Jenkins / JENKINS-67324

docker.withRegistry fails to escape quotes (") on Windows when performing docker login


      Environment:

      • Jenkins 2.303.3
      • Running against a Kubernetes cluster with Windows and Linux nodes
      • Docker Pipeline plugin at version 1.26

      When:

      1. Create a JSON-style credential for a container repository (ours is GCR), with credential type "username and password":

      user: _json_key
      password:

      { "type": "service_account", "project_id": "myproject", "private_key_id": "94c790****************56129", "private_key": "-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n", "client_email": "accountemail@domain.gserviceaccount.com", "client_id": "12345678901234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/accountemail%40domain.iam.gserviceaccount.com" }
      

      2. In a declarative pipeline, use the credentials to log in to a container registry using a Linux node:

      pipeline {
        agent { label 'linux-dockercli' }
        options { skipDefaultCheckout() }
        stages {
          stage('test') {
            steps {
              container('dockercli') {
                script {
                  docker.withRegistry('https://us.gcr.io', 'myproject') {
                    echo "success!"
                  }
                }
              }
            }
          }
        }
      }
      

      3. When running the pipeline, notice that the pipeline succeeds

      Executing sh script inside container dockercli of pod linux-dockercli-277rn
      Executing command: "docker" "login" "-u" "_json_key" "-p" ******** \"type\": \"service_account\", \"project_id\": \"myproject\", \"private_key_id\": \"94c790****************56129\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n\", \"client_email\": \"accountemail@domain.iam.gserviceaccount.com\", \"client_id\": \"12345678901234567890\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509accountemail%40domain.iam.gserviceaccount.com\" }" "https://us.gcr.io" 
      exit
      WARNING! Using --password via the CLI is insecure. Use --password-stdin.
      WARNING! Your password will be stored unencrypted in /home/jenkins/agent/workspace/dockers_test@tmp/fd152d38-7cbf-4e0f-89bf-c64e3498048f/config.json.
      Configure a credential helper to remove this warning. See
      https://docs.docker.com/engine/reference/commandline/login/#credentials-store
      
      Login Succeeded
      

      4. Reuse the same pipeline, but now target a Windows node:

      pipeline {
        agent { label 'windows-dockercli' }
        options { skipDefaultCheckout() }
        stages {
          stage('test') {
            steps {
              container('dockercli') {
                script {
                  docker.withRegistry('https://us.gcr.io', 'myproject') {
                    echo "success!"
                  }
                }
              }
            }
          }
        }
      }
      

      5. Observe that the pipeline failed because we failed to log in with Docker

      Executing cmd script inside container dockercli of pod windows-dockercli-h684b
      Microsoft Windows [Version 10.0.17763.2300]
      (c) 2018 Microsoft Corporation. All rights reserved.
      
      C:\home\jenkins\agent>Executing command: "docker" "login" "-u" "_json_key" "-p" ******** "type": "service_account", "project_id": "myproject", "private_key_id": "94c790****************56129", "private_key": "-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n", "client_email": "accountemail@domain.iam.gserviceaccount.com", "client_id": "12345678901234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/accountemail%40domain.iam.gserviceaccount.com" }" "https://us.gcr.io" 
      exit
      set BRANCH_NAME=test
      
      C:\home\jenkins\agent>set BUILD_DISPLAY_NAME=#39
      
      C:\home\jenkins\agent>set BUILD_ID=39
      
      C:\home\jenkins\agent>set BUILD_NUMBER=39
      
      [...]
      
      C:\home\jenkins\agent>set WORKSPACE_TMP=C:homejenkinsagent/workspace/dockers_ubuntu-linux-20.04@tmp
      
      C:\home\jenkins\agent>"docker" "login" "-u" "_json_key" "-p" "{ "type": "service_account", "project_id": "myproject", "private_key_id": "94c790****************56129", "private_key": "-----BEGIN PRIVATE KEY-----\nMII***cQQ2SH\n-----END PRIVATE KEY-----\n", "client_email": "accountemail@domain.iam.gserviceaccount.com", "client_id": "12345678901234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/accountemail%40domain.iam.gserviceaccount.com" }" "https://us.gcr.io" 
      "docker login" requires at most 1 argument.
      See 'docker login --help'.
      
      Usage:  docker login [OPTIONS] [SERVER]
      
      Log in to a Docker registry
      

      6. Notice that the JSON key provided with the "-p" argument uses unescaped quotes

      Reported Issues:

      A. [major] The "-p" argument provided to "docker login" should escape quotes
      B. [minor] The secrets retrieved by docker.withRegistry should not appear in the clear in the logs; instead, the whole JSON credentials should be blanked

      Workaround:

      When pre-escaping the JSON credentials, the "docker login" on the Windows node succeeds; however, the one on the Linux node starts failing. Maintaining two sets of credentials, where one is escaped and the other isn't, works as a workaround.
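
      The quoting failure reported above, modelled as an added example (not code from the Docker Pipeline plugin or from this report). It assumes docker.exe receives its arguments under the Microsoft C runtime quoting convention, which the hypothetical split_windows_cmdline approximates; SECRET is a constructed credential, not a real key.

```python
import subprocess

def split_windows_cmdline(cmdline):
    """Simplified MS C runtime splitting: quotes toggle quoting; a quote after
    an odd number of backslashes is literal (the "" shorthand is not handled)."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))      # 2N backslashes -> N
                if n % 2:                        # odd count: literal quote
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)             # not before a quote: kept as-is
            started = True
            continue
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:                          # unquoted whitespace ends an argument
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args

# Constructed sample credential (not a real key), shaped like the one in the report.
SECRET = (r'{ "type": "service_account", "private_key": '
          r'"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n" }')
ARGV = ["docker", "login", "-u", "_json_key", "-p", SECRET, "https://us.gcr.io"]

def naive_cmdline(argv):    # quotes added, nothing escaped (as in the Windows log)
    return " ".join('"%s"' % a for a in argv)

def escaped_cmdline(argv):  # inner quotes backslash-escaped (as in the Linux log)
    return subprocess.list2cmdline(argv)

if __name__ == "__main__":
    for name, build in (("naive", naive_cmdline), ("escaped", escaped_cmdline)):
        print(name, "->", len(split_windows_cmdline(build(ARGV))), "arguments")
```

      In this model the unescaped form loses every inner quote and breaks apart at the spaces in the PEM header, which leaves several positional arguments after the "-p" value. Passing the secret on standard input with --password-stdin, as the Docker warning in the Linux log recommends, avoids command-line quoting altogether.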

            Unassigned Unassigned
            gpetit Gaspard Petit