Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-51949

Docker agent in declarative pipeline failing to login to custom registry

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      We have an image that is stored in AWS ECR. Previously this step has been working but broke when we updated the Docker Workflow plugin from 1.15.1 to 1.17. We now get a `docker login failed` message.

      This is for a declarative pipeline and our configuration is as follows.

      stage('Docker step') {
           agent {
               docker {
                   image "xxxxxxxx"
                   registryUrl "https://xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com"
                   registryCredentialsId "credentials-id"
               }
           }
       }

      When we roll the plugin back to 1.15.1 the issue no longer occurs.
      This may be related to JENKINS-38018

        Attachments

          Issue Links

            Activity

            Hide
            jarrettg Jarrett G added a comment -

            This breaks a key step in my build pipeline. Looks like the culprit is `src/main/java/org/jenkinsci/plugins/docker/commons/impl/RegistryKeyMaterialFactory.java`

                public KeyMaterial materialize() throws IOException, InterruptedException {
                    FilePath dockerConfig = createSecretsDirectory();
                    try {
                        // TODO on Docker 17.07+ use --password-stdin
                        EnvVars envWithConfig = new EnvVars(env);
                        envWithConfig.put("DOCKER_CONFIG", dockerConfig.getRemote());
                        if (launcher.launch().cmds(new ArgumentListBuilder(dockerExecutable, "login", "-u", username, "-p").add(password, true).add(endpoint)).envs(envWithConfig).stdout(listener).join() != 0) {
                            throw new AbortException("docker login failed");
                        }
                    } catch (IOException | InterruptedException x) {
                        try {
                            dockerConfig.deleteRecursive();
                        } catch (Exception x2) {
                            x.addSuppressed(x2);
                        }
                        throw x;
                    }
                    return new RegistryKeyMaterial(dockerConfig, new EnvVars("DOCKER_CONFIG", dockerConfig.getRemote()));
                }
            

            Looks like this was intentionally passed over, possibly due to some security issue. Jesse Glick - any reason why this hasn't been updated yet?

            Show
            jarrettg Jarrett G added a comment - This breaks a key step in my build pipeline. Looks like the culprit is `src/main/java/org/jenkinsci/plugins/docker/commons/impl/RegistryKeyMaterialFactory.java` public KeyMaterial materialize() throws IOException, InterruptedException { FilePath dockerConfig = createSecretsDirectory(); try { // TODO on Docker 17.07+ use --password-stdin EnvVars envWithConfig = new EnvVars(env); envWithConfig.put( "DOCKER_CONFIG" , dockerConfig.getRemote()); if (launcher.launch().cmds( new ArgumentListBuilder(dockerExecutable, "login" , "-u" , username, "-p" ).add(password, true ).add(endpoint)).envs(envWithConfig).stdout(listener).join() != 0) { throw new AbortException( "docker login failed" ); } } catch (IOException | InterruptedException x) { try { dockerConfig.deleteRecursive(); } catch (Exception x2) { x.addSuppressed(x2); } throw x; } return new RegistryKeyMaterial(dockerConfig, new EnvVars( "DOCKER_CONFIG" , dockerConfig.getRemote())); } Looks like this was intentionally passed over, possibly due to some security issue. Jesse Glick  - any reason why this hasn't been updated yet?
            Hide
            jglick Jesse Glick added a comment -

            Daniel Fosbery not sure offhand. No developer of this plugin that I know of tests against AWS ECR. It may have specialized requirements for running docker login that go beyond what a generic registry does. If in doubt, avoid use of agent docker and run Docker commands directly from sh.

            Jarrett G any reason why what has not been updated yet?

            Show
            jglick Jesse Glick added a comment - Daniel Fosbery not sure offhand. No developer of this plugin that I know of tests against AWS ECR. It may have specialized requirements for running docker login that go beyond what a generic registry does. If in doubt, avoid use of agent docker and run Docker commands directly from sh . Jarrett G any reason why what has not been updated yet?
            Hide
            jarrettg Jarrett G added a comment - - edited

            Jesse Glick - Wow, I did not describe that well. Sorry for the ambiguity  

             

            I meant that Docker throws an error and exits with a 1 if

            -p

            or

            --password

            is passed in as an arg. It looks like it only wants 

            --password-stdin

            now.

            Show
            jarrettg Jarrett G added a comment - - edited Jesse Glick  - Wow, I did not describe that well. Sorry for the ambiguity     I meant that Docker throws an error and exits with a 1 if -p or --password is passed in as an arg. It looks like it only wants  --password-stdin now.

              People

              • Assignee:
                Unassigned
                Reporter:
                danielfosbery Daniel Fosbery
              • Votes:
                6 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated: