email: 

$ drone repo info arno/testapp1
Owner: arno
Repo: testapp1
Type: git
Config: .drone.yml
Visibility: private
Private: true
Trusted: false
Gated: false
Remote: https://redacted.com/arno/testapp1.git

$ drone secret ls arno/testapp1
docker_username 
Events: push, tag, deployment
Images: <any>

docker_password 
Events: push, tag, deployment
Images: <any>

docker_username & docker_password are the same as I have set for the registry.

drone v0.8.4

I have also tried plugins/docker:17.12.

The following code is working fine:

pipeline:
  kubectl:
    image: custom-docker-registry.com:5010/andrey01/kubectl:1.9.1
    pull: true
    commands:
      - "sh .drone.sh"

My first guess is that the “docker_username” & “docker_password” secrets set in “publish:” are somehow preventing the docker username & password set in the repo’s registry from being read, breaking “image:” pulling.

  • How would Drone / Docker behave when there are “docker_username” & “docker_password” secrets set along with the repo’s registry, having “image:” & “repo:” set to the same custom Docker registry?
  • Do “docker_username” & “docker_password” secrets have something to do with “image:” ?
  • Does “registry:” apply only to “repo:” ?

It would have been great to see in the log additional bits of information which could show the stage when auth breaks - at the image: pull or at the repo: push?

Thanks,
Andrey Arapov

Okay, I have found the reason why it was not working.

My guess was wrong; it all came down to the plugins/docker image not running in privileged mode.
When using a custom Docker registry for the “plugins/docker” image, one has to make sure that the privileged flag is set to true and that the repo has Trusted set to true.

Working configuration:

pipeline:
  publish:
    image: custom-docker-registry.com:5010/plugins/docker:17.10
    privileged: true
    registry: custom-docker-registry.com:5010
    repo: custom-docker-registry.com:5010/andrey01/testapp1
    tag: latest
    dockerfile: Dockerfile
    secrets: [ docker_username, docker_password ]
    when:
      event: [push, tag]

I am wondering, is this expected that plugins/docker container is automatically starting in a privileged mode without having the privileged: true in .drone.yml ?

It is clear that whoever uses plugins/docker would need to run it in a privileged mode.

But how would one prevent a non-admin user from setting privileged: true (when the repo Trusted: false), while keeping the same behavior, except when the plugins/docker is running from a custom docker registry?

How does Drone decide that plugins/docker needs to run in a privileged mode, and is this valid only for this particular plugin when it is pulled from the official Docker Hub registry?

I have created a follow-up to warn a user when the plugins/docker is running non-privileged and have included the above 3 questions there as well https://github.com/drone-plugins/drone-docker/issues/170

Hey there, let's avoid creating Discourse threads and GitHub issues for the same topic.

> I am wondering, is this expected that plugins/docker container is automatically starting in a privileged mode without having the privileged: true in .drone.yml ?

Yes, but in this case you are not using plugins/docker … you are using custom-docker-registry.com:5010/plugins/docker which is not the same thing. If you would like your plugin to automatically run in privileged mode, you need to pass the following environment variable to your drone server installation.

DRONE_ESCALATE=custom-docker-registry.com:5010/plugins/docker
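An added illustration, not part of any post above and not Drone's own code: a simplified Go model of the decision discussed in this thread, showing why the registry-prefixed image name does not match `plugins/docker` and which settings make the step run privileged. The function names are hypothetical, and the comma-separated list format and tag-insensitive comparison are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// trimImage drops the digest and tag but keeps the registry host, so the
// ":5010" port is not mistaken for a tag.
func trimImage(image string) string {
	if i := strings.Index(image, "@"); i >= 0 {
		image = image[:i]
	}
	// A tag separator can only appear after the last "/".
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		image = image[:i]
	}
	return image
}

// isEscalated reports whether image matches an entry of the escalation list.
// Assumption: the list is comma-separated and tags are ignored on both sides.
func isEscalated(image, escalate string) bool {
	for _, entry := range strings.Split(escalate, ",") {
		if e := strings.TrimSpace(entry); e != "" && trimImage(e) == trimImage(image) {
			return true
		}
	}
	return false
}

// runsPrivileged: automatic escalation, or an explicit "privileged: true"
// that is honoured only when the repo is Trusted.
func runsPrivileged(image, escalate string, privileged, trusted bool) bool {
	return isEscalated(image, escalate) || (privileged && trusted)
}

func main() {
	const custom = "custom-docker-registry.com:5010/plugins/docker:17.10"
	const hubOnly = "plugins/docker" // constructed list value
	const extended = "plugins/docker,custom-docker-registry.com:5010/plugins/docker"
	fmt.Println(runsPrivileged("plugins/docker:17.10", hubOnly, false, false)) // true
	fmt.Println(runsPrivileged(custom, hubOnly, false, false))                 // false: the failing setup
	fmt.Println(runsPrivileged(custom, hubOnly, true, false))                  // false: repo not Trusted
	fmt.Println(runsPrivileged(custom, hubOnly, true, true))                   // true: the working setup
	fmt.Println(runsPrivileged(custom, extended, false, false))                // true: DRONE_ESCALATE
}
```

Because the comparison is on the full name including the registry host, an image that merely ends in `/plugins/docker` on another registry is not escalated unless an administrator lists it explicitly.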