Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-44249

withRegistry authentication fails in swarm container while using docker.inside

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: docker
    • Labels:
    • Environment:
      Jenkins 2.59 (in container), swam plugin 3.4 (in container), RHEL 7
    • Similar Issues:

      Description

      I'm running Jenkins and Jenkins swarm, both in containers in a Rancher environment with a private registry.  I've set up some swarm clients and for the most part everything works well.  Except for one scenario:

      If I try to run a build with docker.inside on the swarm client while using withRegistry, the authentication fails the to the private registry

      I'm not sure if this is a bug, or if I'm doing too much docker nesting.

      What I have found is the the docker credentials are written by Jenkins to the swarm container (/root/.docker/config.json), as opposed to in the build container.  I think this explains why it's not working.  

      I thought I could get around it by mounting /root on the swarm container with /root in the build container, but all that did was instead mount /root on the build container with /root in on swarm HOST instead (NOT the swarm container). e.g:

       

          agent {
              docker {
                  image 'shared-rep-01:5001/loans/ci-base'
                  args '-v /root:/root'
              }
          }
      

      I can do a 'docker login' in the Jenkinsfile as a workaround, but not ideal, as this makes the use of withReigstry pointless.

      Anyhow, like I said not sure if this a bug or not, as this use case doesn't seem all that crazy to me (but feel free to set me straight if it is!)

      Here is the Jenkinsfile:

      pipeline {
          agent {
              docker {
                  image 'shared-rep-01:5001/repo/ci-base'
              }
           }
           stages {
               stage('Build and Push Docker Image') {
                   steps {
                       script {
                           docker.withRegistry("$\{env.DOCKERHOST}",'nexusCredentials') {
                               def image = docker.build("repo/jenkins-test",'.')
                               image.push()
                           }
                       }
                   }
               }
          }
      }
      

      This ends up with:

      [loans-docker-test] Running shell script
      + docker pull shared-rep-01:5001/repo/ci-base
      Using default tag: latest
      latest: Pulling from repo/ci-base
      Digest: sha256:5937a61d8fa675b9e923c282db0c0c03c475a818f951db89c73669bc83a7246d
      Status: Image is up to date for shared-rep-01:5001/repo/ci-base:latest
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] sh
      [loans-docker-test] Running shell script
      + docker inspect -f . shared-rep-01:5001/repo/ci-base
      .
      [Pipeline] withDockerContainer
      swarm-client-95db6fe7 seems to be running inside container 2d8a8cca6f9974472269954e810d583e135f8f607b345e7c16288a7b40e06a43
      $ docker run -t -d -u 0:0 -w /var/tmp/workspace/loans-docker-test --volumes-from 2d8a8cca6f9974472269954e810d583e135f8f607b345e7c16288a7b40e06a43 -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** -e ******** --entrypoint cat shared-rep-01:5001/repo/ci-base
      [Pipeline] {
      [Pipeline] stage
      [Pipeline] { (Build and Push Docker Image)
      [Pipeline] script
      [Pipeline] {
      [Pipeline] withEnv
      [Pipeline] {
      [Pipeline] withDockerRegistry
      Wrote authentication to /root/.docker/config.json
      [Pipeline] {
      [Pipeline] sh
      [loans-docker-test] Running shell script
      + docker build -t repo/jenkins-test .
      Sending build context to Docker daemon 113.2 kB
      
      Step 1/2 : FROM shared-rep-01:5000/jenkinsci/jenkins
       ---> f7222aadcfeb
      Step 2/2 : ENV TEST test
       ---> Using cache
       ---> 3e1e8283f5c2
      Successfully built 3e1e8283f5c2
      [Pipeline] dockerFingerprintFrom
      [Pipeline] sh
      [loans-docker-test] Running shell script
      + docker tag --force=true repo/jenkins-test shared-rep-01:5001/repo/jenkins-test:latest
      unknown flag: --force
      See 'docker tag --help'.
      + docker tag repo/jenkins-test shared-rep-01:5001/repo/jenkins-test:latest
      [Pipeline] sh
      [loans-docker-test] Running shell script
      + docker push shared-rep-01:5001/repo/jenkins-test:latest
      The push refers to a repository [shared-rep-01:5001/repo/jenkins-test]
      958bfe9e37a0: Preparing
      ...
      no basic auth credentials
      

        Attachments

          Activity

          Hide
          garethdanielsmith Gareth Smith added a comment -

          I am having the same problem, but I am not using docker swarm: I just have a docker container that I want to be able to pull images inside of.

          Show
          garethdanielsmith Gareth Smith added a comment - I am having the same problem, but I am not using docker swarm: I just have a docker container that I want to be able to pull images inside of.
          Hide
          timwebster9 Tim Webster added a comment -

          Gareth Smith to be clear I wasn't using Docker Swarm, it was Jenkins swarm agent running in a container.  Rancher was the orchestrator.

          Show
          timwebster9 Tim Webster added a comment - Gareth Smith to be clear I wasn't using Docker Swarm, it was Jenkins swarm agent running in a container.  Rancher was the orchestrator.

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            timwebster9 Tim Webster
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: