
Cannot use an environment variable like ${REGISTRY} as part of the docker registry name any more

      Until now we had a parametrized name of our internal Docker registry configured in the Jenkins main config. We used an environment variable like ${REGISTRY} which was evaluated/expanded properly.

      However, after updating the Docker Commons and Docker Workflow plugins to their current latest versions, this is no longer supported.

      The workaround that worked is to just hardcode the Docker registry name instead.

          [JENKINS-67633] Cannot use an environment variable like ${REGISTRY} as part of the docker registry name any more

          Paul "TBBle" Hampson added a comment -

          This is almost certainly due to the security fix for SECURITY-1878 in docker-workflow-plugin gb3a6996 (included in release 1.27), which stopped the parameters passed in from being evaluated in the shell environment context.

          Based on the example given in https://github.com/jenkinsci/docker-commons-plugin/pull/93#issuecomment-1028331791, the issue was seen with

          DOCKER_IMAGE = docker.build('${ECR_REGISTRY}/${ECR_REPO}:${COMMIT_HASH}')

          and I believe the intended fix is to instead call

          DOCKER_IMAGE = docker.build("${env.ECR_REGISTRY}/${env.ECR_REPO}:${env.COMMIT_HASH}")

          i.e. to evaluate those variables in the Pipeline script using ", so that the values passed into the shell do not need to be evaluated again, and can be treated literally as the current code intends.

          However, this will not be so trivial if the image name depends on environment variables available in the shell but not available in the Pipeline script, or even depends on more-complex expansions, e.g. shell built-ins or inline exec.

          Jesse Glick added a comment -

          Does not seem like a bug. If docker.build('const-$VAR') ever worked, it was by accident. Use docker.build("const-$VAR"). If you need more complex scenarios, run docker build yourself from inside a shell script somewhere. Which is really what you should be doing anyway—this plugin is best avoided.

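The difference discussed in the comments above, as an added example that is not part of the issue or of either plugin's code: the same image-name string re-parsed by a shell versus handed over as one literal argument, plus a shell-side build step that resolves and checks the name first. printf stands in for docker build -t, and every function name and sample value here is an assumption made for illustration.

```sh
#!/bin/sh
# Added example. printf stands in for `docker build -t <name>` so this runs
# offline; all values below are constructed, not taken from the issue.
ECR_REGISTRY='registry.example.internal'
ECR_REPO='app'
COMMIT_HASH='abc1234'
export ECR_REGISTRY ECR_REPO COMMIT_HASH

# Name is spliced into a command string that a second shell parses again:
# ${VAR} references and $(...) inside the name are expanded by that shell.
tag_reevaluated() {
    sh -c "printf '%s' $1"
}

# Name is handed over as one argument and never re-parsed: it stays literal.
tag_literal() {
    sh -c 'printf "%s" "$1"' _ "$1"
}

# Accept only characters a registry/repo:tag reference needs.
valid_ref() {
    case "$1" in
        ''|*[!A-Za-z0-9._/:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Shell-side counterpart of docker.build("${env.ECR_REGISTRY}/..."):
# resolve the variables once, validate, then pass the result literally.
build_tag() {
    name="${ECR_REGISTRY}/${ECR_REPO}:${COMMIT_HASH}"
    valid_ref "$name" || { echo "refusing image name: $name" >&2; return 1; }
    tag_literal "$name"
}

# Demo: the single-quoted Groovy form reaches the shell as this template.
tpl='${ECR_REGISTRY}/${ECR_REPO}:${COMMIT_HASH}'
printf 're-evaluated: %s\n' "$(tag_reevaluated "$tpl")"
printf 'literal:      %s\n' "$(tag_literal "$tpl")"
printf 'resolved:     %s\n' "$(build_tag)"
# A re-parsing shell also runs command substitution found in the name.
printf 'substitution: %s\n' "$(tag_reevaluated 'app:$(echo ran)')"
```

The literal line shows the unexpanded template that the reporter's configuration now produces, and the resolved line shows the result once the variables are expanded before the name is handed over.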

            Unassigned Unassigned
            turbobobi Borislav