[Solved] Can't pull from private repository

This is from my dockerfile:

FROM node:8-slim
RUN ...
....

And this is my .drone.yaml

pipeline:
  install:
    image: node:8-slim
    commands:
      - node -v
      - npm -v
      - yarn --version
      - yarn config set cache-folder .yarn-cache
      - yarn install

  publish:
    image: plugins/docker
    repo: my-private-registry.com/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}
    registry: my-private-registry.com
    dockerfile: Dockerfile
    secrets: [ docker_username, docker_password ]
    tags:
      - ${DRONE_BRANCH}-latest
    when:
      branch: develop
      event: push
      status: success

  docker:
    image: plugins/docker
    repo: ${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}
    dockerfile: Dockerfile
    secrets:
      - source: docker_hub_username
        target: docker_username
      - source: docker_hub_password
        target: docker_password
    tags:
      - ${DRONE_BRANCH}-latest
    when:
      branch: [ develop, master ]
      event: push
      status: success

The above is working perfectly fine. However, when I change the base image to a private registry like this:

FROM my-private-registry.com
RUN ...
....

My publish step is working, but the docker step is not working, for the following reason:

pull access denied formy-private-registry.como/node/runner, repository does not exist or may require 'docker login'

I’ve already set up my private registry in the Registries menu… and I assume it’s working because the publish step is successfully downloading the image from my private registry, but the docker step cannot download it… What else should I do?

I think in this case there is a misunderstanding of how registry credentials work. They are only used to pull images defined in the yaml (i.e. image: <image>). The credentials are never exposed to your pipeline steps, and therefore, are not available to the Docker plugin.

If you want to pass credentials to the Docker plugin, you need to configure secrets. For more details see https://0-8-0.docs.drone.io/manage-secrets/

Ahh, I understood secrets and registry credentials. However, I had misunderstood that secrets or credentials are never exposed to the dockerfile directly. Unfortunately, I couldn’t understand the example written in the docs.
Could you show me how I can use a private repository in my dockerfile?

Oh wait: If registry credentials are not exposed to the dockerfile, why does my publish step work while the docker step does not? This is confusing me, because they’re using the exact same dockerfile.

@bradrydzewski bumping.

Oh wait: If registry credentials are not exposed to the dockerfile, why does my publish step work while the docker step does not? This is confusing me, because they’re using the exact same dockerfile.

so assuming they use the same dockerfile …

  1. in your publish step you provide your dockerhub username and password (via secrets)
  2. the dockerfile in your publish step uses a private image from a private registry in the FROM directive
  3. the publish step does not have access to your private registry username and password. it only has your dockerhub username and password.

So do you see the issue here?

You cannot pass the Docker plugin multiple username and password combinations via secrets. You can only pass a single username and password via secrets. This particular use case is therefore not supported by the Docker plugin, because your example requires multiple sets of credentials.

So why do the registry credentials (that you configured via the UI) not work? Because this is not how registry credentials are used. Registry credentials are only used internally, by Drone, to pull Docker images that are defined in an image tag in the yaml (example below). Registry credentials are not passed to plugins. Only secrets are passed to plugins.

pipeline:
  foo:
+   image: formy-private-registry.com/node/runner

But isn’t Drone pulling my Docker image in the publish step? No. Drone is not pulling the Docker image. The Docker Plugin is pulling the Docker image. This is an important distinction to make.

I see, so I can only pass a single docker_username, docker_password pair of secrets into the docker plugin. I’ve pushed my runner image to Docker Hub and the problem is solved.
Thanks for the explanation of these limits.
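
An added example, not part of the original thread or of Drone's code: a small Python check that compares the registry of each FROM image in a Dockerfile with the single registry a plugins/docker step logs in to, which is the mismatch discussed above. The function names, the sample Dockerfile and the step dictionaries are constructed for illustration.

```python
import re

DOCKER_HUB = "docker.io"  # registry Docker assumes when an image name carries no host

def registry_of(image):
    """Registry host of an image reference. Docker treats the first path component
    as a host only if it contains '.' or ':' or equals 'localhost'."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB

def base_images(dockerfile_text):
    """External images named in FROM lines (skips 'scratch' and earlier build stages)."""
    stages, images = set(), []
    pattern = re.compile(r"\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
    for line in dockerfile_text.splitlines():
        match = pattern.match(line)
        if not match:
            continue
        image, alias = match.group(1), match.group(2)
        if image != "scratch" and image.lower() not in stages:
            images.append(image)
        if alias:
            stages.add(alias.lower())
    return images

def login_host(step):
    """Registry the plugin step logs in to; with no 'registry' setting that is Docker Hub."""
    host = re.sub(r"^https?://", "", step.get("registry", DOCKER_HUB)).split("/")[0]
    return DOCKER_HUB if host.endswith("docker.io") else host

def bases_without_credentials(dockerfile_text, step):
    """Base images on a registry the step has no login for: pulled anonymously or not at all."""
    return [i for i in base_images(dockerfile_text) if registry_of(i) != login_host(step)]

# Constructed inputs modelled on the thread (the image path comes from the error message).
DOCKERFILE = "FROM my-private-registry.com/node/runner\nRUN echo build\n"
PUBLISH_STEP = {"image": "plugins/docker", "registry": "my-private-registry.com"}
DOCKER_STEP = {"image": "plugins/docker"}  # no registry setting, so Docker Hub

if __name__ == "__main__":
    for name, step in (("publish", PUBLISH_STEP), ("docker", DOCKER_STEP)):
        print(name, bases_without_credentials(DOCKERFILE, step))
```

An image listed for a step is only a problem when its registry requires authentication: a public base such as node:8-slim is listed for the publish step but still pulls anonymously.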