Secrets aren't added correctly

After trying to figure out forever why the docker plugin wasn’t authenticating, I tried setting a secret as an environment variable and logging it.

This is the pipeline:

kind: pipeline
type: docker
name: default

steps:
  - name: Test
    image: busybox:latest
    command:
      - env
    environment:
      TEST:
        from_secret: test_secret

This is what popped up:

TEST=[secret:test_secret]

It’s supposed to be “asdfasdf”. Any idea what might be wrong?

when the system finds a secret in plain text in your logs, it replaces the text. So the fact that you are seeing [secret:test_secret] in your logs is expected. It shows that the secret was injected and was masked.

Thanks. Any idea why this might not be authenticating? Authentication via docker login works fine.

  - name: Build
    image: plugins/docker
    settings:
      repo: hornet.garden/postgres-postgis
      registry: docker.b12f.io
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password

we would need to see the following information:

1. version of Drone you are using
2. a copy of your yaml configuration file.
3. the output of drone secret ls for your repository.
4. the output of drone build info for the failing build.
5. if you are using drone exec please make this clear
6. the logs for the relevant step

although one thing that jumps out is your repo does not use the full qualified image name, which is required when using a custom registry.

I tried both for repo name, threw the same error.

per the docs, you need to use the fully qualified repository name so that needs to be fixed in your yaml, regardless of what other problems you are experiencing.

steps:
- name: docker  
  image: plugins/docker
  settings:
    username: kevinbacon
    password: pa55word
    repo: index.company.com/foo/bar
    registry: index.company.com

1. drone/drone:1 with drone/drone-runner-docker:1
2. I’m not using one, but the env variables are as follows:

      DRONE_AGENTS_ENABLED: "true"
      DRONE_GITEA_CLIENT_ID: $DRONE_GITEA_CLIENT_ID
      DRONE_GITEA_CLIENT_SECRET: $DRONE_GITEA_CLIENT_SECRET
      DRONE_SERVER_HOST: $CI_HOST
      DRONE_SERVER_PROTO: https
      DRONE_GITEA_SERVER: https://${GIT_HOST}
      DRONE_RPC_SECRET: $DRONE_SECRET

And for the runner:

      DRONE_RPC_HOST: drone-server
      DRONE_RPC_PROTO: http
      DRONE_RPC_SECRET: $DRONE_SECRET
      DRONE_RUNNER_CAPACITY: $CPU_NUM

# drone secret ls hornet.garden/postgres-postgis
docker_password 
Pull Request Read:  false
Pull Request Write: false

docker_username 
Pull Request Read:  false
Pull Request Write: false

test_secret 
Pull Request Read:  true
Pull Request Write: false

# drone build info hornet.garden/postgres-postgis
Number: 18
Status: failure
Event: push
Commit: bd55ba230378ef3d3c0aeea7c92e97bd2063be52
Branch: master
Ref: refs/heads/master
Author:  <hello@benjaminbaedorf.eu>
Message: trying with changed image name

5. I am not

latest: Pulling from plugins/docker
Digest: sha256:e4d532a1d03ce874241103eacc8f8d410c1c4dc163beed063e392ba68ce078c4
Status: Image is up to date for plugins/docker:latest
+ /usr/local/bin/dockerd --data-root /var/lib/docker
time="2019-11-08T16:24:14Z" level=fatal msg="Error authenticating: exit status 1"

I recommend adding debug: true to your configuration and re-posting the logs:

  settings:
    username: kevinbacon
    password: pa55word
    repo: index.company.com/foo/bar
    registry: index.company.com
+   debug: true

