Not sure how to login to private registry about deimos HOT 15 CLOSED

Maybe copying ~/.dockercfg to /root/.dockercfg would work? Deimos runs as root, directly under the slave. There doesn't seem to be much documentation on how to control which .dockercfg file is used for authentication; the name of the file itself turns up only one hit in the Docker docs:

https://www.google.com/#q=site:docs.docker.com+.dockercfg

from deimos.

@solidsnack thank you for getting back to me. I'm pretty sure I tried copying the file over to /root/.dockercfg and it didn't work. I'll confirm today and get back to you.

Is supporting authenticating with a private registry something that you would like to support in deimos directly by calling the docker 'login' command prior to pull, as opposed to relying on the presence of a .dockercfg file? If so, I'd be happy to take a shot at adding it.

from deimos.

No dice when copying the file to /root/.dockercfg, still get a 403 when pulling.

Just for the hell of it, I hardcoded a "docker login" call right before the pull in docker.py and did a find for the .dockercfg file. It ended up being placed in:

/tmp/mesos/slaves/20140703-141945-16842879-5050-9288-0/frameworks/20140703-141945-16842879-5050-9288-0000/executors/ubuntu_0-1404399606067/runs/15363f63-5689-49e2-8038-fc5d45ab34d4/.dockercfg

from deimos.

It'd be great to have support for it. Given what you've discovered, I'm really not sure what the best way to add it is -- logging in every time seems like a bad pattern -- but I'd be happy to accept what you come up with.

Maybe the right thing to do is have Deimos copy a specific .dockercfg into .?

from deimos.

@solidsnack that would do the trick. The only way that I can think of providing the contents of the .dockercfg file to deimos is via an attribute in deimos.cfg. Perhaps base64 encoding a valid dockercfg file and providing it as a setting? When the executor sets up the working directory deimos can write the contents to the file. The .dockercfg file format allows the specification of credentials for multiple registries, so a global value for the dockercfg files should be able to hold login info for all of the containers expected to be deployed across the cluster.

Does that sound like an acceptable approach? It's definitely a kludgy solution but the authentication interface with docker doesn't leave a while lot of options.

from deimos.

Would it not be better to simply configure Deimos with a path to the .dockercfg file?

[docker.index]
dockercfg = /etc/dockercfg

Base64 encoding the file and inlining it would seem to have at the least the disadvantage that one is forced to treat the Deimos configuration file as a holder of secure credentials.

from deimos.

Yes, that would be better.

from deimos.

Haven't tested the code in 73b8872 but it's a start. Could you look it over and maybe give it a shot?

from deimos.

@solidsnack I just tried out that commit but still received a 403. It looks like the docker pull is being executed prior to the dockercfg being placed. I traced it down to somewhere is this block: https://github.com/mesosphere/deimos/blob/dockercfg/deimos/docker.py#L20-L27 . Their is a comment which says "Forces external call to pre-fetch image".

I tried moving the 'self.place_dockercfg()' call right before https://github.com/mesosphere/deimos/blob/dockercfg/deimos/containerizer/docker.py#L123, but https://github.com/mesosphere/deimos/blob/dockercfg/deimos/containerizer/docker.py#L328 is evaluating to false, so the config file is not set.

from deimos.

There was a bug in the config loader.

I've pushed a new branch with your changes and the fix to the config file reader.

diff --git a/deimos/config.py b/deimos/config.py
index 097a1f2..ab58a1e 100644
--- a/deimos/config.py
+++ b/deimos/config.py
@@ -189,6 +189,9 @@ def parse(f):
         del parsed["containers.options"]
     if len(containers) > 0:
         parsed["containers"] = Containers(**containers)
+    if "docker.index" in parsed:
+        parsed["index"] = parsed["docker.index"]
+        del parsed["docker.index"]
     return _Struct(**parsed)


diff --git a/deimos/containerizer/docker.py b/deimos/containerizer/docker.py
index ac1155c..3b750a6 100644
--- a/deimos/containerizer/docker.py
+++ b/deimos/containerizer/docker.py
@@ -120,14 +120,14 @@ class Docker(Containerizer, _Struct):
         else:
             env += mesos_env() + [("MESOS_DIRECTORY", self.workdir)]

