Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-33985

Credentials always points to https://index.docker.io/v1 even for private registry

    Details

    • Similar Issues:

      Description

      1. Try to use a private registry in the Image id/tag. eg:
      docker.mycompany.com/my-bucket/ubuntu

      2. Setup the credentials for Docker registry credentials.

      3. Run the project

      It fails to pull the image
      Error: Status 403 trying to pull repository my-bucket/ubuntu: "

      {\"error\": \"Permission Denied\"}

      "

      Look closer to the .dockercfg generated on the host: It's always: https://index.docker.io/v1

      {"https://index.docker.io/v1": {
      "auth": ".......",
      "email": "my-crediential"
      }}

      It seems in the plugin code that when it creates the registryEndpoint, it call with 'null' on URL:

      this.registryEndpoint = new DockerRegistryEndpoint(null, credentialsId);

      And the docker-common will use its default index.docker.io/v1 instead of the one defined in image tag.

      I'm not sure how it will work, it seems the code is setting up the credential first and then pull in the container image, so the image ID is never consulted when it tries to create the registryEndpoint, so it seems it will always be the default index.docker.io/v1.

      We are actually not using private registry, but a different public one, like quay.io, and it's not working because of this.

      I thought it's supported because it's coming from the help:

      ........ or the Docker image you have configured for this build do point to a private registry "docker.mycompany.com/my-bucket/ubuntu:secret-version" - either as an image ID or parent FROM reference in Dockerfile - then specify the registry credentials here so docker command line client is configured accordingly and can pull from this registry.
      (from CloudBees Docker Custom Build Environment Plugin)

        Attachments

          Issue Links

            Activity

            Hide
            carltongbrown Carlton Brown added a comment -

            I notice the same.    If I use private repository credentials, this plugin adds a bogus entry for dockerhub into ~/.docker/config

            Show
            carltongbrown Carlton Brown added a comment - I notice the same.    If I use private repository credentials, this plugin adds a bogus entry for dockerhub into ~/.docker/config
            Hide
            carltongbrown Carlton Brown added a comment -

            This seems to be getting triggered by JENKINS-344967

            Scenario:

            • I am using a private registry at mycompany.com.    Inspect contents of ~/.docker/config.json and my private registry auth is correct.
            • I set up a build using a totally private image, and select the credentials of my private registry.
            • Run build, it fails with error:  "Unable to find image 'alpine:3.2' locally".   Whaat?   I'm not even using alpine 3.2:   Oh wait, THIS PLUGIN ITSELF USES ALPINE 3.2.  (See  JENKINS-344967)
            • And now my config.json has created an auth entry for DockerHub, but it uses my internal auth credentials.   
              • "https://index.docker.io/v1/":   {

                "auth": "Greetings Docker Hub, this plugin wants to leak a private registry token",

                "email": "internal@mycompany.com"

              }

             

             

            Show
            carltongbrown Carlton Brown added a comment - This seems to be getting triggered by JENKINS-344967 Scenario: I am using a private registry at mycompany.com.    Inspect contents of ~/.docker/config.json and my private registry auth is correct. I set up a build using a totally private image, and select the credentials of my private registry. Run build, it fails with error:  "Unable to find image 'alpine:3.2' locally".   Whaat?   I'm not even using alpine 3.2:   Oh wait, THIS PLUGIN ITSELF USES ALPINE 3.2.  (See  JENKINS-344967 ) And now my config.json has created an auth entry for DockerHub, but it uses my internal auth credentials.    "https://index.docker.io/v1/":   {     "auth": "Greetings Docker Hub, this plugin wants to leak a private registry token",     "email": "internal@mycompany.com"   }    
            Hide
            ncgee Niek Geerts added a comment -

            I've been having the same problem, now exacerbated by JENKINS-34967 as well. Whereas a workaround which removes the erroneous credentials used to work, builds now fail immediately as the private credentials are used in an attempt to download alpine:3.2 from Docker Hub. Quite frankly, I question the need for Docker Commons Plugin to write in the docker config file at all, but I suppose there's a better place to raise that issue.

            Show
            ncgee Niek Geerts added a comment - I've been having the same problem, now exacerbated by JENKINS-34967 as well. Whereas a workaround which removes the erroneous credentials used to work, builds now fail immediately as the private credentials are used in an attempt to download alpine:3.2 from Docker Hub. Quite frankly, I question the need for Docker Commons Plugin to write in the docker config file at all, but I suppose there's a better place to raise that issue.
            Hide
            jglick Jesse Glick added a comment -

            As of JENKINS-38018 the plugin will normally just run docker login (with a freshly allocated config directory), so this is probably obsolete.

            Show
            jglick Jesse Glick added a comment - As of JENKINS-38018 the plugin will normally just run docker login (with a freshly allocated config directory), so this is probably obsolete.
            Hide
            jglick Jesse Glick added a comment -

            …though if you are using the Docker Custom Build Environment plugin rather than Docker Pipeline, you would need to wait for JENKINS-51406 to pick up the change.

            Show
            jglick Jesse Glick added a comment - …though if you are using the Docker Custom Build Environment plugin rather than Docker Pipeline, you would need to wait for JENKINS-51406 to pick up the change.

              People

              • Assignee:
                ndeloof Nicolas De Loof
                Reporter:
                ctlam Dominic Lam
              • Votes:
                2 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: