Type: Bug
Resolution: Not A Defect
Priority: Minor
Environment: Jenkins 2.107.3, Docker Pipeline 1.17
Given these two Jenkinsfiles, the one that uses cp on the credentials file works: the key will be read when trying to do a docker push of a signed image using the private key.
However, if we symlink to the credentials file instead, it will not be found when trying to push a signed image.
    // Variant 1: symlink the key file into the trust store. The push fails because
    // the Docker CLI does not find the signing key behind the symlink.
    node('master') {
        stage('Push to private registry') {
            withCredentials([
                string(credentialsId: 'repo_passphrase', variable: 'SIGNED_PASSPHRASE'),
                file(credentialsId: 'docker_pw', variable: 'DOCKER_PW'),
                file(credentialsId: 'trust_key', variable: 'TRUST_KEY')
            ]) {
                withEnv([
                    'DOCKER_CONTENT_TRUST=1',
                    'DOCKER_CONTENT_TRUST_SERVER=https://privateregistry:4443',
                    // Passphrase bound by withCredentials above as SIGNED_PASSPHRASE
                    "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${SIGNED_PASSPHRASE}"
                ]) {
                    sh "mkdir -p ${HOME}/.docker/trust/private"
                    // Link rather than copy: the only step that differs from the working variant
                    sh "ln -s ${TRUST_KEY} ${env.HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
                    // Password is read from the file by the shell, not interpolated by Groovy
                    sh 'cat ${DOCKER_PW} | docker login privateregistry.com --username jenkins --password-stdin'
                    sh "docker push privateregistry.com/library/image:${env.BUILD_ID}"
                    sh 'docker logout privateregistry.com'
                    sh "rm ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
                }
            }
        }
    }
    // Variant 2: copy the key file into the trust store. This one works.
    node('master') {
        stage('Push to private registry') {
            withCredentials([
                string(credentialsId: 'repo_passphrase', variable: 'SIGNED_PASSPHRASE'),
                file(credentialsId: 'docker_pw', variable: 'DOCKER_PW'),
                file(credentialsId: 'trust_key', variable: 'TRUST_KEY')
            ]) {
                withEnv([
                    'DOCKER_CONTENT_TRUST=1',
                    'DOCKER_CONTENT_TRUST_SERVER=https://privateregistry:4443',
                    "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=${SIGNED_PASSPHRASE}"
                ]) {
                    // Start from a clean trust store (POSIX test so this also works when sh is dash)
                    sh "if [ -d ${HOME}/.docker ]; then rm -rf ${HOME}/.docker; fi"
                    sh "mkdir -p ${HOME}/.docker/trust/private"
                    // Copy rather than link: the only step that differs from the failing variant
                    sh "cp ${TRUST_KEY} ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
                    sh 'ls -lah ${HOME}/.docker/trust/private/'
                    // Password is read from the file by the shell, not interpolated by Groovy
                    sh 'cat ${DOCKER_PW} | docker login privateregistry.com --username jenkins --password-stdin'
                    sh "docker push privateregistry.com/library/image:${BUILD_ID}"
                    sh 'docker logout privateregistry.com'
                    sh "rm ${HOME}/.docker/trust/private/`basename ${TRUST_KEY}`"
                }
            }
        }
    }
This has to do with the way the Docker CLI interprets symlinks; there are some security issues when the Docker CLI tries to resolve symlinks, and as such this has nothing to do with Jenkins.
Closing issue.
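A hardened form of the working cp step, written as POSIX sh functions that the pipeline's `sh` calls could source; this is an added example, not code from the issue, Jenkins or Docker. It stages the key as a regular file (the CLI does not load a symlink there, as the closing comment explains), restricts permissions, and removes the key again even when the push fails, which the Jenkinsfile's trailing `rm` does not do because a failed `sh` step aborts the stage. The trust directory is a parameter so the functions can be exercised outside `$HOME`; the "regular file, not a symlink" check is an assumption that mirrors the observed behaviour, not taken from the CLI's source.

```shell
# trust_key_loadable <path>
# Succeeds only if <path> is a regular file that is not itself a symlink; this is
# assumed to match what the Docker CLI accepts in ~/.docker/trust/private (the
# issue shows a symlink there is not found).
trust_key_loadable() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# stage_trust_key <source-key-file> <trust-private-dir>
# Copies the key into the trust directory as a real file with 0600 permissions
# and prints the staged path. A stale entry of the same name (for example a
# symlink left by an earlier run) is removed first so cp never writes through
# a link; on any failure nothing is left behind.
stage_trust_key() {
    src=$1
    dir=$2
    [ -f "$src" ] || { echo "stage_trust_key: $src is not a regular file" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    dest="$dir/$(basename "$src")"
    rm -f "$dest"
    if ! cp "$src" "$dest" || ! chmod 600 "$dest" || ! trust_key_loadable "$dest"; then
        rm -f "$dest"
        return 1
    fi
    printf '%s\n' "$dest"
}

# with_trust_key <source-key-file> <trust-private-dir> <command> [args...]
# Stages the key, runs the command (the docker push in the pipeline) and removes
# the key again whether or not the command succeeded, returning the command's
# exit status so the pipeline step still fails when the push does.
with_trust_key() {
    src=$1
    dir=$2
    shift 2
    staged=$(stage_trust_key "$src" "$dir") || return 1
    "$@" && rc=0 || rc=$?
    rm -f "$staged"
    return "$rc"
}
```

In the Jenkinsfile the copy and push lines would become a single `sh 'with_trust_key "$TRUST_KEY" "$HOME/.docker/trust/private" docker push privateregistry.com/library/image:$BUILD_ID'`, leaving no key on the agent after the step.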