latest: Pulling from plugins/docker
Digest: sha256:e4d532a1d03ce874241103eacc8f8d410c1c4dc163beed063e392ba68ce078c4
Status: Image is up to date for plugins/docker:latest
+ /usr/local/bin/dockerd --data-root /var/lib/docker
time="2019-11-08T17:56:26.338720382Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
time="2019-11-08T17:56:26.339195510Z" level=info msg="libcontainerd: started new containerd process" pid=33
time="2019-11-08T17:56:26.339217608Z" level=info msg="parsed scheme: \"unix\"" module=grpc
time="2019-11-08T17:56:26.339224393Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
time="2019-11-08T17:56:26.339262330Z" level=info msg="ccResolverWrapper: sending new addresses to cc: [{unix:///var/run/docker/containerd/containerd.sock 0  <nil>}]" module=grpc
time="2019-11-08T17:56:26.339271869Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
time="2019-11-08T17:56:26.339336272Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420851b20, CONNECTING" module=grpc
time="2019-11-08T17:56:26Z" level=info msg="starting containerd" revision=468a545b9edcd5932818eb9de8e72413e616e86e version=v1.1.2 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." type=io.containerd.content.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." type=io.containerd.snapshotter.v1 
time="2019-11-08T17:56:26Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.btrfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.aufs"..." type=io.containerd.snapshotter.v1 
time="2019-11-08T17:56:26Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.aufs" error="modprobe aufs failed: "ip: can't find device 'aufs'\naufs                  258048  0 \nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1" 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.native"..." type=io.containerd.snapshotter.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.overlayfs"..." type=io.containerd.snapshotter.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1 
time="2019-11-08T17:56:26Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.zfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter" 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.metadata.v1.bolt"..." type=io.containerd.metadata.v1 
time="2019-11-08T17:56:26Z" level=warning msg="could not use snapshotter btrfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter" 
time="2019-11-08T17:56:26Z" level=warning msg="could not use snapshotter aufs in metadata plugin" error="modprobe aufs failed: "ip: can't find device 'aufs'\naufs                  258048  0 \nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1" 
time="2019-11-08T17:56:26Z" level=warning msg="could not use snapshotter zfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter" 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.differ.v1.walking"..." type=io.containerd.differ.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.gc.v1.scheduler"..." type=io.containerd.gc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.containers-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.content-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.diff-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.images-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.leases-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.namespaces-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.snapshots-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.monitor.v1.cgroups"..." type=io.containerd.monitor.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.runtime.v1.linux"..." type=io.containerd.runtime.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.service.v1.tasks-service"..." type=io.containerd.service.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.containers"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.content"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.diff"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.events"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.healthcheck"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.images"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.leases"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.namespaces"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.snapshots"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.tasks"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.version"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg="loading plugin "io.containerd.grpc.v1.introspection"..." type=io.containerd.grpc.v1 
time="2019-11-08T17:56:26Z" level=info msg=serving... address="/var/run/docker/containerd/containerd-debug.sock" 
time="2019-11-08T17:56:26Z" level=info msg=serving... address="/var/run/docker/containerd/containerd.sock" 
time="2019-11-08T17:56:26Z" level=info msg="containerd successfully booted in 0.134218s" 
time="2019-11-08T17:56:26.481479258Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420851b20, READY" module=grpc
time="2019-11-08T17:56:26.486593535Z" level=info msg="parsed scheme: \"unix\"" module=grpc
time="2019-11-08T17:56:26.486642909Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
time="2019-11-08T17:56:26.486828661Z" level=info msg="ccResolverWrapper: sending new addresses to cc: [{unix:///var/run/docker/containerd/containerd.sock 0  <nil>}]" module=grpc
time="2019-11-08T17:56:26.486873080Z" level=info msg="parsed scheme: \"unix\"" module=grpc
time="2019-11-08T17:56:26.486877735Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
time="2019-11-08T17:56:26.486896514Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
time="2019-11-08T17:56:26.487035420Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420851ec0, CONNECTING" module=grpc
time="2019-11-08T17:56:26.487182926Z" level=info msg="ccResolverWrapper: sending new addresses to cc: [{unix:///var/run/docker/containerd/containerd.sock 0  <nil>}]" module=grpc
time="2019-11-08T17:56:26.487277955Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
time="2019-11-08T17:56:26.487410622Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc420851ec0, READY" module=grpc
time="2019-11-08T17:56:26.487525086Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc42093e140, CONNECTING" module=grpc
time="2019-11-08T17:56:26.487606886Z" level=info msg="blockingPicker: the picked transport is not ready, loop back to repick" module=grpc
time="2019-11-08T17:56:26.488649659Z" level=info msg="pickfirstBalancer: HandleSubConnStateChange: 0xc42093e140, READY" module=grpc
time="2019-11-08T17:56:26.714227676Z" level=info msg="Graph migration to content-addressability took 0.00 seconds"
time="2019-11-08T17:56:26.714653658Z" level=warning msg="Your kernel does not support swap memory limit"
time="2019-11-08T17:56:26.714766607Z" level=warning msg="Your kernel does not support cgroup rt period"
time="2019-11-08T17:56:26.714801050Z" level=warning msg="Your kernel does not support cgroup rt runtime"
time="2019-11-08T17:56:26.714845437Z" level=warning msg="Your kernel does not support cgroup blkio weight"
time="2019-11-08T17:56:26.714865343Z" level=warning msg="Your kernel does not support cgroup blkio weight_device"
time="2019-11-08T17:56:26.715700822Z" level=info msg="Loading containers: start."
time="2019-11-08T17:56:26.723341096Z" level=warning msg="Running modprobe nf_nat failed with message: `ip: can't find device 'nf_nat'\nnf_nat_ipv4            16384  2 ipt_MASQUERADE,iptable_nat\nnf_nat                 36864  2 xt_nat,nf_nat_ipv4\nnf_conntrack          139264  6 xt_nat,ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,xt_conntrack,nf_nat\nlibcrc32c              16384  4 nf_nat,nf_conntrack,btrfs,raid456\nmodprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1"
time="2019-11-08T17:56:26.728677026Z" level=warning msg="Running modprobe xt_conntrack failed with message: `ip: can't find device 'xt_conntrack'\nxt_conntrack           16384 15 \nnf_conntrack          139264  6 xt_nat,ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,xt_conntrack,nf_nat\nx_tables               40960  9 xt_nat,xt_tcpudp,ipt_MASQUERADE,xt_addrtype,xt_conntrack,ipt_REJECT,xt_multiport,iptable_filter,ip_tables\nmodprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1"
time="2019-11-08T17:56:27.031405854Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
time="2019-11-08T17:56:27.192759824Z" level=info msg="Loading containers: done."
time="2019-11-08T17:56:27.645290245Z" level=info msg="Docker daemon" commit=4d60db4 graphdriver(s)=overlay2 version=18.09.0
time="2019-11-08T17:56:27.645468767Z" level=info msg="Daemon has completed initialization"
time="2019-11-08T17:56:27.966932963Z" level=warning msg="Could not register builder git source: failed to find git binary: exec: \"git\": executable file not found in $PATH"
time="2019-11-08T17:56:27.973521127Z" level=info msg="API listen on /var/run/docker.sock"
time="2019-11-08T17:56:28.102160340Z" level=error msg="Handler for POST /v1.39/auth returned error: login attempt to https://docker.b12f.io/v2/ failed with status: 401 Unauthorized"
time="2019-11-08T17:56:28Z" level=fatal msg="Error authenticating: exit status 1"

POST /v1.39/auth returned error: login attempt to https://docker.b12f.io/v2/ failed with status: 401 Unauthorized

In my experience this tells me the username or password is incorrect. If the password were blank (i.e. not injected properly) you would see the following entry in the logs [1]

Registry credentials not provided. Guest mode enabled.

since this entry is not visible, it means the username and password are being correctly provided but the registry is rejecting your credentials. We see this somewhat frequently where people accidentally copy paste and include a space or a newline, or add from the command line and include a newline, or just use the wrong credentials.

[1] https://github.com/drone-plugins/drone-docker/blob/master/docker.go#L86:L99

Ok thanks. I checked that there wasn’t a newline when I added the username/password, but I’ll check if there’s something faulty about the htpasswd file then.