+        self.place_dockercfg()
+
         runner_argv = deimos.docker.run(run_options, image, launchy.argv,
                                         env=env, ports=launchy.ports,
                                         cpus=cpus, mems=mems)

         log_mesos_env(logging.DEBUG)

-        self.place_dockercfg()
-
         observer = None
         with open("stdout", "w") as o:        # This awkward multi 'with' is a
             with open("stderr", "w") as e:    # concession to 2.6 compatibility

from deimos.

Just tried and received the following error:

Jul  8 18:24:38 vagrant deimos[4456]: deimos.containerizer.docker.launch()
Jul  8 18:24:38 vagrant deimos[4456]: deimos.state.lock() request // launch EX (60s)
Jul  8 18:24:38 vagrant deimos[4456]: deimos.state.lock() success // launch EX (60s)
Jul  8 18:24:38 vagrant deimos[4456]: deimos.containerizer.docker.launch() eid    = ubuntu_0-1404843876386
Jul  8 18:24:38 vagrant deimos[4456]: deimos.containerizer.docker.launch() mesos  = 50de9b28-f781-481e-a14d-8bcb2e0c54f2
Jul  8 18:24:38 vagrant deimos[4456]: deimos.docker.matching_image_for_host() call // bash -c '#012            set -o errexit -o nounset -o pipefail#012            ( source /etc/os-release && tr A-Z a-z <<<"$ID#011$VERSION_ID" )#012        '
Jul  8 18:24:38 vagrant deimos[4456]: deimos.docker.matching_image_for_host() exit 0 // bash -c '#012            set -o errexit -o nounset -o pipefail#012            ( source /etc/os-release && tr A-Z a-z <<<"$ID#011$VERSION_ID" )#012        '
Jul  8 18:24:38 vagrant deimos[4456]: deimos.docker.matching_image_for_host() STDOUT // ubuntu#01114.04
Jul  8 18:24:38 vagrant deimos[4456]: deimos.cli() Unhandled failure in launch#012Traceback (most recent call last):#012  File "/srv/deimos/deimos/__init__.py", line 73, in cli#012    result = deimos.containerizer.stdio(containerizer, *argv[1:])#012  File "/srv/deimos/deimos/containerizer/__init__.py", line 97, in stdio#012    return method(recordio.read(proto), *args[1:])#012  File "/srv/deimos/deimos/containerizer/docker.py", line 72, in launch#012    image = self.determine_image(url, launchy)#012  File "/srv/deimos/deimos/containerizer/docker.py", line 314, in determine_image#012    default = self.image_from_system_context(launchy)#012  File "/srv/deimos/deimos/containerizer/docker.py", line 324, in image_from_system_context#012    return deimos.docker.matching_image_for_host(**opts)#012  File "/srv/deimos/deimos/docker.py", line 123, in matching_image_for_host#012    return image_token("%s:%s" % (distro, release), *args, **kwargs)#012TypeError: image_token() got an unexpected keyword argument 'dockercfg'
Jul  8 18:24:38 vagrant mesos-slave[4354]: E0708 18:24:38.612555  4371 slave.cpp:2310] Container '50de9b28-f781-481e-a14d-8bcb2e0c54f2' for executor 'ubuntu_0-1404843876386' of framework '20140703-141945-16842879-5050-9288-0000' failed to start: Could not launch container '50de9b28-f781-481e-a14d-8bcb2e0c54f2': External containerizer failed (status: 8)

I'm going to try and debug now ...

from deimos.

@jschneiderhan How is this working out for you today?

from deimos.

I just tried 95a7677, which is HEAD of the index-config-fixes branch, and it worked perfectly

from deimos.

This made it in to 0.4.0

from deimos.

Great. This will be super-useful for people using a private registry. I'm going to close the issue as my use case is now met. Thanks @solidsnack!

from deimos.